B01 Business Logic Trust of Client
What this means
SiteShadow flagged code where the server is trusting client-provided values for security- or money-sensitive decisions (price, role, permissions, "paid" status, account limits, feature flags).
Why it matters
Attackers can manipulate client data to bypass business rules.
- Fraud: set price=0, discount=100, isPaid=true.
- Privilege escalation: set role=admin, plan=enterprise, limit=unlimited.
- State tampering: skip required workflow steps by sending "final" states directly.
Safer examples
1) Recompute sensitive values on the server
```javascript
// Client sends: { sku: "pro_monthly" } -- nothing else about money is accepted from the request
const sku = req.body.sku;
const price = pricingTable[sku]; // server source of truth
if (price === undefined) return res.status(400).json({ error: "unknown sku" }); // reject unknown SKUs instead of pricing them as undefined
const tax = computeTax(req.user, price); // server-side computation
```
2) Enforce allowed state transitions server-side
```python
allowed = {
    "draft": {"submitted"},
    "submitted": {"approved", "rejected"},
}
# Terminal states have no entry, so .get() turns them into "no transitions allowed"
# instead of a KeyError.
if new_state not in allowed.get(old_state, set()):
    raise PermissionError("Invalid transition")
```
3) Use allowlists/DTOs for updatable fields
Only allow safe fields to be set by the client. Everything else is server-controlled (see API01).
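The three patterns above, worked through as one Python module. This is an added illustration, not SiteShadow's code or the page's own snippets: the pricing table, tax rates, transition map and field allowlist are constructed sample data, and `create_order_vulnerable` is included only to show the anti-pattern that B01 flags beside its hardened counterparts.

```python
from dataclasses import dataclass

# Constructed server-side source of truth (hypothetical data for this example).
PRICING_TABLE = {"pro_monthly": 2900, "basic_monthly": 900}  # prices in cents
TAX_RATE = {"US": 0.08, "DE": 0.19}

# Allowed order-state transitions; any state not listed has no outgoing transitions.
ALLOWED_TRANSITIONS = {
    "draft": {"submitted"},
    "submitted": {"approved", "rejected"},
    "approved": {"paid"},
}

# DTO-style allowlist: the only profile fields a client may set on itself.
CLIENT_UPDATABLE_FIELDS = {"display_name", "newsletter_opt_in"}


@dataclass
class User:
    id: int
    country: str
    role: str = "member"


@dataclass
class Order:
    user_id: int
    sku: str
    state: str = "draft"
    price_cents: int = 0
    tax_cents: int = 0


def create_order_vulnerable(user: User, body: dict) -> Order:
    """The anti-pattern: price, tax and paid status are copied straight from the request."""
    return Order(user_id=user.id, sku=body["sku"],
                 state="paid" if body.get("isPaid") else "draft",
                 price_cents=int(body["price"]), tax_cents=int(body.get("tax", 0)))


def create_order(user: User, body: dict) -> Order:
    """Pattern 1: the client only names the SKU; price and tax are recomputed server-side."""
    sku = body.get("sku")
    if sku not in PRICING_TABLE:
        raise ValueError("unknown sku")
    price = PRICING_TABLE[sku]
    tax = round(price * TAX_RATE.get(user.country, 0.0))
    # State always starts at "draft"; a client-sent isPaid flag is simply ignored.
    return Order(user_id=user.id, sku=sku, price_cents=price, tax_cents=tax)


def transition_order(order: Order, new_state: str, actor: User) -> Order:
    """Pattern 2: only listed transitions, and only approvers may approve or reject."""
    if new_state not in ALLOWED_TRANSITIONS.get(order.state, set()):
        raise PermissionError(f"invalid transition {order.state} -> {new_state}")
    if new_state in {"approved", "rejected"} and actor.role != "approver":
        raise PermissionError("only approvers may approve or reject")
    order.state = new_state
    return order


def update_profile(user: User, body: dict) -> dict:
    """Pattern 3: copy only allowlisted fields; role, plan and limits are never client-settable."""
    applied = {k: v for k, v in body.items() if k in CLIENT_UPDATABLE_FIELDS}
    rejected = sorted(k for k in body if k not in CLIENT_UPDATABLE_FIELDS)
    return {"applied": applied, "rejected": rejected}


if __name__ == "__main__":
    customer = User(1, "DE")
    body = {"sku": "pro_monthly", "price": 0, "isPaid": True}  # constructed tampered request
    print("vulnerable:", create_order_vulnerable(customer, body))
    print("hardened:  ", create_order(customer, body))
    print("profile:   ", update_profile(customer, {"display_name": "x", "role": "admin"}))
```

Note that the hardened handler does not reject a request that carries a price or isPaid field; it simply never reads them. Rejecting unexpected fields (as `update_profile` reports) is a useful extra signal for logging, but the security property comes from the server never consulting the client value at all.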
How SiteShadow detects it (high level)
- Flags client-controlled fields being used in sensitive decisions (money, role, auth/state).
- Looks for "trust boundary" signals like request body values flowing into pricing/status/permission code paths.
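To make the "trust boundary" signal concrete, here is a deliberately small taint check over Python source using the standard `ast` module. It is an added illustration, not SiteShadow's detector: it treats values rooted in the names listed in CLIENT_SOURCES as client-controlled, tracks simple assignments within each function, treats a lookup into a server-side container (a pricing table keyed by a client-sent SKU) as a sanitizer, and reports when a tainted value is assigned to a sensitive name or passed to a sensitive call. The source names, sink names and the SAMPLE handler code are constructed for this example.

```python
import ast

# Constructed heuristics for this example: names whose attributes/items are client-controlled,
# variable names that represent a sensitive decision, and calls that act as money/auth sinks.
CLIENT_SOURCES = {"request", "req", "body", "params", "form"}
SENSITIVE_NAMES = {"price", "role", "is_paid", "isPaid", "discount", "limit", "state", "plan"}
SENSITIVE_CALLS = {"set_role", "charge", "grant", "set_state"}


def _root_name(node):
    """Follow a.b[c].d back to the leftmost Name, or None if it is not a plain name."""
    while isinstance(node, (ast.Attribute, ast.Subscript)):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


def _is_client_derived(node, tainted):
    """True if the expression reads a client source or a variable already marked tainted."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, (ast.Attribute, ast.Subscript)):
        if _root_name(node) in CLIENT_SOURCES:
            return True
        # Indexing a server-side container with a client key yields a server value,
        # so only the container (not the key) decides taint here.
        return _is_client_derived(node.value, tainted)
    return any(_is_client_derived(child, tainted) for child in ast.iter_child_nodes(node))


def find_client_trust(source: str):
    """Return [(lineno, message)] for places where client data reaches a sensitive decision."""
    tree = ast.parse(source)
    # Statements in source order so assignments are seen before the uses that follow them.
    stmts = sorted((n for n in ast.walk(tree) if isinstance(n, ast.stmt)),
                   key=lambda n: (n.lineno, n.col_offset))
    tainted, findings = set(), []
    for stmt in stmts:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef)):
            tainted = set()  # taint is tracked per function
            continue
        value = getattr(stmt, "value", None)
        if value is None:
            continue  # compound statements contribute through their nested statements
        if isinstance(stmt, ast.Assign) and _is_client_derived(value, tainted):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    tainted.add(target.id)
                    name = target.id
                else:
                    name = getattr(target, "attr", None)
                if name in SENSITIVE_NAMES:
                    findings.append((stmt.lineno, f"client-controlled value assigned to '{name}'"))
        for call in ast.walk(value):
            if not isinstance(call, ast.Call):
                continue
            fname = call.func.id if isinstance(call.func, ast.Name) else getattr(call.func, "attr", None)
            args = list(call.args) + [kw.value for kw in call.keywords]
            if fname in SENSITIVE_CALLS and any(_is_client_derived(a, tainted) for a in args):
                findings.append((stmt.lineno, f"client-controlled value passed to '{fname}'"))
    return findings


# Constructed sample handlers: two vulnerable, one that recomputes price from a server table.
SAMPLE = '''
def checkout(request, user):
    sku = request.json["sku"]
    price = request.json["price"]
    total = price * 1.08
    charge(user, total)
    return total

def update_profile(request, user):
    new_role = request.json.get("role")
    set_role(user, new_role)

def safe_checkout(request, user):
    sku = request.json["sku"]
    price = PRICING[sku]
    charge(user, price)
'''

if __name__ == "__main__":
    for lineno, msg in find_client_trust(SAMPLE):
        print(f"line {lineno}: {msg}")
```

On the sample this reports line 4 (client price assigned to `price`), line 6 (that value reaching `charge`) and line 11 (a client role reaching `set_role`), while `safe_checkout` is silent because `PRICING[sku]` is treated as a server-side lookup. A real detector needs inter-procedural flow, framework-specific sources and far richer sink modelling; the point here is only the shape of the signal.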
References
- OWASP Top 10: https://owasp.org/Top10/
---