pentest-business-logic-abuse

Security assessment skill for business workflow abuse, state-machine manipulation, and control-plane logic flaws. Use when prompts include workflow bypass, race condition, replay, quota abuse, order-of-operations flaws, delegated execution abuse, or unauthorized state transitions. Do not use for pure input injection fuzzing, broad recon, or standalone report formatting tasks.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "pentest-business-logic-abuse" with this command: npx skills add crtvrffnrt/skills/crtvrffnrt-skills-pentest-business-logic-abuse

Business Logic Abuse

Activation Triggers (Positive)

  • business logic
  • workflow bypass
  • race condition
  • state transition
  • replay
  • quota abuse
  • confused deputy
  • delegated execution

Exclusion Triggers (Negative)

  • payload fuzzing only
  • endpoint recon only
  • report polishing only

Output Schema

  • Workflow model: step, required controls, bypass hypothesis
  • Abuse sequence: ordered requests/events with timing notes
  • Impact proof: unauthorized state change and resulting capability

Instructions

  1. Model intended state transitions before adversarial testing.
  2. Identify assumptions in sequencing, concurrency, and cross-system coordination.
  3. Execute minimal abuse sequences that challenge those assumptions.
  4. Confirm impact through observable unauthorized state or action outcomes.
  5. Validate whether fixes require control relocation, not only input filtering.
  6. Hand off only confirmed primitives for exploit execution.

Should Do

  • Treat logic abuse as system-behavior testing, not payload-only testing.
  • Use time-aware evidence for race and replay cases.
  • Include reversible test design for stateful systems.

Should Not Do

  • Do not report logic flaws without demonstrated unauthorized effect.
  • Do not overuse concurrency that risks stability.
  • Do not substitute theoretical abuse paths for confirmed execution evidence.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

pentest-exploit-execution-payload-control

No summary provided by upstream source.

Repository SourceNeeds Review
15-crtvrffnrt
General

pentest-gemini-az

No summary provided by upstream source.

Repository SourceNeeds Review
12-crtvrffnrt
General

pentest-input-protocol-manipulation

No summary provided by upstream source.

Repository SourceNeeds Review
12-crtvrffnrt
General

pentest-authentication-authorization-review

No summary provided by upstream source.

Repository SourceNeeds Review
12-crtvrffnrt