Skill

business-logic

Tests web app business logic and authorization for flaws like IDOR, privilege escalation, workflow bypass, payment manipulation, and rate limiting using AI agent crawling.

security

testing

npx claudepluginhub sabania/pentest-cli --plugin pentest-framework

Tool Access

This skill is limited to using the following tools:

BashAgentRead

Preview

AI-driven analysis of a target application's business logic. This skill does NOT rely on the pentest CLI — instead, it uses an intelligent agent to crawl, understand, and test the application's workflows for logic flaws.

SKILL.md

Similar Skills

testing-for-business-logic-vulnerabilities

Identifies business logic flaws in web apps allowing price manipulation, workflow bypass, and privilege escalation during authorized penetration tests beyond automated scanners.

asi

testing-for-business-logic-vulnerabilities

5.9k

Tests business logic in web apps for price manipulation, workflow bypass, and privilege escalation during authorized penetration tests with Burp Suite and curl.

3 files

cybersecurity-skills

testing-for-business-logic-vulnerabilities

Tests web apps for business logic flaws enabling price manipulation, workflow bypass, and privilege escalation beyond automated scanners. Guides pentesting with Burp Suite, curl, and manual API tampering.

3 files

cybersecurity-skills-zh

Stats

Parent Repo Stars5

Parent Repo Forks0

Last CommitMar 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/business-logic — Business Logic & Authorization Testing

Input

The target URL is provided via $ARGUMENTS. If no URL is provided, ask the user for one.

Steps

Parse the target URL from $ARGUMENTS.

Delegate to logic-agent using the Agent tool. The agent performs the following AI-driven analysis:

Phase 1 — Application Crawling & Understanding:

Crawl the target application to map out all user-facing workflows
Identify authentication flows, registration, password reset
Identify transactional workflows (purchases, transfers, bookings)
Identify role-based features (admin panels, user dashboards, API endpoints)
Map out multi-step processes (checkout, onboarding, approval chains)

Phase 2 — IDOR Testing:

Identify endpoints that use sequential or predictable IDs (user IDs, order IDs, document IDs)
Test if incrementing/decrementing IDs returns other users' data
Test UUID/GUID endpoints for information disclosure
Check both direct object references in URLs and in API request bodies

Phase 3 — Horizontal Privilege Escalation:

Test if User A can access User B's resources by swapping identifiers
Test if API endpoints enforce ownership validation
Check if changing user context (cookies, tokens) bypasses access controls

Phase 4 — Payment & Pricing Manipulation:

Test if prices can be modified in client-side requests
Test negative quantity or negative price attacks
Test coupon/discount code abuse (reuse, stacking, race conditions)
Test currency conversion manipulation
Test if free trial restrictions can be bypassed

Phase 5 — Workflow Bypass:

Test if multi-step processes can be completed by skipping intermediate steps
Test if validation on step N can be bypassed by jumping directly to step N+2
Test if required fields can be omitted in API requests
Test if approval workflows can be self-approved

Phase 6 — Rate Limiting Bypass:

Test if rate limits apply consistently across endpoints
Test bypass techniques: IP rotation headers (X-Forwarded-For), parameter pollution, encoding variations
Test if rate limits reset with minor request modifications

Phase 7 — Feature Access Control:

Test if premium/paid features are accessible to free-tier users
Test if feature flags are enforced server-side or only client-side
Test if API endpoints for restricted features lack authorization checks
Test if removing client-side restrictions exposes hidden functionality

Report business logic flaws with detailed exploitation scenarios:

For each finding: vulnerability description, affected endpoint/workflow, step-by-step reproduction, business impact
Severity assessment based on business impact (financial loss, data breach, compliance violation)
Remediation recommendations specific to each flaw

Notes

This skill is AI-driven and does not use pentest-cli commands directly.

The logic agent uses its understanding of common business logic patterns to identify flaws.

Some tests (IDOR, privilege escalation) involve sending requests that may modify application state.

Always ensure you have authorization before testing against production systems.

Business logic flaws are often the highest-impact vulnerabilities because they cannot be detected by automated scanners.

/business-logic — Business Logic & Authorization Testing

Input

The target URL is provided via $ARGUMENTS. If no URL is provided, ask the user for one.

Steps

Parse the target URL from $ARGUMENTS.

Delegate to logic-agent using the Agent tool. The agent performs the following AI-driven analysis:

Phase 1 — Application Crawling & Understanding:

Crawl the target application to map out all user-facing workflows
Identify authentication flows, registration, password reset
Identify transactional workflows (purchases, transfers, bookings)
Identify role-based features (admin panels, user dashboards, API endpoints)
Map out multi-step processes (checkout, onboarding, approval chains)

Phase 2 — IDOR Testing:

Identify endpoints that use sequential or predictable IDs (user IDs, order IDs, document IDs)
Test if incrementing/decrementing IDs returns other users' data
Test UUID/GUID endpoints for information disclosure
Check both direct object references in URLs and in API request bodies

Phase 3 — Horizontal Privilege Escalation:

Test if User A can access User B's resources by swapping identifiers
Test if API endpoints enforce ownership validation
Check if changing user context (cookies, tokens) bypasses access controls

Phase 4 — Payment & Pricing Manipulation:

Test if prices can be modified in client-side requests
Test negative quantity or negative price attacks
Test coupon/discount code abuse (reuse, stacking, race conditions)
Test currency conversion manipulation
Test if free trial restrictions can be bypassed

Phase 5 — Workflow Bypass:

Test if multi-step processes can be completed by skipping intermediate steps
Test if validation on step N can be bypassed by jumping directly to step N+2
Test if required fields can be omitted in API requests
Test if approval workflows can be self-approved

Phase 6 — Rate Limiting Bypass:

Test if rate limits apply consistently across endpoints
Test bypass techniques: IP rotation headers (X-Forwarded-For), parameter pollution, encoding variations
Test if rate limits reset with minor request modifications

Phase 7 — Feature Access Control:

Test if premium/paid features are accessible to free-tier users
Test if feature flags are enforced server-side or only client-side
Test if API endpoints for restricted features lack authorization checks
Test if removing client-side restrictions exposes hidden functionality

Report business logic flaws with detailed exploitation scenarios:

For each finding: vulnerability description, affected endpoint/workflow, step-by-step reproduction, business impact
Severity assessment based on business impact (financial loss, data breach, compliance violation)
Remediation recommendations specific to each flaw

Notes

This skill is AI-driven and does not use pentest-cli commands directly.

The logic agent uses its understanding of common business logic patterns to identify flaws.

Some tests (IDOR, privilege escalation) involve sending requests that may modify application state.

Always ensure you have authorization before testing against production systems.

Business logic flaws are often the highest-impact vulnerabilities because they cannot be detected by automated scanners.