Sitemap

Business logic vulnerabilities: Excessive Trust in Client-Side Controls Walkthrough (Apprentice)

4 min read1 day ago

--

Press enter or click to view image in full size

Learn how attackers exploit excessive trust in client-side controls to manipulate product prices and bypass business logic using Burp Suite in the PortSwigger Web Security Academy.

Business logic vulnerabilities are among the most dangerous web application security issues because they exploit flaws in how an application processes legitimate user actions rather than traditional coding mistakes. Unlike SQL Injection or Cross-Site Scripting (XSS), these vulnerabilities abuse the application’s intended functionality to achieve unintended outcomes.

In this walkthrough, we’ll solve the Excessive Trust in Client-Side Controls lab from the PortSwigger Web Security Academy. You’ll learn how trusting user-controlled values can allow attackers to manipulate product prices, purchase expensive items for almost nothing, understand the security impact, and implement secure server-side validation.

📌 Lab Information

Difficulty: Apprentice

Category: Business Logic Vulnerabilities

Objective: Purchase the Leather Jacket using only the available store credit by manipulating the client-controlled price value.

Lab URL:
https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

🎯 What You’ll Learn

By completing this lab, you’ll learn how to:

✅ Identify business logic vulnerabilities caused by trusting client-side data.

✅ Intercept and modify HTTP requests using Burp Suite.

✅ Manipulate client-controlled parameters to bypass pricing controls.

✅ Understand why client-side validation should never be trusted.

✅ Apply secure server-side validation techniques.

🔍 Understanding the Vulnerability

Client-side controls improve the user experience, but they should never be considered a security mechanism.

In this lab, the application sends the product price as part of the POST request when an item is added to the shopping cart.

Instead of validating the price on the server, the application trusts the value supplied by the client.

This means an attacker can modify the price before the request reaches the server.

The vulnerable parameter is:

price

Instead of using the legitimate value:

133700

the attacker changes it to:

1

As a result, the application believes the product costs 1 cent.

🎯 Identifying the Attack Surface

When a product is added to the shopping cart, the browser sends a request similar to:

POST /cart HTTP/1.1
csrf=<token>&productId=1&quantity=1&redir=CART&price=133700

The vulnerable parameter is:

price

Since this value is entirely controlled by the client, it can be intercepted and modified using Burp Suite.

⚙️ How the Vulnerability Occurs

The application incorrectly assumes that users will never modify the request.

Client


Adds Product to Cart


Intercept Request


Modify price Parameter


Server Trusts Client Value


Product Added at Manipulated Price

This happens because:

• The server trusts the client-supplied price.

• The application never validates the product price against the database.

• Business logic validation is performed only on the client side.

🚀 Exploitation Steps

Step 1: Log In

Authenticate using the provided credentials.

Username

wiener

Password

peter

After logging in, browse to the product page.

Step 2: Add the Product to the Cart

Add the Lightweight “l33t” Leather Jacket to your cart.

Intercept the request using Burp Suite Proxy or Repeater.

The original request contains:

price=133700

Modify it to:

price=1

The modified request becomes:

POST /cart HTTP/1.1
csrf=<token>&productId=1&quantity=1&redir=CART&price=1

Forward the request.

Step 3: Verify the Cart

Open the shopping cart.

The jacket is now displayed with a price of:

$0.01

Instead of:

$1337.00

This confirms that the application trusted the manipulated client-side value.

Step 4: Complete the Checkout

Submit the checkout request normally.

The application processes the manipulated cart total without recalculating the price on the server.

Step 5: Confirm the Solution

Once the checkout is complete, the lab displays:

Congratulations, you solved the lab!

⚠️ Security Impact

If this vulnerability existed in a production e-commerce application, an attacker could:

• Purchase expensive products at arbitrary prices.

• Bypass payment controls.

• Cause significant financial loss.

• Manipulate discounts and promotional logic.

• Abuse any feature that relies on client-controlled values.

Because the attacker controls the price, the integrity of the entire purchasing process is compromised.

🛡️ Remediation

Developers should follow these security best practices:

✅ Never trust client-supplied pricing information.

✅ Remove the price parameter from client requests.

✅ Always retrieve product prices from the server-side database.

✅ Validate shopping cart totals before processing payment.

✅ Log suspicious pricing anomalies for security monitoring.

The correct workflow should always be:

Client Sends:
Product ID + Quantity


Server Retrieves Price


Server Calculates Total


Payment Processed Using Server Value

📖 Key Takeaways

Client-side controls improve usability, not security.

✔ Any value sent by the client can be modified.

✔ Business logic validation must always occur on the server.

✔ Never trust hidden fields, JavaScript variables, or request parameters for security decisions.

✔ Server-side validation is essential to maintain application integrity.

📚 References

PortSwigger Web Security Academy

https://portswigger.net/web-security/logic-flaws

OWASP Top 10

https://owasp.org/www-project-top-ten/

🤝 Connect with Me

If you enjoy practical cybersecurity content and hands-on PortSwigger Web Security Academy walkthroughs, feel free to connect with me.

🌐 Portfolio
https://rahulms.qzz.io/

💻 GitHub
https://github.com/1amrahul

💼 LinkedIn
https://linkedin.com/in/rahul-m-s-372b631a2

If this walkthrough helped you, consider following this publication for more PortSwigger Web Security Academy lab solutions, Burp Suite tutorials, Business Logic Vulnerability guides, and practical Web Application Penetration Testing (VAPT) content.

--

--