Web Security · DeepScan Research
Business logic pentest examples scanners usually miss
Examples of business logic vulnerabilities in SaaS applications and why proof-focused testing is required to find them.
Business logic vulnerabilities happen when the application does exactly what the code says, but not what the business rules require. A scanner can detect missing headers or known patterns, but it usually cannot understand whether a user should be allowed to refund an invoice, invite an admin, change a plan, or access another tenant's data.
Common examples include invite abuse, role downgrade bypass, tenant switching errors, coupon and billing manipulation, trial extension abuse, workflow replay, approval bypass, export abuse, and inconsistent authorization between UI and API routes. Each requires context.
Take invite flows. A product may allow admins to invite users, but fail to validate who can assign roles. A low-privileged user might replay an invite request and set themselves as owner. Nothing about that request looks like a classic vulnerability without understanding the expected role model.
Tenant isolation issues are another frequent class. Users switch organizations, teams, clinics, accounts, projects, or workspaces. If one endpoint trusts a client-supplied ID or stale session state, data can cross boundaries even though authentication works correctly.
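Both patterns above, the invite flow that lets a low-privileged user assign themselves owner and the endpoint that trusts a client-supplied tenant ID, come down to the same handler shape. The following is an added illustration, not DeepScan's code: a vulnerable invite handler beside a hardened one, with an assumed role model (owner, admin, member), assumed function names, and a constructed in-memory membership store.

```python
# Added example (not DeepScan's code): an invite handler that trusts the
# client-supplied role and tenant id, beside a hardened version that derives
# both from server-side state. Role names and the rank order are assumed.
from dataclasses import dataclass

RANK = {"owner": 3, "admin": 2, "member": 1}   # assumed role model, highest first

@dataclass
class Session:
    user_id: str
    tenant_id: str   # tenant the user is currently acting in

def make_members() -> dict:
    """Constructed membership store: tenant_id -> {user_id: role}."""
    return {"acme": {"alice": "owner", "bob": "member"},
            "globex": {"carol": "admin"}}

def invite_vulnerable(members: dict, session: Session, body: dict) -> dict:
    """Vulnerable: tenant_id and role are taken from the request body unchecked.
    A member can replay an invite naming themselves as owner, or write into a
    tenant they do not belong to; authentication alone does not stop either."""
    tenant = body["tenant_id"]
    members.setdefault(tenant, {})[body["user"]] = body["role"]
    return {"tenant": tenant, "user": body["user"], "role": body["role"]}

def invite_hardened(members: dict, session: Session, body: dict) -> dict:
    """Hardened: the tenant comes from the session, the inviter's role is re-read
    from the membership store (not from stale session data), only admins or
    owners may invite, and no one may grant a role above their own."""
    tenant = session.tenant_id                        # ignore body["tenant_id"]
    inviter_role = members.get(tenant, {}).get(session.user_id)
    if inviter_role is None or RANK[inviter_role] < RANK["admin"]:
        raise PermissionError("only admins or owners of this tenant may invite")
    requested = body.get("role", "member")
    if requested not in RANK or RANK[requested] > RANK[inviter_role]:
        raise PermissionError("cannot assign a role above your own")
    members[tenant][body["user"]] = requested
    return {"tenant": tenant, "user": body["user"], "role": requested}
```

The evidence a report needs falls out of the two functions directly: the acting user's stored role, the request body, the rule that should have applied, and the resulting membership state.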
Business logic testing needs multiple roles, realistic data, and multi-step scenarios. It also needs proof. A report should show the user state, request sequence, expected rule, actual outcome, and impact. Without that evidence, engineering may close the issue as "cannot reproduce".
DeepScan agent workflows are useful here because they can explore variations across roles, objects, and workflows while keeping evidence tied to the approved scope. Human review still matters for interpreting business impact.
The practical takeaway: do not confuse scanner coverage with pentest coverage. If a test never attempts the actions your customers and admins actually perform, it is not testing your product's real risk.