
# Business Logic Checklist

* [ ] Change the price to a different value: 100 -> 50
* [ ] Change the price to a negative value: 100 -> -100
* [ ] Change the price by adding a negative value: 100 -> 100 + (-120)
* [ ] Change the price by multiplying it by 0.5: 100 -> (0.5 \* 100)
* [ ] Retrieving a profile: for example, Jack's profile is fetched with id=1001. Change the value from 1001 to 1089 and check whether another user's information is returned.
* [ ] Shopping cart: test for an authentication bypass that lets you use the shopping cart without paying for items.

**Review Functionality:**

* [ ] Try to post a review as a Verified Reviewer without purchasing that product.
* [ ] Attempt to provide a rating beyond the scale (e.g., 0 or 6).
* [ ] Check if the same user can post multiple ratings for a product (race conditions).
* [ ] Test if file uploads allow any extensions.
* [ ] Try posting reviews as other users.
* [ ] Perform CSRF on this functionality.

**Coupon Code Functionality:**

* [ ] Apply the same code more than once to see if the coupon code is reusable.
* [ ] Test for Race Condition by using the same code for two accounts simultaneously.
* [ ] Attempt Mass Assignment or HTTP Parameter Pollution to add multiple coupon codes.
* [ ] Check for missing input sanitization vulnerabilities (e.g., XSS, SQLi).
* [ ] Tamper with requests to add discount codes to non-discounted items.

#### \[ ] Delivery Charges Abuse

* [ ] Tamper with delivery charge rates to negative values to reduce the final amount.
* [ ] Check for free delivery by modifying parameters.

#### \[ ] Currency Arbitrage

* [ ] Pay in one currency (e.g., USD) and request a refund in another currency (e.g., EUR).

#### \[ ] Premium Feature Abuse

* [ ] Forcefully browse premium account areas or endpoints.
* [ ] Pay for a premium feature, cancel the subscription, and check if the feature remains usable.
* [ ] Use Burp's Match & Replace to manipulate access to premium features.
* [ ] Check cookies or local storage for variables related to premium access.

#### \[ ] Refund Feature Abuse

* [ ] Purchase a subscription and request a refund to see if access remains.
* [ ] Attempt currency arbitrage with refunds.
* [ ] Test for race conditions by making multiple cancellation requests.

#### \[ ] Cart/Wishlist Abuse

* [ ] Add a product with negative quantity alongside positive quantities.
* [ ] Add a product exceeding the available quantity.
* [ ] Check if moving a product from the wishlist to the cart can affect another user's cart.

#### \[ ] Thread Comment Functionality

* [ ] Attempt to post unlimited comments on a thread.
* [ ] Test for race conditions if a user can comment only once.
* [ ] Tamper with parameters to post comments as a verified user.
* [ ] Attempt to impersonate other users when posting comments.
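The Review Functionality and Thread Comment Functionality items both reduce to the same defence: identity and status come from server-side state, and the "once per user" rule is enforced by the database rather than by an application-level lookup that a concurrent request can race. The following is an added example, not code from the original checklist; the schema, users, purchases and request bodies are constructed for the demo. The submitted form's `user_id` and `verified` fields are ignored, the rating is range-checked, a `UNIQUE(user_id, product_id)` constraint rejects a duplicate even under concurrency, and uploads are allow-listed by final extension.

```python
"""Review/comment submission validated entirely from server-side state.

Added example, not code from the original checklist. Schema, users, purchases
and request bodies are constructed for the demo.
"""
import sqlite3
from pathlib import PurePosixPath

RATING_MIN, RATING_MAX = 1, 5
ALLOWED_UPLOAD_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE purchases (
            user_id INTEGER, product_id INTEGER, PRIMARY KEY (user_id, product_id)
        );
        CREATE TABLE reviews (
            user_id    INTEGER NOT NULL,
            product_id INTEGER NOT NULL,
            rating     INTEGER NOT NULL CHECK (rating BETWEEN 1 AND 5),
            verified   INTEGER NOT NULL,
            body       TEXT NOT NULL,
            UNIQUE (user_id, product_id)   -- one review per user per product, enforced by the DB
        );
        INSERT INTO purchases VALUES (7, 100);   -- constructed: user 7 bought product 100 only
    """)
    return db


def submit_review(db: sqlite3.Connection, session_user_id: int, form: dict) -> str:
    """form is the untrusted request body. The reviewer's identity is the session user and
    'verified' is derived from the purchases table; form['user_id'] and form['verified']
    are never read, so impersonation and verified-flag tampering have nothing to act on."""
    try:
        product_id = int(form["product_id"])
        rating = int(form["rating"])
    except (KeyError, ValueError, TypeError):
        return "rejected: malformed"
    if not RATING_MIN <= rating <= RATING_MAX:       # app-level check runs before the DB CHECK
        return "rejected: rating out of range"
    verified = db.execute(
        "SELECT 1 FROM purchases WHERE user_id=? AND product_id=?",
        (session_user_id, product_id),
    ).fetchone() is not None
    try:
        db.execute(
            "INSERT INTO reviews VALUES (?, ?, ?, ?, ?)",
            (session_user_id, product_id, rating, int(verified), form.get("body", "")),
        )
        db.commit()
    except sqlite3.IntegrityError:
        # The UNIQUE constraint fires for the second of two racing inserts too; no SELECT-then-INSERT gap.
        return "rejected: duplicate review"
    return "accepted: verified" if verified else "accepted: unverified"


def review_row(db: sqlite3.Connection, user_id: int, product_id: int):
    return db.execute(
        "SELECT user_id, verified FROM reviews WHERE user_id=? AND product_id=?",
        (user_id, product_id),
    ).fetchone()


def upload_allowed(filename: str) -> bool:
    """Allow-list on the final extension only: 'shot.png.php' has suffix '.php' and is refused.
    Store the file under a server-generated name; the client name is only checked, never used."""
    return PurePosixPath(filename).suffix.lower() in ALLOWED_UPLOAD_EXT


def demo():
    """Constructed requests from a session belonging to user 7."""
    db = make_db()
    results = [
        # body claims to be user 1 with a verified flag; the session says user 7, who did buy product 100
        submit_review(db, 7, {"product_id": "100", "rating": "5", "user_id": "1", "verified": "1", "body": "Great"}),
        submit_review(db, 7, {"product_id": "100", "rating": "1", "body": "again"}),              # duplicate
        submit_review(db, 7, {"product_id": "200", "rating": "6", "body": "x"}),                  # out of range
        submit_review(db, 7, {"product_id": "200", "rating": "4", "verified": "1", "body": "never bought it"}),
        submit_review(db, 7, {"product_id": "200", "rating": "four"}),                            # malformed
    ]
    return results, review_row(db, 7, 100), review_row(db, 1, 100)
```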

#### \[ ] Parameter Tampering

* [ ] Tamper with payment or critical fields.
* [ ] Use HTTP Parameter Pollution and Mass Assignment to add unexpected fields.
* [ ] Manipulate responses to bypass restrictions (e.g., 2FA).
* [ ] Attempt parameter tampering to manipulate product prices.
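The price tampering items at the top of the checklist, Delivery Charges Abuse, Cart/Wishlist Abuse and Parameter Tampering all probe one design choice: whether the server recomputes the order from its own data or trusts numbers in the request. The following is an added example, not code from the original checklist; the catalog, stock levels, shipping table and the tampered requests are constructed for the demo. Only `sku`, `qty` and the shipping method name are read from the request; any `price`, `total` or `shipping_cents` field the client sends is ignored, quantities must be positive integers within stock, and the delivery charge comes from a server-side table.

```python
"""Checkout totals recomputed from server-side data; client-supplied prices are ignored.

Added example, not part of the original checklist. Catalog, stock, shipping rates
and the sample requests are constructed for the demo.
"""
import re
from dataclasses import dataclass

# Constructed server-side catalog: unit price in integer cents and stock on hand.
CATALOG = {
    "BOOK": {"price_cents": 2000, "stock": 3},
    "PEN":  {"price_cents": 150,  "stock": 50},
}
# Constructed server-side shipping table; the client may only choose a key, never a rate.
SHIPPING_CENTS = {"standard": 500, "express": 1500}
FREE_SHIPPING_THRESHOLD_CENTS = 5000
MAX_LINE_QTY = 20


class CheckoutError(ValueError):
    pass


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_cents: int

    def subtotal(self) -> int:
        return self.qty * self.unit_cents


def parse_qty(raw) -> int:
    """Quantities must be positive integers: rejects -1, 0, 0.5, '1e3', '-1' and booleans."""
    if isinstance(raw, bool):
        raise CheckoutError("invalid quantity")
    if isinstance(raw, str) and re.fullmatch(r"[0-9]+", raw):
        raw = int(raw)
    if not isinstance(raw, int):
        raise CheckoutError(f"invalid quantity {raw!r}")
    if not 1 <= raw <= MAX_LINE_QTY:
        raise CheckoutError(f"quantity {raw} out of range")
    return raw


def price_order(request: dict) -> dict:
    """request is the untrusted JSON body. Only sku, qty and the shipping method name are read;
    price, discount, total or shipping_cents fields sent by the client have no effect
    (mass-assignment defence by explicit field selection)."""
    lines = []
    for item in request.get("items", []):
        sku = item.get("sku")
        if sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku!r}")
        qty = parse_qty(item.get("qty"))
        if qty > CATALOG[sku]["stock"]:
            raise CheckoutError(f"insufficient stock for {sku}")
        lines.append(Line(sku, qty, CATALOG[sku]["price_cents"]))   # server price, not item['price']
    if not lines:
        raise CheckoutError("empty cart")
    items_total = sum(line.subtotal() for line in lines)
    method = request.get("shipping", "standard")
    if method not in SHIPPING_CENTS:
        raise CheckoutError("unknown shipping method")
    shipping = 0 if items_total >= FREE_SHIPPING_THRESHOLD_CENTS else SHIPPING_CENTS[method]
    total = items_total + shipping
    assert total > 0, "non-empty order priced at zero or less"   # invariant, never reachable here
    return {"items_total_cents": items_total, "shipping_cents": shipping, "total_cents": total}


def demo() -> list:
    """Constructed tampered requests; returns the charged total or the rejection reason."""
    tampered = [
        {"items": [{"sku": "BOOK", "qty": 1, "price": 50}], "total": 50},     # client price ignored
        {"items": [{"sku": "BOOK", "qty": -1}, {"sku": "PEN", "qty": 2}]},    # negative quantity
        {"items": [{"sku": "BOOK", "qty": 5}]},                                # exceeds stock
        {"items": [{"sku": "PEN", "qty": 2}], "shipping": "free"},            # made-up shipping method
        {"items": [{"sku": "PEN", "qty": "2"}], "shipping_cents": -500},      # negative delivery ignored
    ]
    out = []
    for req in tampered:
        try:
            out.append(price_order(req)["total_cents"])
        except CheckoutError as exc:
            out.append(str(exc))
    return out
```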

#### \[ ] Exam Result Manipulation

* [ ] Complete exams and retake them, then manipulate requests to obtain certificates with correct answers.

#### \[ ] Authentication Flags and Privilege Escalation

* [ ] Observe HTTP traffic for suspicious parameters related to ACL/Permission.
* [ ] Analyze parameter values for potential tampering (e.g., encoding changes).

#### \[ ] Critical Parameter Manipulation

* [ ] Observe HTTP traffic for parameters that can be tampered with for unauthorized access.

#### \[ ] Developer Cookie Tampering

* [ ] Capture cookie responses and manipulate them to access other users’ information.
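The profile id item near the top, Premium Feature Abuse, Refund Feature Abuse, Authentication Flags and Privilege Escalation, Critical Parameter Manipulation and Developer Cookie Tampering all test whether an authorization decision is derived from something the client controls. The following is an added example, not code from the original checklist; the users, subscription records, signing key and requests are constructed for the demo. The cookie carries only an identity and an HMAC tag, so there is no premium or admin flag to flip; profile access is checked against the session identity; premium access is looked up from the subscription record, where a cancellation runs to the end of the paid period and a refund revokes access immediately.

```python
"""Session cookie = identity + HMAC; every entitlement is looked up server-side.

Added example, not from the original checklist. Users, subscriptions, the key and
the requests are constructed for the demo.
"""
import base64
import binascii
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-load-from-a-secret-store"   # constructed for the demo

# Constructed server-side state.
PROFILES = {
    1001: {"name": "Jack", "email": "jack@example.com"},
    1089: {"name": "Jill", "email": "jill@example.com"},
}
# premium_until is a unix timestamp. A cancelled subscription keeps access until the paid period ends.
SUBSCRIPTIONS = {
    1001: {"premium_until": 4102444800, "cancelled": True},    # 2100-01-01: cancelled but paid up
    1089: {"premium_until": 946684800,  "cancelled": False},   # 2000-01-01: lapsed
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: int) -> str:
    """Cookie = base64(payload).base64(HMAC-SHA256(payload)). The payload holds identity only:
    no is_admin or premium flags, so nothing useful can be edited client-side."""
    payload = json.dumps({"uid": user_id}, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def user_from_cookie(cookie: str):
    """Authenticated user id, or None. The tag is compared in constant time before the payload
    is parsed, so an edited payload with the old tag is rejected."""
    try:
        enc_payload, enc_tag = cookie.split(".", 1)
        payload, tag = _unb64(enc_payload), _unb64(enc_tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)["uid"]


def tampered_cookie(cookie: str, new_uid: int) -> str:
    """Test input: the payload is rewritten but the original tag is kept (no key to recompute it)."""
    _, enc_tag = cookie.split(".", 1)
    payload = json.dumps({"uid": new_uid}, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{enc_tag}"


def get_profile(cookie: str, requested_id: int):
    """Ownership check: the requested id must equal the session identity (id=1001 -> 1089 fails)."""
    uid = user_from_cookie(cookie)
    if uid is None:
        return (401, None)
    if uid != requested_id:
        return (403, None)
    return (200, PROFILES.get(requested_id))


def premium_feature(cookie: str, now: int) -> int:
    """Entitlement from the subscription record, not from any cookie or request flag."""
    uid = user_from_cookie(cookie)
    if uid is None:
        return 401
    sub = SUBSCRIPTIONS.get(uid)
    if sub is None or sub["premium_until"] < now:
        return 403
    return 200


def refund(uid: int, now: int) -> None:
    """A refund revokes the entitlement immediately, unlike a cancel which runs to period end."""
    SUBSCRIPTIONS[uid]["premium_until"] = now - 1
```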

**Functions where authorization might be important:**

* [ ] Profile Update Functions
* [ ] Order History Functions
* [ ] Cart Functions
* [ ] Payment Functions
* [ ] Any Other CRUD Functions

