GuardAPI

Fix Business Logic Errors in Next.js

Business logic errors in Next.js environments typically manifest when developers conflate client-side UI state with server-side authority. In the context of Server Actions and API Routes, logic flaws often involve parameter tampering where critical values—like unit prices, user roles, or discount codes—are trusted directly from the request payload rather than being validated against the database source of truth.

The Vulnerable Pattern

```javascript
// Vulnerable route handler (App Router style, e.g. app/api/orders/route.js).
// `db` is assumed to be the app's Prisma client; the import path is an assumption.
import { db } from '@/lib/db';

export async function POST(req) {
  const { cartItems, totalAmount, userId } = await req.json();

  // VULNERABILITY: The server blindly trusts the 'totalAmount' sent by the client.
  // An attacker can intercept the request and change 500.00 to 0.01.
  // 'userId' is also client-controlled, so the order can be attributed to any user.
  const order = await db.order.create({
    data: { userId, items: cartItems, amount: totalAmount, status: 'PAID' },
  });

  return new Response(JSON.stringify({ success: true, orderId: order.id }));
}
```

The Secure Implementation

The exploit vector here is Parameter Tampering. In the vulnerable snippet, the developer treats the client as a trusted calculator. A 'hacker' simply modifies the JSON body in transit to set an arbitrary price. The secure implementation follows the 'Zero Trust' principle: the client only sends the intent (product IDs and quantities), while the server performs the authoritative lookup and calculation. Additionally, the secure version uses session-based identity instead of a client-provided 'userId' to prevent Insecure Direct Object Reference (IDOR) attacks.

```javascript
// Secure route handler. getServerSession is next-auth's server-side helper;
// the import paths for `db` (Prisma client) and `authOptions` are assumptions.
import { getServerSession } from 'next-auth';
import { db } from '@/lib/db';
import { authOptions } from '@/lib/auth';

export async function POST(req) {
  const { cartItems } = await req.json();
  const session = await getServerSession(authOptions);

  if (!session) return new Response('Unauthorized', { status: 401 });
  if (!Array.isArray(cartItems) || cartItems.length === 0) {
    return new Response('Bad Request', { status: 400 });
  }

  // SECURE: Fetch product data directly from the DB to verify prices
  const productIds = cartItems.map((item) => item.id);
  const dbProducts = await db.product.findMany({ where: { id: { in: productIds } } });

  // Recalculate total on the server side. Unknown products are rejected, and so
  // are non-integer or non-positive quantities (a negative quantity would
  // otherwise lower the total).
  const validatedTotal = cartItems.reduce((sum, item) => {
    const product = dbProducts.find((p) => p.id === item.id);
    if (!product) throw new Error('Invalid product ID');
    if (!Number.isInteger(item.quantity) || item.quantity <= 0) {
      throw new Error('Invalid quantity');
    }
    return sum + product.price * item.quantity;
  }, 0);

  const order = await db.order.create({
    data: { userId: session.user.id, items: cartItems, amount: validatedTotal, status: 'PENDING' },
  });

  return new Response(JSON.stringify({ success: true, orderId: order.id }));
}
```
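The server-side pricing step, pulled out into a pure function so it can be unit-tested without a database or session. This is an added example, not GuardAPI's code: `CATALOG` is a constructed stand-in for the `db.product.findMany()` lookup, `MAX_QTY_PER_LINE` is a hypothetical per-line cap, and prices are kept in integer cents so floating-point rounding cannot creep into totals. It also tightens the shape checks (duplicate lines, quantity bounds) beyond what the handler above does, and shows side by side what the vulnerable handler would have charged for a tampered payload.

```javascript
// Constructed stand-in for the product table (db.product.findMany) keyed by id.
const CATALOG = new Map([
  ['sku-1', { priceCents: 50000 }], // $500.00
  ['sku-2', { priceCents: 1299 }],  // $12.99
]);

// Hypothetical business rule: no more than 100 units of one product per order.
const MAX_QTY_PER_LINE = 100;

// Prices an order from the client's *intent* (ids + quantities) only.
// Any client-supplied price or total is ignored; malformed input throws.
function priceOrder(payload, catalog = CATALOG) {
  if (!payload || !Array.isArray(payload.cartItems) || payload.cartItems.length === 0) {
    throw new Error('cartItems must be a non-empty array');
  }
  const seen = new Set();
  const lines = [];
  let totalCents = 0;
  for (const item of payload.cartItems) {
    if (typeof item?.id !== 'string') throw new Error('item id must be a string');
    if (seen.has(item.id)) throw new Error(`duplicate line item: ${item.id}`);
    seen.add(item.id);
    const qty = item.quantity;
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY_PER_LINE) {
      throw new Error(`invalid quantity for ${item.id}`);
    }
    const product = catalog.get(item.id);
    if (!product) throw new Error(`unknown product: ${item.id}`);
    // Only catalog data reaches the total; item.price and payload.totalAmount are never read.
    totalCents += product.priceCents * qty;
    lines.push({ id: item.id, quantity: qty, unitPriceCents: product.priceCents });
  }
  return { totalCents, lines };
}

// What the vulnerable handler charges: whatever number the client put in the body.
function vulnerableTotal(payload) {
  return payload.totalAmount;
}

// Constructed tampered request: a $500 product declared at one cent.
const TAMPERED = {
  cartItems: [{ id: 'sku-1', quantity: 1, price: 0.01 }],
  totalAmount: 0.01,
};

console.log('vulnerable charges:', vulnerableTotal(TAMPERED));      // 0.01
console.log('secure charges (cents):', priceOrder(TAMPERED).totalCents); // 50000
```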

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.