business-logic

/business-logic — Business Logic & Authorization Testing

AI-driven analysis of a target application's business logic. This skill does NOT rely on the pentest CLI — instead, it uses an intelligent agent to crawl, understand, and test the application's workflows for logic flaws.

Input

The target URL is provided via $ARGUMENTS. If no URL is provided, ask the user for one.

Steps

1. Parse the target URL from $ARGUMENTS.

2. Delegate to logic-agent using the Agent tool. The agent performs the following AI-driven analysis:

   Phase 1 — Application Crawling & Understanding:

   • Crawl the target application to map out all user-facing workflows
   • Identify authentication flows, registration, password reset
   • Identify transactional workflows (purchases, transfers, bookings)
   • Identify role-based features (admin panels, user dashboards, API endpoints)
   • Map out multi-step processes (checkout, onboarding, approval chains)

   Phase 2 — IDOR Testing:

   • Identify endpoints that use sequential or predictable IDs (user IDs, order IDs, document IDs)
   • Test if incrementing/decrementing IDs returns other users' data
   • Test UUID/GUID endpoints for information disclosure
   • Check both direct object references in URLs and in API request bodies

   Phase 3 — Horizontal Privilege Escalation:

   • Test if User A can access User B's resources by swapping identifiers
   • Test if API endpoints enforce ownership validation
   • Check if changing user context (cookies, tokens) bypasses access controls

   Phase 4 — Payment & Pricing Manipulation:

   • Test if prices can be modified in client-side requests
   • Test negative quantity or negative price attacks
   • Test coupon/discount code abuse (reuse, stacking, race conditions)
   • Test currency conversion manipulation
   • Test if free trial restrictions can be bypassed

   Phase 5 — Workflow Bypass:

   • Test if multi-step processes can be completed by skipping intermediate steps
   • Test if validation on step N can be bypassed by jumping directly to step N+2
   • Test if required fields can be omitted in API requests
   • Test if approval workflows can be self-approved

   Phase 6 — Rate Limiting Bypass:

   • Test if rate limits apply consistently across endpoints
   • Test bypass techniques: IP rotation headers (X-Forwarded-For), parameter pollution, encoding variations
   • Test if rate limits reset with minor request modifications

   Phase 7 — Feature Access Control:

   • Test if premium/paid features are accessible to free-tier users
   • Test if feature flags are enforced server-side or only client-side
   • Test if API endpoints for restricted features lack authorization checks
   • Test if removing client-side restrictions exposes hidden functionality

3. Report business logic flaws with detailed exploitation scenarios:

   • For each finding: vulnerability description, affected endpoint/workflow, step-by-step reproduction, business impact
   • Severity assessment based on business impact (financial loss, data breach, compliance violation)
   • Remediation recommendations specific to each flaw

Notes

• This skill is AI-driven and does not use pentest-cli commands directly.
• The logic agent uses its understanding of common business logic patterns to identify flaws.
• Some tests (IDOR, privilege escalation) involve sending requests that may modify application state.
• Always ensure you have authorization before testing against production systems.
• Business logic flaws are often the highest-impact vulnerabilities because they cannot be detected by automated scanners.