Definition

Unrestricted Access to Sensitive Business Flows occurs when attackers can abuse legitimate application workflows in ways that were not intended by the system design.

It is not about broken login or missing authorization alone, but about abusing normal business processes at scale or in unintended ways.

Core idea

APIs may function correctly for normal users, but still be vulnerable if attackers can:

• Automate legitimate actions
• Bypass intended flow limitations
• Exploit logic gaps in business processes

This is a business logic vulnerability, not just a technical access issue.

What makes it different

Unlike earlier OWASP issues:

• Not just “can you access it?”
• But “can you abuse how it works?”

Common attack patterns

• OTP or password reset brute forcing
• Ticket or product reservation abuse