Race Conditions & Logic

Payment race conditions, price manipulation, exposed feature flags, debug routes, privilege escalation, timing attacks, open redirects, and mass assignment.

8 vulnerabilities

Race Condition in Payments

high

Read-modify-write payment operations (read the balance, check it, write the new value) without an atomic conditional update or a row lock let two concurrent requests both observe the old balance, so the same funds can be spent more than once. Wrapping the three steps in a transaction is not enough by itself: the check and the write must be a single statement (UPDATE ... WHERE balance >= amount) or the row must be locked for the duration (SELECT ... FOR UPDATE).

CWE-362 · A04:2021
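The double-spend window described above, as an added example that is not part of the original page: a deterministic simulation in which two withdrawals of the full balance interleave between the read and the write, next to an atomic conditional debit that closes the window. The in-memory `Ledger` class and the round-robin scheduler are constructed here to stand in for a real database and for two requests arriving at the same time.

```javascript
// Added example, not from the original page. The Ledger and scheduler are
// stand-ins for a database and for concurrent requests.

class Ledger {
  constructor(balances) { this.balances = { ...balances }; }
  get(account) { return this.balances[account]; }
  set(account, value) { this.balances[account] = value; }
  // Equivalent of one conditional statement such as
  //   UPDATE accounts SET balance = balance - $1
  //   WHERE id = $2 AND balance >= $1
  // Check and write happen in a single step, so no other request can observe
  // the balance between them. Returns the number of "rows affected".
  debitIfSufficient(account, amount) {
    if (this.balances[account] >= amount) {
      this.balances[account] -= amount;
      return 1;
    }
    return 0;
  }
}

// Vulnerable: read, then (after a window in which other requests run) write.
// The `yield` marks the point where another request can interleave, e.g. the
// await on a network round-trip to the database.
function* withdrawUnsafe(ledger, account, amount) {
  const balance = ledger.get(account);   // read
  yield;                                 // timing window
  if (balance < amount) return false;    // check against a stale value
  ledger.set(account, balance - amount); // write a value derived from it
  return true;
}

// Hardened: a single atomic conditional update. Success is decided on the
// current stored value, not on a value read earlier.
function* withdrawSafe(ledger, account, amount) {
  yield; // any interleaving before the update is harmless
  return ledger.debitIfSufficient(account, amount) === 1;
}

// Round-robin scheduler: advances every task one step at a time, which is the
// interleaving an attacker gets by firing the requests in parallel.
function runInterleaved(tasks) {
  const gens = tasks.map((start) => start());
  const results = new Array(gens.length).fill(undefined);
  const finished = new Array(gens.length).fill(false);
  let remaining = gens.length;
  while (remaining > 0) {
    gens.forEach((gen, i) => {
      if (finished[i]) return;
      const step = gen.next();
      if (step.done) { finished[i] = true; results[i] = step.value; remaining--; }
    });
  }
  return results;
}

// Two simultaneous withdrawals of the full balance from one account.
// Returns how many succeeded and the balance left afterwards.
function doubleSpend(withdraw) {
  const ledger = new Ledger({ alice: 100 }); // constructed sample balance
  const results = runInterleaved([
    () => withdraw(ledger, 'alice', 100),
    () => withdraw(ledger, 'alice', 100),
  ]);
  return { successes: results.filter(Boolean).length, balance: ledger.get('alice') };
}

console.log('unsafe:', doubleSpend(withdrawUnsafe)); // { successes: 2, balance: 0 }
console.log('safe:  ', doubleSpend(withdrawSafe));   // { successes: 1, balance: 0 }
```

With the unsafe version both requests read 100, both pass the check, and 200 leaves an account that held 100. The safe version lets the database decide, so the second debit sees 0 and fails.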

Price Manipulation

critical

Accepting prices from the client instead of looking them up server-side by product ID at checkout allows attackers to edit the checkout request and purchase items at any price they choose, including zero.

CWE-472 · A04:2021
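One way to total a cart without trusting the client, as an added example that is not the page's or any project's own code: only the SKU and quantity are read from the request body, the price comes from a server-side catalog, and quantities are validated as bounded positive integers. The `CATALOG`, the `MAX_QTY_PER_LINE` limit and the tampered request are constructed for the example.

```javascript
// Added example, not from the original page. CATALOG and the request bodies
// are constructed sample data.

const CATALOG = {
  'sku-101': { name: 'Keyboard', priceCents: 7999 },
  'sku-102': { name: 'Mouse', priceCents: 2999 },
};

const MAX_QTY_PER_LINE = 100; // assumed business limit

// Vulnerable: trusts item.price from the request body.
function totalFromClient(body) {
  return body.items.reduce((sum, item) => sum + item.price * item.qty, 0);
}

// Hardened: price is looked up by SKU; anything the server cannot price is
// rejected rather than silently charged at 0.
function totalFromCatalog(body) {
  if (!Array.isArray(body.items) || body.items.length === 0) {
    throw new Error('cart is empty');
  }
  let total = 0;
  for (const { sku, qty } of body.items) {
    const product = CATALOG[sku];
    if (!product) throw new Error(`unknown sku ${sku}`);
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY_PER_LINE) {
      throw new Error(`invalid quantity for ${sku}`);
    }
    total += product.priceCents * qty; // client-supplied price is never read
  }
  return total;
}

// Constructed attacker request: real SKUs, fabricated prices.
const tamperedCheckout = {
  items: [
    { sku: 'sku-101', qty: 1, price: 1 },
    { sku: 'sku-102', qty: 2, price: 0 },
  ],
};

console.log(totalFromClient(tamperedCheckout));  // 1
console.log(totalFromCatalog(tamperedCheckout)); // 13997
```

Prices are kept in integer cents so the total is exact; the same lookup-by-ID rule applies to anything else that changes the amount, such as discount codes.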

Feature Flags Exposed

low

Feature flags included in the frontend JavaScript bundle reveal unreleased features, internal testing configurations, and potential attack surfaces to anyone inspecting the code. If the flag is also evaluated only in the browser, the gated feature can be switched on from the developer tools, so the server must enforce the flag for anything that matters.

CWE-200 · A05:2021

Debug Routes in Production

medium

Development and testing routes like /debug, /test, /seed, or /api/dev left active in production expose internal data, bypass authentication checks, or allow state manipulation (reseeding or wiping data). They are usually registered unconditionally, so the fix is to register them only outside production and to verify with a route listing that none remain.

CWE-489 · A05:2021

Privilege Escalation

high

Profile update endpoints that copy role or permission fields from the request body into the user record allow any user to promote themselves to admin by adding role: 'admin' to an otherwise ordinary update request.

CWE-269 · A01:2021

Time-based Attack

medium

Using standard string comparison (=== or ==) for secrets like API keys or tokens stops at the first mismatching character, so response time depends on how long the correct prefix is. An attacker who can measure that difference (over a network this takes many samples, but it is feasible) can recover the value character by character. Compare secrets with a constant-time function such as crypto.timingSafeEqual instead.

CWE-208 · A02:2021

Open Redirect

medium

Redirecting users to a URL taken from an unvalidated query parameter (for example ?next=https://evil.example) allows attackers to craft links that start on your trusted domain and bounce the victim to a phishing page. Prefix checks on the string are not enough; the target should be parsed and restricted to your own origin.

CWE-601 · A01:2021
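A redirect-target check that goes a little beyond the entry above, as an added example that is not the page's own code: rather than testing string prefixes, it parses the parameter with the WHATWG URL parser against the site's origin and rejects anything that resolves elsewhere, which covers protocol-relative (`//evil.example`), backslash (`/\evil.example`), scheme (`javascript:`) and downgrade (`http:`) variants. `APP_ORIGIN`, `DEFAULT_PATH` and the sample inputs are assumptions.

```javascript
// Added example, not from the original page. APP_ORIGIN and DEFAULT_PATH are
// assumed values for the site doing the redirect.
const APP_ORIGIN = 'https://shop.example';
const DEFAULT_PATH = '/account';

// Returns a same-origin path to redirect to, or DEFAULT_PATH if the
// parameter is missing, unparseable, or points anywhere else.
function safeRedirectTarget(param) {
  if (typeof param !== 'string' || param.length === 0) return DEFAULT_PATH;
  let target;
  try {
    // Relative inputs resolve against our origin; absolute ones keep their own.
    target = new URL(param, APP_ORIGIN);
  } catch (e) {
    return DEFAULT_PATH;
  }
  // A different host, port or scheme (javascript: has origin "null") is rejected.
  if (target.origin !== APP_ORIGIN) return DEFAULT_PATH;
  // Return a path-only string so the Location header never carries a host.
  return target.pathname + target.search + target.hash;
}

// Constructed inputs an attacker might place in ?next=
const samples = [
  '/dashboard?tab=1',              // -> /dashboard?tab=1
  'https://shop.example/orders',   // -> /orders
  '//evil.example/login',          // -> /account
  '/\\evil.example',               // -> /account (backslash is a slash here)
  'https://evil.example/',         // -> /account
  'javascript:alert(1)',           // -> /account
  'http://shop.example/',          // -> /account (scheme downgrade)
];
for (const s of samples) console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
```

Returning a relative path also means an attacker cannot smuggle credentials into the host part (`https://shop.example@evil.example`), since that input fails the origin check before anything is echoed.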

Mass Assignment Detailed

high

Passing the entire request body directly to database create or update operations allows attackers to set any field the model has, including internal ones like verified, credits, or billing status. Copy only an explicit allowlist of client-editable fields; a denylist of known-sensitive fields breaks as soon as a new column is added.

CWE-915 · API3:2023
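The mechanism shared by the privilege escalation entry (role: 'admin' in a profile update) and this mass assignment entry, as one added example that is not the page's or any project's own code: the vulnerable spread of the whole body into the record, beside an allowlist pick that is the fix for both. `SELF_EDITABLE_FIELDS`, the user record and the attacker's JSON body are constructed for the example.

```javascript
// Added example, not from the original page. The field list, user record and
// request body are constructed sample data.

// Fields a user may change about their own profile. Everything else
// (role, verified, credits, billingStatus, ...) is server-managed.
const SELF_EDITABLE_FIELDS = ['displayName', 'email', 'locale'];

// Copy only the allowlisted own properties of body.
function pickAllowed(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Keys the client sent that are not editable; useful for returning 400
// instead of silently dropping them.
function unexpectedFields(body, allowed) {
  return Object.keys(body).filter((key) => !allowed.includes(key));
}

// Vulnerable: whatever arrived in the body is written to the record,
// i.e. the equivalent of User.update(req.body).
function updateProfileUnsafe(user, body) {
  return { ...user, ...body };
}

// Hardened: only allowlisted keys reach the record.
function updateProfileSafe(user, body) {
  return { ...user, ...pickAllowed(body, SELF_EDITABLE_FIELDS) };
}

const currentUser = {
  id: 42, displayName: 'Mallory', email: 'mallory@example.com', locale: 'en',
  role: 'user', verified: false, credits: 0,
};

// Constructed attacker request body, parsed the way a JSON middleware would.
const attackerBody = JSON.parse(
  '{"displayName":"Mallory","role":"admin","verified":true,"credits":1000000}'
);

console.log(updateProfileUnsafe(currentUser, attackerBody).role);   // admin
console.log(updateProfileSafe(currentUser, attackerBody).role);     // user
console.log(unexpectedFields(attackerBody, SELF_EDITABLE_FIELDS));  // [ 'role', 'verified', 'credits' ]
```

The same pick must be applied on create (signup) as well as on update, and a separate, admin-only allowlist is the right place for role changes rather than a special case in the user-facing handler.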