Too Long; Didn't Read
The majority of application security problems stem from software bugs that leave the existing security controls broken.
However, even if the code is perfect, that doesn’t mean an attacker can’t exploit it.
The vulnerability can be hidden inside the business logic, not the code that powers it.
This type of vulnerability is called a business logic vulnerability. It occurs when an attacker abuses a legitimate flow of an application so that it results in negative consequences.
An example could be a contact form on a website that is used for sending out emails to the service owners. This form can be abused to send out spam messages instead of genuine support requests.