Common security issues in financial web apps
Use this reference when testing anything that moves money or value (cart/checkout, invoices, credits, refunds, discounts, subscriptions).
Common themes to look for:
- State desync between client/server or between microservices (cart vs payment vs fulfillment)
- Price/quantity/discount manipulation (rounding, negative values, duplicated coupon application)
- Workflow abuse (replay, race conditions, partial completion, refund edge cases)
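As an added illustration of the second and third themes (not part of this reference, and not any particular product's code), the Python below shows the server-side checks a checkout should perform so that price, quantity, coupon and replay manipulation has nothing to bite on: totals are recomputed from a server-held catalogue in integer cents, quantities are bounded, each coupon code counts once however often the client repeats it, the client-supplied total is only a consistency check, and an idempotency key plus a lock prevents a replayed or concurrently double-submitted request from charging twice. The catalogue, coupon table, SKUs and `MAX_QTY_PER_LINE` limit are constructed sample values.

```python
import threading
from dataclasses import dataclass

# Constructed sample catalogue and coupon table. Prices are integer cents (never
# floats) and live only on the server, so a client-supplied price is never used.
CATALOG_CENTS = {"sku-widget": 1999, "sku-gadget": 4500}
COUPON_PERCENT = {"SAVE10": 10, "HALF": 50}
MAX_QTY_PER_LINE = 100  # assumed business limit per cart line


class OrderValidationError(ValueError):
    """Raised when a cart fails server-side validation."""


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int


def compute_total_cents(lines, coupon_codes):
    """Recompute the order total from the server-side catalogue.

    Rejects an empty cart, unknown SKUs, unknown coupons and any quantity that
    is not a plain int in 1..MAX_QTY_PER_LINE (so negatives, zero, bools and
    floats all fail). Each coupon code is applied at most once regardless of
    how many times the client repeated it, and the only rounding step happens
    in integer cents, so there is no float drift to exploit.
    """
    if not lines:
        raise OrderValidationError("empty cart")
    subtotal = 0
    for line in lines:
        if line.sku not in CATALOG_CENTS:
            raise OrderValidationError(f"unknown sku {line.sku!r}")
        if type(line.qty) is not int or not 1 <= line.qty <= MAX_QTY_PER_LINE:
            raise OrderValidationError(f"bad quantity {line.qty!r} for {line.sku}")
        subtotal += CATALOG_CENTS[line.sku] * line.qty

    discount = 0
    for code in dict.fromkeys(coupon_codes):  # de-duplicate, preserve order
        pct = COUPON_PERCENT.get(code)
        if pct is None:
            raise OrderValidationError(f"unknown coupon {code!r}")
        discount += subtotal * pct // 100  # floor, in integer cents
    if discount > subtotal:
        raise OrderValidationError("discount exceeds subtotal")
    return subtotal - discount


class CheckoutService:
    """Minimal checkout that tolerates replayed and concurrent double submits.

    A production service would key the idempotency store on a database unique
    constraint; the in-process lock and dict here stand in for that.
    """

    def __init__(self):
        self._lock = threading.Lock()
        self._by_key = {}   # idempotency key -> result returned the first time
        self.charges = []   # every charge actually made, for auditing

    def checkout(self, idempotency_key, lines, coupon_codes, client_total_cents):
        with self._lock:
            if idempotency_key in self._by_key:
                # Replayed request: hand back the original result, charge nothing.
                return self._by_key[idempotency_key]
            total = compute_total_cents(lines, coupon_codes)
            # The client's total is a consistency check only, never the amount charged.
            if client_total_cents != total:
                raise OrderValidationError(
                    f"client total {client_total_cents} != server total {total}")
            result = {"order_id": f"order-{len(self._by_key) + 1}", "charged_cents": total}
            self.charges.append(total)
            self._by_key[idempotency_key] = result
            return result


if __name__ == "__main__":
    svc = CheckoutService()
    cart = [Line("sku-widget", 2)]
    first = svc.checkout("key-1", cart, ["SAVE10", "SAVE10"], 3599)
    replay = svc.checkout("key-1", cart, ["SAVE10", "SAVE10"], 3599)
    print(first, replay, "charges made:", len(svc.charges))
```

When testing a real checkout against this list, the useful comparison is which of these checks the target performs and where: a total that is recomputed in the cart service but trusted as-is by the payment service is exactly the state desync the first theme describes.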
Reference material: