pentest-web-application-logic-mapper
Skill: pentest-web-application-logic-mapper
1. Scope & Objective
Objective: To map the application's business logic, state machines, and hidden API surface to identify logical flaws and bypasses. Scope:
- Complex multi-step workflows (checkout, registration, approval processes).
- State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
- Hidden or undocumented API endpoints and parameters.
2. Inputs & Outputs
Inputs:
- Spider/Crawl Data: List of discovered URLs and forms.
- API Documentation: Swagger/OpenAPI specs, WSDLs (if available).
- User Manuals/Help Docs: Descriptions of intended workflows.
Outputs:
- State Machine Diagram: Visualization of valid states and transitions.
- Logic Flaw Report: Identification of invalid state transitions or skipped steps.
- Hidden Surface Map: List of unlinked but accessible endpoints.
3. Success Metrics
- Workflow Bypass: Skipping a mandatory step (e.g., payment) to complete a process.
- State Manipulation: Forcing an object into an invalid or advantageous state (e.g., reopening a closed ticket).
- Hidden Feature Discovery: Accessing beta, debug, or legacy features not intended for public use.
4. Common Attack Vectors & Exploit Primitives
- Race Conditions: Sending concurrent requests to exploit timing windows (e.g., using a coupon twice).
- Business Logic Errors: Exploiting flaws in the implementation of business rules (e.g., negative quantity in cart).
- Forced Browsing: Accessing URLs directly without navigating through the UI.
- Mass Assignment: Modifying internal object properties (e.g., isAdmin, balance) by including them in the request body.
5. Security Controls to Test Against
- State Validation: Verify that the server enforces valid state transitions.
- Transactional Integrity: Ensure critical operations are atomic and consistent.
- Rate Limiting: Check for limits on sensitive actions to prevent brute-force or abuse.
6. Concrete Examples
Example 1: Skipping Payment Step
- Context: Checkout flow: Cart -> Shipping -> Payment -> Confirmation.
- Attack: Force browse directly to /checkout/confirmation after the Shipping step, skipping Payment.
- Success: Order is placed without payment processing.
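As an added illustration of the State Validation control from section 5 (example code, not from the skill or the crtvrffnrt/skills repository): the checkout flow of Example 1 expressed as an explicit server-side transition table with a payment guard, so that a forced browse to /checkout/confirmation from the Shipping step is refused. The state names, the Order fields, the function names and the 409 response code are assumptions made for illustration.

```python
# Added example, not from the skill page: the checkout flow of Example 1 as an
# explicit server-side state machine. Names and the 409 code are assumptions.
from dataclasses import dataclass, field
from typing import Optional

# Allowed transitions: each state maps to the states a client may move it to.
TRANSITIONS = {
    "cart": {"shipping"},
    "shipping": {"payment", "cart"},
    "payment": {"confirmation", "shipping"},
    "confirmation": set(),  # terminal: a placed order cannot be reopened
}

# Guards: entering these states needs evidence that the mandatory step ran.
GUARDS = {
    "confirmation": lambda o: o.payment_ref is not None,
}

class InvalidTransition(Exception):
    pass

@dataclass
class Order:
    order_id: str
    state: str = "cart"
    payment_ref: Optional[str] = None  # set by the payment processor, never by the client
    history: list = field(default_factory=list)

def advance(order, requested):
    """Move the order to `requested` only if the table and the guard allow it."""
    if requested not in TRANSITIONS:
        raise InvalidTransition(f"unknown state {requested!r}")
    if requested not in TRANSITIONS[order.state]:
        raise InvalidTransition(f"{order.state} -> {requested} is not allowed")
    guard = GUARDS.get(requested)
    if guard is not None and not guard(order):
        raise InvalidTransition(f"{requested} requires a completed payment")
    order.history.append((order.state, requested))
    order.state = requested
    return order.state

def handle_step(order, path):
    """Treat the last URL segment as the requested state; returns (status, detail)."""
    target = path.rstrip("/").rsplit("/", 1)[-1]
    try:
        return 200, advance(order, target)
    except InvalidTransition as exc:
        return 409, str(exc)  # the order stays in its current state

def transition_edges():
    """Edge list for the State Machine Diagram output of section 2."""
    return sorted((s, d) for s, ds in TRANSITIONS.items() for d in ds)
```

During a test, comparing the edges the application actually accepts against this kind of table is what exposes a transition the server never meant to allow.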
Example 2: Race Condition in Coupon Usage
- Context: Users can redeem a one-time use coupon.
- Attack: Send 10 simultaneous requests to redeem the same coupon.
- Success: Coupon is redeemed multiple times, applying the discount repeatedly.
Example 3: Mass Assignment in Profile Update
- Context: User updates profile via PUT /api/user.
- Attack: Include "role": "admin" in the JSON body.
- Success: User role is updated to "admin" due to lack of field filtering.