pentest-web-application-logic-mapper | Skill Performance & Reviews | TopRankSkills

TopRank Skills

Home / Skills / tools / pentest-web-application-logic-...

pentest-web-application-logic-mapper

maintained by NeverSight

star 66 account_tree 19 verified_user MIT License
bolt View GitHub

name: pentest-web-application-logic-mapper description: "Security assessment skill for mapping application business logic, state machines, and hidden API surfaces. Use when prompts include spider, crawl, state machine, hidden surface, workflow mapping, or hidden API discovery. Do not use for exploit development or final reporting only."

Skill: pentest-web-application-logic-mapper

1. Scope & Objective

Objective: To map the application's business logic, state machines, and hidden API surface to identify logical flaws and bypasses. Scope:

  • Complex multi-step workflows (checkout, registration, approval processes).
  • State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
  • Hidden or undocumented API endpoints and parameters.

2. Inputs & Outputs

Inputs:

  • Spider/Crawl Data: List of discovered URLs and forms.
  • API Documentation: Swagger/OpenAPI specs, WSDLs (if available).
  • User Manuals/Help Docs: Descriptions of intended workflows.

Outputs:

  • State Machine Diagram: Visualization of valid states and transitions.
  • Logic Flaw Report: Identification of invalid state transitions or skipped steps.
  • Hidden Surface Map: List of unlinked but accessible endpoints.

3. Success Metrics

  • Workflow Bypass: Skipping a mandatory step (e.g., payment) to complete a process.
  • State Manipulation: Forcing an object into an invalid or advantageous state (e.g., reopening a closed ticket).
  • Hidden Feature Discovery: Accessing beta, debug, or legacy features not intended for public use.

4. Common Attack Vectors & Exploit Primitives

  • Race Conditions: Sending concurrent requests to exploit timing windows (e.g., using a coupon twice).
  • Business Logic Errors: Exploiting flaws in the implementation of business rules (e.g., negative quantity in cart).
  • Forced Browsing: Accessing URLs directly without navigating through the UI.
  • Mass Assignment: Modifying internal object properties (e.g., isAdmin, balance) by including them in the request body.

5. Security Controls to Test Against

  • State Validation: Verify that the server enforces valid state transitions.
  • Transactional Integrity: Ensure critical operations are atomic and consistent.
  • Rate Limiting: Check for limits on sensitive actions to prevent brute-force or abuse.

6. Concrete Examples

Example 1: Skipping Payment Step

  • Context: Checkout flow: Cart -> Shipping -> Payment -> Confirmation.
  • Attack: Force browse directly to /checkout/confirmation after the Shipping step, skipping Payment.
  • Success: Order is placed without payment processing.

Example 2: Race Condition in Coupon Usage

  • Context: Users can redeem a one-time use coupon.
  • Attack: Send 10 simultaneous requests to redeem the same coupon.
  • Success: Coupon is redeemed multiple times, applying the discount repeatedly.

Example 3: Mass Assignment in Profile Update

  • Context: User updates profile via PUT /api/user.
  • Attack: Include "role": "admin" in the JSON body.
  • Success: User role is updated to "admin" due to lack of field filtering.

chat Comments (0)

chat_bubble_outline

No comments yet. Be the first to share your thoughts!

Skill Details

GitHub Stars 66
GitHub Forks 19
Created Mar 2026
Last Updated 3个月前
tools tools debugging

Related Skills

fabric
chevron_right
typescript-expert
chevron_right
break-loop
chevron_right
burp-suite
chevron_right
page-behavior-audit
chevron_right

Build your own?

Join 12,000+ developers contributing to the Claude ecosystem.