Q19 of 24 · Security

How do you test for business logic vulnerabilities that automated scanners cannot find?

Security · Senior · security · business-logic · testing · owasp · senior · qa-role

Short answer

Business logic vulnerabilities are specific to the application's domain: price manipulation, workflow step skipping, quantity exploits, coupon abuse. Automated tools cannot find them because detecting them requires knowing what the application is supposed to do. Test by mapping the expected flow, then systematically trying to skip, repeat, reverse, or modify each step and checking whether the server, rather than the client, enforces every value and every transition.

Detail

Business logic flaws are not something a generic security scanner can detect. A scanner looks for known patterns (injection payloads, missing headers, outdated components), but it has no model of the intended behaviour, so it cannot tell a legitimate request from one that completes a workflow in the wrong order or with a price the server should never have accepted. Finding these flaws requires domain knowledge: understanding what the application is supposed to do and finding ways to make it do something else.

Test methodology:

  1. Map the intended flow: document the expected sequence of steps for each key business process. For a purchase: add item → apply coupon → enter address → enter payment → confirm → receive confirmation email.

  2. Test each deviation from the happy path:

    • Skip a step: can you reach step 5 (confirm) without completing step 4 (payment)? Can you POST directly to the confirm endpoint without the preceding steps, reusing only the identifiers the earlier responses gave you?
    • Repeat a step: can you apply the same coupon twice? Can you resubmit the payment form to charge twice? Can you click "Buy" before the previous order has cleared, for example by sending the same request twice concurrently so both copies pass the server's state check?
    • Reverse a step: can you modify the cart after payment has been processed? Can you change the delivery address after an order has shipped?
    • Manipulate values: intercept the request the client-side JavaScript builds and change the price field before it reaches the server. Submit quantity: -1 and check whether the total goes negative (a credit). Apply a coupon meant for a different user or product category.
  3. Test privilege assumptions: what happens if a standard user attempts to skip a paid feature gate by directly accessing the feature's API endpoint? What if they modify their subscription status in a cookie or localStorage value?
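The three steps above as a runnable harness, added here as an illustration and not code from the page. It assumes an in-memory checkout model (the Order dataclass, a NaiveCheckout that trusts the client and does not track step order, and a HardenedCheckout with the same interface that re-derives every value server-side) plus constructed catalog, coupon and subscription data; none of these names come from the page. Each deviation case from step 2 (skip, repeat, reverse, manipulate) and the step 3 privilege check returns True when the server accepted the abuse, which is exactly what a finding looks like on a real engagement, where the same cases become HTTP requests against a staging environment.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumption, not from the page): prices in cents.
CATALOG = {"sku-1": 2000}
COUPONS = {"SAVE5": 500}        # code -> discount in cents, one use per order
USER_TIERS = {"alice": "free"}  # server-side subscription record

class LogicError(Exception):
    """Raised by the hardened checkout when a request breaks the intended flow."""

@dataclass
class Order:
    items: dict = field(default_factory=dict)    # sku -> (qty, unit price)
    coupons: list = field(default_factory=list)  # applied discounts in cents
    charged: int = 0                             # cents actually taken
    paid: bool = False
    confirmed: bool = False

class NaiveCheckout:
    """Trusts client-supplied values and never checks which step came before."""
    def add_item(self, order, sku, qty, client_price):
        order.items[sku] = (qty, client_price)     # price taken from the client
    def apply_coupon(self, order, code):
        order.coupons.append(COUPONS[code])        # no per-order limit
    def total(self, order):
        return sum(q * p for q, p in order.items.values()) - sum(order.coupons)
    def pay(self, order):
        order.charged += self.total(order)         # charges again if resubmitted
        order.paid = True
    def confirm(self, order):
        order.confirmed = True                     # never checks that pay() ran
        return order.charged
    def premium_feature(self, user, claimed_tier):
        return claimed_tier == "premium"           # trusts a cookie/localStorage value

class HardenedCheckout(NaiveCheckout):
    """Same interface; every value and transition is re-derived server-side."""
    def add_item(self, order, sku, qty, client_price=None):
        if order.paid:
            raise LogicError("cart is locked after payment")
        if sku not in CATALOG or not isinstance(qty, int) or qty < 1:
            raise LogicError("invalid sku or quantity")
        order.items[sku] = (qty, CATALOG[sku])     # client_price is ignored
    def apply_coupon(self, order, code):
        if order.paid or code not in COUPONS or order.coupons:
            raise LogicError("coupon rejected")
        order.coupons.append(COUPONS[code])
    def total(self, order):
        return max(0, super().total(order))        # discounts never go below zero
    def pay(self, order):
        if order.paid or not order.items:
            raise LogicError("payment out of order")
        super().pay(order)
    def confirm(self, order):
        if not order.paid:
            raise LogicError("confirm before payment")
        return super().confirm(order)
    def premium_feature(self, user, claimed_tier=None):
        return USER_TIERS.get(user) == "premium"   # server-side lookup only

def _attempt(case):
    """Run one deviation; True means the server accepted it (a finding)."""
    try:
        return case()
    except (LogicError, KeyError):
        return False

def run_deviations(checkout):
    """Map each deviation from the methodology to True (accepted) or False (refused)."""
    def cart():
        o = Order()
        checkout.add_item(o, "sku-1", 1, 2000)
        return o
    def skip_payment():                            # skip a step: confirm without pay
        o = cart(); checkout.confirm(o)
        return o.confirmed and o.charged == 0
    def coupon_twice():                            # repeat a step
        o = cart(); checkout.apply_coupon(o, "SAVE5"); checkout.apply_coupon(o, "SAVE5")
        return checkout.total(o) == 1000
    def pay_twice():                               # repeat a step: resubmitted payment
        o = cart(); checkout.pay(o); checkout.pay(o)
        return o.charged == 4000
    def edit_after_pay():                          # reverse a step
        o = cart(); checkout.pay(o); checkout.add_item(o, "sku-1", 5, 2000)
        return o.items["sku-1"][0] == 5 and o.charged == 2000
    def negative_qty():                            # manipulate values
        o = Order(); checkout.add_item(o, "sku-1", -1, 2000)
        return checkout.total(o) < 0
    def client_price():                            # manipulate values
        o = Order(); checkout.add_item(o, "sku-1", 1, 1)
        return checkout.total(o) == 1
    def forged_tier():                             # privilege assumption (step 3)
        return checkout.premium_feature("alice", "premium")
    cases = [skip_payment, coupon_twice, pay_twice, edit_after_pay,
             negative_qty, client_price, forged_tier]
    return {c.__name__: _attempt(c) for c in cases}

if __name__ == "__main__":
    for name, impl in (("naive", NaiveCheckout()), ("hardened", HardenedCheckout())):
        print(name, run_deviations(impl))
```

Running it prints every case as True for the naive checkout and False for the hardened one. The design point worth carrying to a real target is that the hardened version never consults the client for price, tier or step position: price comes from the catalog, tier from the user record, and each handler checks the order's server-side state before acting, so the client can only request a transition, not assert one.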

Common real-world findings: coupon codes reused beyond their limit, negative quantity resulting in a refund, price from client-side JavaScript not validated server-side, and multi-step checkout that can be completed out of order via direct API calls.

// WHAT INTERVIEWERS LOOK FOR

Clear methodology (flow mapping → deviation testing). Gives concrete examples of business logic exploits. Explicitly states why automated tools miss these — they require domain knowledge.