Fix Logic Flow Bypass in Tornado
Logic flow bypasses in Tornado applications typically manifest when handlers assume a specific execution sequence without server-side state verification. Attackers exploit this by 'forceful browsing'—hitting terminal endpoints (like /api/v1/finalize_payment) while skipping prerequisite validation steps. To kill this bug class, you must implement a strict state machine and enforce state guards within the Tornado request lifecycle.
The Vulnerable Pattern
class CheckoutHandler(BaseHandler):
def post(self):
# VULNERABILITY: This handler assumes the user has already
# completed the 'shipping' and 'tax' calculation steps.
# An attacker can POST here directly to bypass payment logic.
order_id = self.get_argument('order_id')
total_price = self.get_argument('price')
self.db.execute('UPDATE orders SET status="paid", total=%s WHERE id=%s', total_price, order_id)
self.write({'status': 'confirmed'})The Secure Implementation
The fix shifts validation from the business logic layer to the RequestHandler's 'prepare()' method. This ensures that any request—regardless of the HTTP verb—is intercepted and checked against the server-side state machine. By explicitly checking that the 'order_state' is 'pending_payment', we prevent attackers from jumping straight to completion. Additionally, never allow sensitive values like 'price' to be passed via arguments; always pull the 'Source of Truth' from your database based on a validated session or ID.
class CheckoutHandler(BaseHandler):
def prepare(self):
# ENFORCEMENT: Use prepare() to validate state before any verb method runs.
self.order_id = self.get_argument('order_id')
order = self.db.get('SELECT state FROM orders WHERE id=%s', self.order_id)
# Strict State Machine: Must be in 'pending_payment' to proceed
if not order or order['state'] != 'pending_payment':
raise tornado.web.HTTPError(403, reason='Invalid workflow state transition.')
def post(self):
# Re-verify price from server-side DB, never trust client-provided totals.
actual_total = self.db.get('SELECT calculated_total FROM orders WHERE id=%s', self.order_id)
self.db.execute('UPDATE orders SET state="completed" WHERE id=%s', self.order_id)
self.write({'status': 'order_finalized'})</code></pre>
Your Tornado API
might be exposed to Logic Flow Bypass
74% of Tornado apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.