
pentest-web-application-logic-mapper

SKILL.md

Skill: pentest-web-application-logic-mapper

1. Scope & Objective

Objective: To map the application's business logic, state machines, and hidden API surface to identify logical flaws and bypasses.

Scope:

  • Complex multi-step workflows (checkout, registration, approval processes).
  • State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
  • Hidden or undocumented API endpoints and parameters.

2. Inputs & Outputs

Inputs:

  • Spider/Crawl Data: List of discovered URLs and forms.
  • API Documentation: Swagger/OpenAPI specs, WSDLs (if available).
  • User Manuals/Help Docs: Descriptions of intended workflows.

Outputs:

  • State Machine Diagram: Visualization of valid states and transitions.
  • Logic Flaw Report: Identification of invalid state transitions or skipped steps.
  • Hidden Surface Map: List of unlinked but accessible endpoints.

3. Success Metrics

  • Workflow Bypass: Skipping a mandatory step (e.g., payment) to complete a process.
  • State Manipulation: Forcing an object into an invalid or advantageous state (e.g., reopening a closed ticket).
  • Hidden Feature Discovery: Accessing beta, debug, or legacy features not intended for public use.

4. Common Attack Vectors & Exploit Primitives

  • Race Conditions: Sending concurrent requests to exploit timing windows (e.g., using a coupon twice).
  • Business Logic Errors: Exploiting flaws in the implementation of business rules (e.g., negative quantity in cart).
  • Forced Browsing: Accessing URLs directly without navigating through the UI.
  • Mass Assignment: Modifying internal object properties (e.g., isAdmin, balance) by including them in the request body.

5. Security Controls to Test Against

  • State Validation: Verify that the server enforces valid state transitions.
  • Transactional Integrity: Ensure critical operations are atomic and consistent.
  • Rate Limiting: Check for limits on sensitive actions to prevent brute-force or abuse.

6. Concrete Examples

Example 1: Skipping Payment Step

  • Context: Checkout flow: Cart -> Shipping -> Payment -> Confirmation.
  • Attack: Force browse directly to /checkout/confirmation after the Shipping step, skipping Payment.
  • Success: Order is placed without payment processing.

Example 2: Race Condition in Coupon Usage

  • Context: Users can redeem a one-time use coupon.
  • Attack: Send 10 simultaneous requests to redeem the same coupon.
  • Success: Coupon is redeemed multiple times, applying the discount repeatedly.

Example 3: Mass Assignment in Profile Update

  • Context: User updates profile via PUT /api/user.
  • Attack: Include "role": "admin" in the JSON body.
  • Success: User role is updated to "admin" due to lack of field filtering.
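As an added example that is not part of the original skill, the following Python shows the server-side controls that Examples 1 and 3 test against: a checkout state machine that rejects a forced browse to /checkout/confirmation before payment, and a field allow-list for PUT /api/user that drops an injected "role" key. The Order model, PROFILE_FIELDS and the function names are constructed assumptions; the stage names and endpoints come from the examples above.

```python
# Added example (not the skill's own code): server-side checks that defeat
# Example 1 (workflow bypass) and Example 3 (mass assignment).
# The Order model, PROFILE_FIELDS and function names are assumptions.
# Legal next states for Cart -> Shipping -> Payment -> Confirmation.
CHECKOUT_TRANSITIONS = {
    "cart": {"shipping"},
    "shipping": {"payment"},
    "payment": {"confirmation"},
    "confirmation": set(),
}

class InvalidTransition(Exception):
    pass

class Order:
    def __init__(self):
        self.state = "cart"
        self.paid = False

    def record_payment(self):
        # Payment can only be recorded while the order sits in the Payment stage.
        if self.state != "payment":
            raise InvalidTransition(f"cannot pay in state {self.state}")
        self.paid = True

    def advance(self, target):
        # The requested URL is untrusted: ordering is enforced on the server.
        if target not in CHECKOUT_TRANSITIONS[self.state]:
            raise InvalidTransition(f"{self.state} -> {target}")
        if target == "confirmation" and not self.paid:
            raise InvalidTransition("confirmation requires a recorded payment")
        self.state = target

def force_browse_confirmation(order):
    """Client jumps to /checkout/confirmation right after Shipping.
    Returns True only if the server accepted the skipped Payment step."""
    order.advance("shipping")
    try:
        order.advance("confirmation")
        return True
    except InvalidTransition:
        return False

# Keys a user may set via PUT /api/user; anything else (e.g. "role") is dropped.
PROFILE_FIELDS = {"display_name", "email"}

def update_profile(user, body):
    """Copy only allow-listed keys from the request body; return rejected keys."""
    for key in body.keys() & PROFILE_FIELDS:
        user[key] = body[key]
    return sorted(body.keys() - PROFILE_FIELDS)
```

The rejected-key list from update_profile is worth logging: a client sending "role" on a profile update is a signal for the detection side, not just something to silently drop.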