pentest-web-application-logic-mapper
maintained by NeverSight
star
66
account_tree
19
verified_user
MIT License
name: pentest-web-application-logic-mapper description: "Security assessment skill for mapping application business logic, state machines, and hidden API surfaces. Use when prompts include spider, crawl, state machine, hidden surface, workflow mapping, or hidden API discovery. Do not use for exploit development or final reporting only."
Skill: pentest-web-application-logic-mapper
1. Scope & Objective
Objective: To map the application's business logic, state machines, and hidden API surface to identify logical flaws and bypasses. Scope:
- Complex multi-step workflows (checkout, registration, approval processes).
- State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
- Hidden or undocumented API endpoints and parameters.
2. Inputs & Outputs
Inputs:
-
Spider/Crawl Data: List of discovered URLs and forms. -
API Documentation: Swagger/OpenAPI specs, WSDLs (if available). -
User Manuals/Help Docs: Descriptions of intended workflows.
Outputs:
-
State Machine Diagram: Visualization of valid states and transitions. -
Logic Flaw Report: Identification of invalid state transitions or skipped steps. -
Hidden Surface Map: List of unlinked but accessible endpoints.
3. Success Metrics
- Workflow Bypass: Skipping a mandatory step (e.g., payment) to complete a process.
- State Manipulation: Forcing an object into an invalid or advantageous state (e.g., reopening a closed ticket).
- Hidden Feature Discovery: Accessing beta, debug, or legacy features not intended for public use.
4. Common Attack Vectors & Exploit Primitives
- Race Conditions: Sending concurrent requests to exploit timing windows (e.g., using a coupon twice).
- Business Logic Errors: Exploiting flaws in the implementation of business rules (e.g., negative quantity in cart).
- Forced Browsing: Accessing URLs directly without navigating through the UI.
-
Mass Assignment: Modifying internal object properties (e.g.,
isAdmin,balance) by including them in the request body.
5. Security Controls to Test Against
- State Validation: Verify that the server enforces valid state transitions.
- Transactional Integrity: Ensure critical operations are atomic and consistent.
- Rate Limiting: Check for limits on sensitive actions to prevent brute-force or abuse.
6. Concrete Examples
Example 1: Skipping Payment Step
- Context: Checkout flow: Cart -> Shipping -> Payment -> Confirmation.
-
Attack: Force browse directly to
/checkout/confirmationafter the Shipping step, skipping Payment. - Success: Order is placed without payment processing.
Example 2: Race Condition in Coupon Usage
- Context: Users can redeem a one-time use coupon.
- Attack: Send 10 simultaneous requests to redeem the same coupon.
- Success: Coupon is redeemed multiple times, applying the discount repeatedly.
Example 3: Mass Assignment in Profile Update
-
Context: User updates profile via
PUT /api/user. -
Attack: Include
"role": "admin"in the JSON body. - Success: User role is updated to "admin" due to lack of field filtering.
chat Comments (0)
Sign in to join the discussion and leave a comment.
Skill Details
GitHub Stars
66
GitHub Forks
19
Created
Mar 2026
Last Updated
3 months ago
tools
tools debugging
Related Skills
Build your own?
Join 12,000+ developers contributing to the Claude ecosystem.
No comments yet. Be the first to share your thoughts!