Business Logic Invariant Testing

PhantomYerra uses Claude to read your application's source code, derive security rules (invariants) that must always be true, then automatically generate test cases that try to violate them. No other tool does this.

What Are Business Logic Vulnerabilities?

Business logic vulnerabilities are flaws in the design or implementation of an application's intended behaviour. Unlike technical vulnerabilities (SQL injection, XSS), these cannot be detected by signatures or pattern matching - they require understanding what the application is supposed to do and finding ways to make it behave incorrectly.

Price Manipulation

An e-commerce checkout uses the total sent by the client instead of recomputing it server-side from the catalogue price of each line item. An attacker intercepts the request and replaces the final price with a negative value, and the store issues a refund on "purchase".

POST /api/checkout
{"items": [...], "total": -99.99, "coupon": "SAVE10"}

Account Takeover via Workflow Bypass

A password reset flow has three steps: request → verify OTP → set password. The third step does not verify the OTP was actually validated: it only checks that the reset token exists.

POST /api/reset/set-password
{"token": "abc123", "new_password": "hacked"}
# Step 2 (OTP verify) never called

Quantity Underflow

A shopping cart accepts negative quantities. Setting a quantity to -1 subtracts that item's price from the cart total, and stacking a discount coupon on top pushes the total below zero, so the store ends up paying the attacker.

PUT /api/cart/items/42
{"quantity": -1, "product_id": "premium-item"}
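Both pricing flaws above come from the server accepting price-bearing fields from the client. The following is an added example, not PhantomYerra's code or the page's: a checkout handler that trusts the request body beside one that recomputes the total from a server-side catalogue, rejects non-positive quantities and floors the discounted total at zero. The catalogue, coupon table (fixed amounts off, as SAVE10 and SAVE100 read on this page), tax rate and the three request bodies are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed server-side catalogue and coupon table (illustrative values).
# Coupons take a fixed amount off the subtotal; discount is applied before tax.
CATALOG = {"premium-item": Decimal("49.99"), "basic-item": Decimal("9.99")}
COUPONS = {"SAVE10": Decimal("10.00"), "SAVE100": Decimal("100.00")}
TAX_RATE = Decimal("0.20")
CENT = Decimal("0.01")


class Rejected(Exception):
    """Raised by the hardened handler when a request breaks a pricing rule."""


def vulnerable_checkout(body):
    """Trusts the client. A client-supplied 'total' is used as the subtotal; otherwise
    line items are summed with no check on quantity. Returns the amount charged to
    the card; a negative result means the store refunds the attacker."""
    if "total" in body:
        subtotal = Decimal(str(body["total"]))
    else:
        subtotal = sum(CATALOG[i["product_id"]] * i["quantity"] for i in body["items"])
    discount = COUPONS.get(body.get("coupon", ""), Decimal("0"))
    return ((subtotal - discount) * (1 + TAX_RATE)).quantize(CENT, ROUND_HALF_UP)


def hardened_checkout(body):
    """Recomputes the total from server-side prices: any client-supplied 'total' is
    ignored, quantities must be positive integers, unknown products are rejected, and
    a coupon can bring the charge to zero but never below it."""
    subtotal = Decimal("0")
    for item in body.get("items", []):
        qty = item.get("quantity")
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise Rejected(f"invalid quantity {qty!r}")
        price = CATALOG.get(item.get("product_id"))
        if price is None:
            raise Rejected(f"unknown product {item.get('product_id')!r}")
        subtotal += price * qty
    if subtotal <= 0:
        raise Rejected("empty cart")
    discount = COUPONS.get(body.get("coupon", ""), Decimal("0"))
    discounted = max(subtotal - discount, Decimal("0"))
    return (discounted * (1 + TAX_RATE)).quantize(CENT, ROUND_HALF_UP)


def is_rejected(handler, body):
    """True if the handler refuses the request."""
    try:
        handler(body)
    except Rejected:
        return True
    return False


# Constructed requests mirroring the two attacks above, plus two honest orders.
TAMPERED_TOTAL = {"items": [{"product_id": "premium-item", "quantity": 1}],
                  "total": -99.99, "coupon": "SAVE10"}
NEGATIVE_QUANTITY = {"items": [{"product_id": "premium-item", "quantity": -1}],
                     "coupon": "SAVE100"}
HONEST_ORDER = {"items": [{"product_id": "premium-item", "quantity": 1}], "coupon": "SAVE10"}
OVERSIZED_COUPON = {"items": [{"product_id": "basic-item", "quantity": 1}], "coupon": "SAVE100"}

if __name__ == "__main__":
    print("vulnerable, tampered total :", vulnerable_checkout(TAMPERED_TOTAL))
    print("vulnerable, quantity -1    :", vulnerable_checkout(NEGATIVE_QUANTITY))
    print("hardened, tampered total   :", hardened_checkout(TAMPERED_TOTAL))
    print("hardened, quantity -1 rejected:", is_rejected(hardened_checkout, NEGATIVE_QUANTITY))
    print("hardened, oversized coupon :", hardened_checkout(OVERSIZED_COUPON))
```

Decimal is used deliberately: money arithmetic in binary floats rounds unpredictably, and a pricing invariant stated in cents cannot be tested reliably against a handler that drifts by fractions of a cent.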

Race Condition - Double Spend

A wallet transfer checks the balance and then deducts it as two separate steps, with no lock or conditional update holding the balance in between. Sending two simultaneous requests for the full balance lets both pass the check before either deduction lands, so the same funds are spent twice.

# Two simultaneous requests, each for the full balance
curl -X POST /api/transfer -H 'Content-Type: application/json' -d '{"amount": 1000}' &
curl -X POST /api/transfer -H 'Content-Type: application/json' -d '{"amount": 1000}' &
wait
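The double spend is a check-then-act gap, and the same gap is what lets a burst of login attempts slip past a lockout counter. Below is an added example (not PhantomYerra's code or the page's) that reproduces the interleaving deterministically: a wallet whose check and deduction are separate steps, beside one that performs both in a single critical section. The `threading.Barrier` inside `NaiveWallet` is a constructed test hook that holds each request after its balance check until the other has also passed it; a loaded server reaches the same interleaving by chance.

```python
import threading


class NaiveWallet:
    """Check and deduct are two separate operations with nothing holding the balance
    between them, so two requests can both pass the check before either deducts."""

    def __init__(self, balance):
        self.balance = balance
        self._db_lock = threading.Lock()
        # Constructed test hook: forces two concurrent transfers to both clear the
        # balance check before either one deducts (see lead-in).
        self._after_check = threading.Barrier(2)

    def transfer(self, amount):
        if self.balance < amount:                 # 1. check
            return False
        try:
            self._after_check.wait(timeout=2)     # test hook only
        except threading.BrokenBarrierError:
            pass
        with self._db_lock:                       # 2. deduct: models an UPDATE that is
            self.balance -= amount                #    atomic on its own but acts on a stale check
        return True


class SafeWallet:
    """Check and deduct inside one critical section. The database equivalent is a
    conditional write, e.g. UPDATE wallets SET balance = balance - :amount
    WHERE id = :id AND balance >= :amount, followed by a check of the row count."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def transfer(self, amount):
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def concurrent_transfers(wallet, amount, n=2):
    """Fire n transfers of `amount` at once; return (successful transfers, final balance)."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(wallet.transfer(amount)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), wallet.balance


if __name__ == "__main__":
    print("naive wallet :", concurrent_transfers(NaiveWallet(1000), 1000))   # both succeed
    print("safe wallet  :", concurrent_transfers(SafeWallet(1000), 1000))    # one succeeds
```

The fix is not "add a lock in Python": with several application workers, only the datastore sees every request, so the check and the deduction have to be one conditional statement or one transaction with a row lock there. The rate-limiting invariant later on this page is the same shape: increment the counter and compare it to the threshold in one atomic operation.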

How Invariant Discovery Works

PhantomYerra's AI reads your source code and derives security invariants - statements about what must always be true in a correctly functioning application. This is the foundation of business logic testing.

Source Code Input

Routes, controllers, models, auth middleware

AI Invariant Discovery

Claude reads code, derives rules that must always hold

Fuzzer Generation

AI writes test cases to violate each invariant

Live Testing

Tests run against target - violations become findings

Example Invariants Discovered

Invariant - Pricing
RULE: cart_total must always equal sum(item.price * item.quantity) with every item.quantity >= 1, and must never fall below zero after any discount is applied
VIOLATION: POST /checkout with negative quantity reduces total below zero - store issues refund
Invariant - Authentication Workflow
RULE: password_reset_complete() must only execute if otp_verified flag is True in session
VIOLATION: /reset/complete accepts valid token without checking otp_verified: OTP step skipped
Invariant - Authorisation
RULE: user can only read/write resources where resource.owner_id == session.user_id OR user.role == 'admin'
VIOLATION: GET /api/invoices/{id} - id parameter not validated against owner_id - horizontal IDOR
Invariant - Rate Limiting
RULE: failed_login_attempts for an account must be incremented and compared against the lockout threshold in one atomic operation, so no attempt is evaluated against a stale counter
VIOLATION: Race condition allows 50 simultaneous login attempts before lockout triggers

Using the Business Logic Tester

Step 1 - Open Business Logic Tester

In the Scan Wizard, select Business Logic Testing as a scan surface, or navigate to Scans → Business Logic from the sidebar.

Step 2 - Provide Source Code

Upload your application's source directory, paste a repository URL for PhantomYerra to clone locally, or select a previously analysed codebase from the project library. PhantomYerra accepts Node.js, Python, Ruby, Java, Go, .NET, and PHP applications.

[Screenshot: Business Logic Tester - Source Input Panel. Upload panel with a drag-and-drop zone for the source directory; below it, a repository URL input field. The right panel lists previously analysed codebases with last analysis date and invariant count.]

Step 3 - Review Discovered Invariants

After analysis (typically 30-90 seconds), PhantomYerra displays all discovered invariants grouped by category: Authentication, Authorisation, Financial, Workflow, Data Integrity, Rate Limiting. Review and deselect any invariants that are intentionally flexible in your application.

Step 4 - Configure Target and Credentials

Set the base URL of the running application and provide authentication credentials for at least one standard user account. For privilege escalation testing, provide credentials for multiple roles.

Step 5 - Run the Tests

Click Start Business Logic Scan. PhantomYerra generates and executes test cases for each invariant. Violations that are confirmed with working exploit evidence are automatically escalated to findings.

[Screenshot: Business Logic Scan - Live Results. Split panel: the left side lists the invariants under test with pass/fail indicators and a progress bar; the right side is a live activity feed of HTTP requests and responses as tests execute. Violations are highlighted in red with full evidence immediately available.]

Adding Custom Invariants

You can manually define invariants that the AI may not have discovered from source code, or that describe business rules specific to your domain.

Custom Invariant Format

{
  "name": "No free upgrades via price override",
  "description": "The final billing amount for a subscription upgrade must match the Stripe price ID for the selected tier. Client-side price manipulation must be rejected.",
  "test_vectors": [
    {"field": "price_id", "tamper": "price_free_tier", "expect_rejection": true},
    {"field": "amount", "tamper": 0, "expect_rejection": true},
    {"field": "amount", "tamper": -1, "expect_rejection": true}
  ],
  "severity": "critical",
  "category": "financial"
}
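To make the test-vector fields concrete, here is an added example of how such a definition is turned into requests and verdicts. It is illustrative code, not PhantomYerra's own runner: it takes the invariant above verbatim, applies each tamper to a copy of a known-good request, submits it to a handler and reports every outcome that contradicts `expect_rejection`. The tier table (hypothetical Stripe-style price IDs, amounts in cents), the baseline request and the two handlers are constructed for the example.

```python
import copy
import json

# The custom invariant from the page, exactly as it would be submitted.
INVARIANT = json.loads("""
{
  "name": "No free upgrades via price override",
  "description": "The final billing amount for a subscription upgrade must match the Stripe price ID for the selected tier. Client-side price manipulation must be rejected.",
  "test_vectors": [
    {"field": "price_id", "tamper": "price_free_tier", "expect_rejection": true},
    {"field": "amount", "tamper": 0, "expect_rejection": true},
    {"field": "amount", "tamper": -1, "expect_rejection": true}
  ],
  "severity": "critical",
  "category": "financial"
}
""")

# Constructed server-side tier table (hypothetical price IDs, amounts in cents) and a
# known-good pro-tier upgrade request that the target is expected to accept.
TIER_PRICES = {"price_free_tier": 0, "price_pro_tier": 4900}
BASELINE = {"price_id": "price_pro_tier", "amount": 4900}


def vulnerable_upgrade(body, selected_tier="price_pro_tier"):
    """Accepts any known price_id and bills the amount the client supplied.
    Returns (accepted, amount_billed)."""
    if body.get("price_id") not in TIER_PRICES:
        return False, 0
    return True, body.get("amount", 0)


def hardened_upgrade(body, selected_tier="price_pro_tier"):
    """Treats the tier the user chose as server-side state: the request must name
    that tier and carry its catalogue amount, and the catalogue amount is billed."""
    expected = TIER_PRICES[selected_tier]
    if body.get("price_id") != selected_tier or body.get("amount") != expected:
        return False, 0
    return True, expected


def run_invariant(invariant, baseline, handler):
    """Apply each test vector to a copy of the baseline, submit it, and report every
    vector whose outcome contradicts expect_rejection. Raises if the untampered
    baseline is itself rejected: rejections would then prove nothing (a common cause
    is an expired session, not a working control)."""
    accepted, _ = handler(copy.deepcopy(baseline))
    if not accepted:
        raise RuntimeError("baseline request rejected; fix auth/session before fuzzing")
    violations = []
    for vector in invariant["test_vectors"]:
        request = copy.deepcopy(baseline)
        request[vector["field"]] = vector["tamper"]
        accepted, billed = handler(request)
        if (not accepted) != vector["expect_rejection"]:
            violations.append({"invariant": invariant["name"],
                               "severity": invariant["severity"],
                               "field": vector["field"],
                               "tamper": vector["tamper"],
                               "billed": billed})
    return violations


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_upgrade), ("hardened", hardened_upgrade)):
        for v in run_invariant(INVARIANT, BASELINE, handler):
            print(f"[{v['severity']}] {name}: {v['field']}={v['tamper']!r} accepted, billed {v['billed']}")
```

Each tamper is applied to a fresh copy of the baseline, so vectors are independent and a finding names exactly one field. Against `vulnerable_upgrade` all three vectors are accepted and become findings; against `hardened_upgrade` none are.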

Where to Add Custom Invariants

In the Business Logic Tester, click Add Custom Invariant in the invariants panel. Fill in the name, description, and test vectors using the format above. Custom invariants are saved to your project and reused on subsequent scans.

Integration with the Full Scan Pipeline

Business Logic Testing integrates smoothly with PhantomYerra's full attack chain analysis. Invariant violations discovered during business logic testing are automatically correlated with findings from DAST, authentication testing, and IDOR testing to build complete multi-step attack chains.

Example Attack Chain

[RECON] Discovered checkout API endpoint via crawler

[BUSINESS LOGIC] Invariant violation: negative quantity accepted

[EXPLOITATION] Cart total reduced to -$500 with coupon SAVE100

[IMPACT] Store issues $500 refund to attacker card

[CHAIN] Combined with IDOR on /api/orders/{id} → attacker can replay other users' orders with negative totals