Most people think hacking is about complex payloads, heavy scripts, or finding some crazy technical vulnerability. But sometimes, the biggest issues hide in simple business logic mistakes.
In this write-up, I'll explain how a ₹10 gift card had the potential to turn into a full product discount due to a business logic flaw.
Let's break it down.
Understanding Business Logic Bugs (In Simple Words)
A business logic vulnerability happens when the application's rules are not properly enforced.
These are not typical bugs like XSS or SQL injection. Instead, they appear when the application trusts the user too much or fails to properly validate its own workflow.
Examples:
- Reusing coupons multiple times
- Bypassing purchase limits
- Manipulating price calculations
- Abusing referral systems
- Reusing gift cards
Basically, if you break the intended workflow of the application, you might find a business logic flaw.
The Scenario
During testing, I was checking how gift cards worked during checkout.
The application had a simple rule:
- One gift card can only be used once
- A maximum of 15 gift cards can be applied per order
This looked completely normal.
To test it, I bought a ₹10 gift card. The product price I was testing with was ₹200.
First Test — Something Strange
I applied the ₹10 gift card during checkout.
The discount worked.
But when I tried again…
The same gift card worked again.
That was unexpected.
So I kept testing.
- 1st use >> ₹10 discount
- 2nd use >> ₹20 discount
- 5th use >> ₹50 discount
- 10th use >>₹100 discount
Eventually I used the same ₹10 gift card 14 times.
Now the math looked like this:
Product price: ₹200 Total discount: ₹140 Remaining payment: ₹60
That was already a serious business logic issue because a single gift card should not work multiple times.
But curiosity kicked in.
And that's where things got interesting…
Going Deeper with Burp Suite
I decided to inspect the request using Burp Suite.
The response contained something interesting:
remaining gift cards: 1That meant the system was keeping track of how many gift cards were still allowed.
At this point I had already used 14 gift cards.
So I intercepted the 15th request.
Instead of forwarding it directly, I modified the value.
remaining gift cards: 1I changed it to:
remaining gift cards: 2Then I forwarded the request
The Result
The application accepted it.
Now the system allowed 1 more gift cards, even though the limit was 15.
So the total became:
15 + 1 = 16 gift cards applied
All from the same ₹10 gift card.
This clearly showed that:
- The application trusted client-side values
- The server did not properly validate the gift card limit
The Root Cause
This bug existed because of two logic issues:
- Gift card reuse was not properly restricted
- Gift card limit was controlled through a modifiable request parameter
The server should have:
- Tracked gift card usage on the backend
- Validated the gift card ID
- Enforced the maximum limit server-side
But instead, it trusted a value that could be easily modified.
Reporting the Bug
I documented the entire issue with:
- Steps to reproduce
- Proof of concept
- Request modification
- Impact explanation
Unfortunately, the report turned out to be a duplicate.
But that's completely normal in bug bounty.
Even if a report becomes duplicate, the learning and mindset you build are far more valuable.
Final Thought
Many beginners chase only famous vulnerabilities like:
- XSS
- SQL Injection
- SSRF
But experienced hunters know that business logic flaws often hide the biggest impact.
So next time when you test an application, ask yourself:
What rule is this application trying to enforce… and how can I break it?
Because sometimes…
a ₹10 gift card is all you need.