Abusing the Rules: Detect and Defend Against Business Logic Attacks in APIs
Business logic vulnerabilities in APIs are often design oversights that lead to dangerous outcomes. They occur when attackers abuse legitimate API behavior to bypass controls or exploit workflows. In this talk, we’ll share field experience developing behavioral analysis techniques that surface exploitable API behaviors at scale. We developed a method for passively analyzing API responses: clustering similar logic flows and flagging anomalies that suggest potential abuse paths. You’ll see how business logic vulnerabilities manifest in real-world APIs, how attackers chain together valid actions to achieve unintended outcomes, and how defenders can catch these issues early. The session will conclude with practical strategies for integrating business logic awareness into threat modeling and CI/CD pipelines.
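To make the two ideas in the abstract concrete (an attacker chaining individually valid calls into an unintended outcome, and a passive pass over API responses that groups sessions by flow and flags the odd ones), here is an added illustration. It is not code from the talk or from Escape's tooling: the checkout API, the coupon rule, the endpoint names and the response log are all constructed for this example, and the anomaly rule ("a once-per-order mutation succeeded more than once in a flow") is one simple heuristic chosen here, not the speaker's method.

```python
"""Constructed example: a toy checkout API with a business logic flaw, its
hardened form, and a passive check over a (constructed) API response log.
Hypothetical throughout; not Escape's code."""
from collections import defaultdict

PRICES = {"book": 20.0, "pen": 5.0}
COUPONS = {"SAVE10": 10.0}  # flat discount, intended to apply once per order


class VulnerableCart:
    """Each call is valid on its own; apply_coupon never checks prior use."""

    def __init__(self):
        self.items, self.discount = [], 0.0

    def add_item(self, sku):
        self.items.append(PRICES[sku])
        return self.total()

    def apply_coupon(self, code):
        self.discount += COUPONS[code]  # flaw: discount stacks on every call
        return self.total()

    def total(self):
        return max(0.0, sum(self.items) - self.discount)


class HardenedCart(VulnerableCart):
    """Enforce the workflow rule the business assumed but never coded."""

    def __init__(self):
        super().__init__()
        self.coupon_used = False

    def apply_coupon(self, code):
        if self.coupon_used:
            raise ValueError("coupon already applied to this cart")
        if not self.items:
            raise ValueError("cannot discount an empty cart")
        self.coupon_used = True
        return super().apply_coupon(code)


def abuse_chain(cart, code="SAVE10", times=3):
    """Attacker path: one cheap item, then the same valid coupon call repeated."""
    cart.add_item("book")
    for _ in range(times):
        cart.apply_coupon(code)
    return cart.total()


# Endpoints a single order should hit at most once (hypothetical names).
MUTATING = {"POST /cart/coupon"}

# Constructed response log: (session_id, "METHOD path", http_status, total in body)
LOG = [
    ("s1", "POST /cart/items", 200, 20.0), ("s1", "POST /cart/coupon", 200, 10.0),
    ("s1", "POST /checkout", 200, 10.0),
    ("s2", "POST /cart/items", 200, 25.0), ("s2", "POST /cart/coupon", 200, 15.0),
    ("s2", "POST /checkout", 200, 15.0),
    ("s3", "POST /cart/items", 200, 20.0), ("s3", "POST /cart/coupon", 200, 10.0),
    ("s3", "POST /cart/coupon", 200, 0.0), ("s3", "POST /cart/coupon", 200, 0.0),
    ("s3", "POST /checkout", 200, 0.0),
]


def cluster_flows(log):
    """Group calls per session, then cluster sessions by their endpoint sequence."""
    flows = defaultdict(list)
    for sid, endpoint, status, total in log:
        flows[sid].append((endpoint, status, total))
    clusters = defaultdict(list)
    for sid, calls in flows.items():
        clusters[tuple(ep for ep, _, _ in calls)].append(sid)
    return flows, clusters


def flag_anomalies(log):
    """Flag sessions whose flow repeats a once-per-order mutation with 2xx
    responses; return (session, repeated endpoints, final reported total)."""
    flows, clusters = cluster_flows(log)
    findings = []
    for signature, session_ids in clusters.items():
        repeated = sorted(ep for ep in MUTATING if signature.count(ep) > 1)
        if not repeated:
            continue
        for sid in session_ids:
            succeeded_twice = all(
                sum(1 for ep, st, _ in flows[sid] if ep == r and 200 <= st < 300) > 1
                for r in repeated)
            if succeeded_twice:
                findings.append((sid, repeated, flows[sid][-1][2]))
    return findings


if __name__ == "__main__":
    print("vulnerable total after chained coupons:", abuse_chain(VulnerableCart()))
    print("flagged sessions:", flag_anomalies(LOG))
```

The attack never sends a malformed request: every call is one the API is designed to accept, and only the sequence is wrong. The passive check needs no knowledge of the bug itself, only of which endpoints the business expects once per flow, which is the kind of workflow assumption a threat model should write down so it can be turned into a rule like `MUTATING` above.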
Speaker

Nohé Hinniger-Foray
Full-Stack R&D Engineer @ Escape
Nohé is Full-Stack R&D Engineer @ Escape. As a computer science enthusiast, he loves to craft new technologies, tools and applications for the open-source community. He has also shared his expertise at various security and tech conferences such as BSides Berlin, engaging with a broader audience.