PHASE 1: FOUNDATION — UNDERSTANDING APPLICATION LOGIC AND ACCESS CONTROL (BAC) FROM FIRST PRINCIPLES


This phase dissects the core mechanics behind application logic and access control. You must deeply understand:

  1. What is application logic?
  2. How do roles, permissions, and states relate to logic?
  3. What is access control?
  4. How do access control models work?
  5. What is Broken Access Control (BAC)?
  6. Why does BAC exist even when the code seems correct?

Every vulnerability in this category stems from human decisions baked into code, not merely from syntax errors or technical flaws.


1. WHAT IS APPLICATION LOGIC?

Definition:

Application logic is the custom business rule layer that defines how data is processed, how users interact, and how different states trigger transitions.

This is everything beyond basic CRUD. Examples:

These logic rules are application-specific. That’s the key.
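An added example (not part of the original course material) of what a business-rule layer beyond basic CRUD looks like and why access control lives inside it: the order states, roles, actions and user names below are constructed assumptions. The first transition function has a perfectly correct state machine yet is broken access control, because the rule never asks who is acting; the second makes role and ownership part of the same rule.

```python
from dataclasses import dataclass, replace

# Constructed example: states, roles and actions are assumptions for illustration.
# action -> (required current state, resulting state, allowed role, must own order)
TRANSITIONS = {
    "submit":  ("draft",     "submitted", "customer",  True),
    "approve": ("submitted", "approved",  "manager",   False),
    "ship":    ("approved",  "shipped",   "warehouse", False),
}

@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    state: str

@dataclass(frozen=True)
class Actor:
    username: str
    role: str

def transition_state_only(order: Order, action: str) -> Order:
    """Broken: the state machine is right, but nobody asks who is acting."""
    current, nxt, _role, _own = TRANSITIONS[action]
    if order.state != current:
        raise ValueError(f"cannot {action} an order in state {order.state}")
    return replace(order, state=nxt)

def transition(order: Order, actor: Actor, action: str) -> Order:
    """Hardened: state, role and ownership are all part of the business rule."""
    current, nxt, role, must_own = TRANSITIONS[action]
    if actor.role != role:
        raise PermissionError(f"role {actor.role!r} may not {action}")
    if must_own and order.owner != actor.username:
        raise PermissionError(f"{actor.username} does not own order {order.order_id}")
    if order.state != current:
        raise ValueError(f"cannot {action} an order in state {order.state}")
    return replace(order, state=nxt)

def demo() -> tuple[str, str]:
    """Push alice's draft order as mallory; return (broken, hardened) outcome."""
    order = Order(order_id=1, owner="alice", state="draft")
    mallory = Actor(username="mallory", role="customer")
    broken = transition_state_only(order, "submit").state  # "submitted": no identity check
    try:
        transition(order, mallory, "submit")
        hardened = "allowed"
    except PermissionError:
        hardened = "denied"
    return broken, hardened
```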