GuardAPI

Fix Logic Flow Bypass in Express

Logic flow bypasses in Express applications occur when critical business logic transitions rely on client-controlled input rather than server-side state. Attackers exploit these by skipping middleware or manipulating parameters to jump ahead in a workflow, such as bypassing a payment gate or an MFA step.

The Vulnerable Pattern

app.post('/api/v1/ship-order', (req, res) => {
  // VULNERABILITY: Trusting the client-provided flag 'isPaid'
  const { orderId, isPaid } = req.body;

  if (isPaid === true) {
    executeShipping(orderId);
    return res.status(200).json({ status: 'shipped' });
  }

  res.status(400).json({ error: 'Payment required' });
});

The Secure Implementation

The exploit targets the trust boundary between the client and the server. In the vulnerable snippet, the server blindly accepts the 'isPaid' boolean from the request body, allowing an attacker to spoof a successful payment simply by modifying the JSON payload. The secure implementation enforces a server-side state machine. By querying the database for the actual 'paymentStatus', we ensure the logic flow cannot be bypassed via parameter manipulation. Rule of thumb: Never let the client tell you what state the application is in; always verify it against your own records.

app.post('/api/v1/ship-order', async (req, res) => {
  const { orderId } = req.body;

  // FIX: Fetch the 'source of truth' from the database
  const order = await db.Orders.findOne({ where: { id: orderId } });

  if (!order) {
    return res.status(404).json({ error: 'Order not found' });
  }

  // Verify server-side state, ignore client-provided status flags
  if (order.paymentStatus !== 'COMPLETED') {
    return res.status(403).json({ error: 'Illegal state transition: Payment not verified' });
  }

  await executeShipping(orderId);
  await order.update({ status: 'SHIPPED' });

  res.status(200).json({ status: 'shipped' });
});
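The following is an added example, not GuardAPI's code, that puts the vulnerable and the fixed handler side by side and runs both against a constructed in-memory order store so the difference in behaviour can be checked offline. It assumes no real Express or database: `makeRes()` is a minimal stand-in for the Express response object, `db.Orders.findOne` is a hypothetical helper over a `Map`, and `executeShipping` just records what was shipped. It also goes one step beyond the page's fix by rejecting an order that is already `SHIPPED`, so the same verified-payment order cannot be shipped twice by replaying the request.

```javascript
// Added example (not GuardAPI's code). Assumptions: in-memory store instead of
// a real database, a minimal res stand-in instead of Express, and a recording
// executeShipping() instead of a fulfilment call.

// Constructed sample data: one order whose payment completed, one still pending.
const orders = new Map([
  ['ord-100', { id: 'ord-100', paymentStatus: 'COMPLETED', status: 'PAID' }],
  ['ord-200', { id: 'ord-200', paymentStatus: 'PENDING', status: 'CREATED' }],
]);

// Hypothetical stand-in for db.Orders.findOne({ where: { id } }); the returned
// object mimics an ORM instance with an update() method that persists to the Map.
const db = {
  Orders: {
    async findOne({ where }) {
      const row = orders.get(where.id);
      if (!row) return null;
      return {
        ...row,
        async update(fields) {
          Object.assign(row, fields);
          Object.assign(this, fields);
        },
      };
    },
  },
};

// Records every order id handed to fulfilment so the tests can inspect it.
const shipped = [];
async function executeShipping(orderId) {
  shipped.push(orderId);
}

// Minimal stand-in for Express's res: captures status code and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// The vulnerable pattern: the client's own isPaid flag decides the transition.
async function shipOrderVulnerable(req, res) {
  const { orderId, isPaid } = req.body;
  if (isPaid === true) {
    await executeShipping(orderId);
    return res.status(200).json({ status: 'shipped' });
  }
  return res.status(400).json({ error: 'Payment required' });
}

// The fixed pattern: only orderId is read from the client; payment state comes
// from the stored record. The extra status check is the replay guard added here.
async function shipOrderSecure(req, res) {
  const { orderId } = req.body;
  const order = await db.Orders.findOne({ where: { id: orderId } });
  if (!order) return res.status(404).json({ error: 'Order not found' });
  if (order.paymentStatus !== 'COMPLETED') {
    return res.status(403).json({ error: 'Illegal state transition: Payment not verified' });
  }
  if (order.status === 'SHIPPED') {
    return res.status(409).json({ error: 'Illegal state transition: Order already shipped' });
  }
  await executeShipping(orderId);
  await order.update({ status: 'SHIPPED' });
  return res.status(200).json({ status: 'shipped' });
}

// Drive a handler with a JSON body; returns { status, body, shipped } for inspection.
async function run(handler, body) {
  shipped.length = 0;
  const res = makeRes();
  await handler({ body }, res);
  return { status: res.statusCode, body: res.body, shipped: [...shipped] };
}
```

Running `run(shipOrderVulnerable, { orderId: 'ord-200', isPaid: true })` ships the unpaid order with a 200, while `run(shipOrderSecure, ...)` with the same body returns 403 and ships nothing, because the handler never reads `isPaid` at all. A second secure call for `ord-100` after it has shipped returns 409, which is the state-machine property the page's rule of thumb describes: the stored record, not the request, decides which transitions are legal.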


Verified by Ghost Labs Security Team