pentest-business-logic-abuse
Business Logic Abuse
Activation Triggers (Positive)
business logic, workflow bypass, race condition, state transition, replay, quota abuse, confused deputy, delegated execution
Exclusion Triggers (Negative)
payload fuzzing only, endpoint recon only, report polishing only
Output Schema
- Workflow model: step, required controls, bypass hypothesis
- Abuse sequence: ordered requests/events with timing notes
- Impact proof: unauthorized state change and resulting capability
Instructions
- Model intended state transitions before adversarial testing.
- Identify assumptions in sequencing, concurrency, and cross-system coordination.
- Execute minimal abuse sequences that challenge those assumptions.
- Confirm impact through observable unauthorized state or action outcomes.
- Validate whether fixes require control relocation, not only input filtering.
- Hand off only confirmed primitives for exploit execution.
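Added example, not part of the original skill: one way to write down the workflow model from the Output Schema (step, required controls, bypass hypothesis) and replay an audit log against it, so that replayed, out-of-order, or control-less transitions show up as time-stamped findings. The checkout workflow, control names, and log events are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    name: str                      # state the step moves an order into
    allowed_from: frozenset        # states it may legitimately follow
    required_controls: frozenset   # checks that must pass server-side
    bypass_hypothesis: str         # what the tester expects could go wrong

# Constructed checkout workflow (hypothetical names, not from the page).
WORKFLOW = {s.name: s for s in (
    Step("cart", frozenset({None}), frozenset(), "none (entry state)"),
    Step("paid", frozenset({"cart"}), frozenset({"payment_verified"}),
         "state advances without the payment check"),
    Step("shipped", frozenset({"paid"}), frozenset({"stock_reserved"}),
         "shipment reached from cart, or triggered twice"),
)}

# Constructed audit-log events: (timestamp_s, order_id, step, controls_passed)
SAMPLE_EVENTS = [
    (1.0, "A", "cart", set()),
    (2.0, "A", "paid", {"payment_verified"}),
    (3.0, "A", "shipped", {"stock_reserved"}),
    (3.2, "A", "shipped", {"stock_reserved"}),   # same transition again
    (1.0, "B", "cart", set()),
    (2.5, "B", "shipped", {"stock_reserved"}),   # "paid" never happened
    (1.5, "C", "cart", set()),
    (2.2, "C", "paid", set()),                   # control not recorded
]

def audit(events):
    """Replay events in time order; return (ts, order, kind, detail) findings."""
    state, findings = {}, []
    for ts, order, step, controls in sorted(events, key=lambda e: e[0]):
        model, prev = WORKFLOW.get(step), state.get(order)
        if model is None:
            findings.append((ts, order, "unknown_step", step))
            continue
        if prev == step:
            findings.append((ts, order, "replay", step))
            continue
        if prev not in model.allowed_from:
            findings.append((ts, order, "out_of_order", f"{prev}->{step}"))
        missing = model.required_controls - set(controls)
        if missing:
            findings.append((ts, order, "missing_control", ",".join(sorted(missing))))
        state[order] = step
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

A finding from this replay is only a lead until the resulting unauthorized state is observed in the system itself, and the same transition table can be enforced server-side when the fix calls for control relocation.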
Should Do
- Treat logic abuse as system-behavior testing, not payload-only testing.
- Use time-aware evidence for race and replay cases.
- Include reversible test design for stateful systems.
Should Not Do
- Do not report logic flaws without demonstrated unauthorized effect.
- Do not overuse concurrency that risks stability.
- Do not substitute theoretical abuse paths for confirmed execution evidence.