Earlier this year, while working on a web application security assessment, I discovered a critical flaw in one of the application’s APIs. Let me break it down simply.

I came across a JSON payload that included a discount object like this, 

"chosen_discount": {
  "percentage": 0
}

From the user’s point of view, there was no visible discount option on the checkout page. The product appeared to require full payment, and nothing suggested otherwise. However, at the API level, the application was still accepting a discount parameter from the client.

As a security professional, I tested what would happen if I modified that value. Instead of 0, I changed the discount percentage to 100. The result? The order went through without any payment required. The back-end blindly trusted the client-supplied value and applied a full discount.

This wasn’t a technical exploit in the traditional sense it was a business logic vulnerability. The system behaved exactly as it was told, but without enforcing the rules that should have existed on the server side.

This is a strong reminder for developers:
Always validate critical logic on the back-end. Never trust values coming from the client whether it’s a website or a mobile app.

Business Logic Flaws like this can be just as damaging as classic security bugs, especially when they directly affect revenue.