Business logic vulnerabilities—constituting 27 of the 40 most critical weaknesses in the OWASP Top 10—are inherently resistant to conventional fuzzing, as they stem from semantic inconsistencies rather than memory-safety violations. To address this, we propose the first human-in-the-loop, annotation-driven runtime monitoring framework: developers inject domain-specific knowledge via lightweight source-code annotations to specify expected business behaviors; the system then performs real-time, semantics-aware conformance checking against actual execution traces. Unlike heuristic-based approaches, our framework eliminates fragile inference mechanisms, enabling cross-language, portable policy modeling and seamless integration with mainstream fuzzers such as AFL++. Evaluated on diverse real-world applications, it successfully reproduces 43 known vulnerabilities and discovers 22 previously unknown ones—including 17 assigned CVEs—demonstrating substantial superiority over existing dynamic analysis tools.

Detecting business logic vulnerabilities is a critical challenge in software security. These flaws come from mistakes in an application's design or implementation and allow attackers to trigger unintended application behavior. Traditional fuzzing sanitizers for dynamic analysis excel at finding vulnerabilities related to memory safety violations but largely fail to detect business logic vulnerabilities, as these flaws require understanding application-specific semantic context. Recent attempts to infer this context, due to their reliance on heuristics and non-portable language features, are inherently brittle and incomplete. As business logic vulnerabilities constitute a majority (27/40) of the most dangerous software weaknesses in practice, this is a worrying blind spot of existing tools. In this paper, we tackle this challenge with ANOTA, a novel human-in-the-loop sanitizer framework. ANOTA introduces a lightweight, user-friendly annotation system that enables users to directly encode their domain-specific knowledge as lightweight annotations that define an application's intended behavior. A runtime execution monitor then observes program behavior, comparing it against the policies defined by the annotations, thereby identifying deviations that indicate vulnerabilities. To evaluate the effectiveness of ANOTA, we combine ANOTA with a state-of-the-art fuzzer and compare it against other popular bug finding methods compatible with the same targets. The results show that ANOTA+FUZZER outperforms them in terms of effectiveness. More specifically, ANOTA+FUZZER can successfully reproduce 43 known vulnerabilities, and discovered 22 previously unknown vulnerabilities (17 CVEs assigned) during the evaluation. These results demonstrate that ANOTA provides a practical and effective approach for uncovering complex business logic flaws often missed by traditional security testing techniques.