pentest-web-application-logic-mapper

Security assessment skill for mapping application business logic, state machines, and hidden API surfaces. Use when prompts include spider, crawl, state machine, hidden surface, workflow mapping, or hidden API discovery. Do not use for exploit development or for final reporting.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "pentest-web-application-logic-mapper" with this command: npx skills add crtvrffnrt/skills/crtvrffnrt-skills-pentest-web-application-logic-mapper

Skill: pentest-web-application-logic-mapper

1. Scope & Objective

Objective: To map the application's business logic, state machines, and hidden API surface to identify logical flaws and bypasses. Scope:

  • Complex multi-step workflows (checkout, registration, approval processes).
  • State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
  • Hidden or undocumented API endpoints and parameters.

2. Inputs & Outputs

Inputs:

  • Spider/Crawl Data: List of discovered URLs and forms.
  • API Documentation: Swagger/OpenAPI specs, WSDLs (if available).
  • User Manuals/Help Docs: Descriptions of intended workflows.

Outputs:

  • State Machine Diagram: Visualization of valid states and transitions.
  • Logic Flaw Report: Identification of invalid state transitions or skipped steps.
  • Hidden Surface Map: List of unlinked but accessible endpoints.

3. Success Metrics

  • Workflow Bypass: Skipping a mandatory step (e.g., payment) to complete a process.
  • State Manipulation: Forcing an object into an invalid or advantageous state (e.g., reopening a closed ticket).
  • Hidden Feature Discovery: Accessing beta, debug, or legacy features not intended for public use.

4. Common Attack Vectors & Exploit Primitives

  • Race Conditions: Sending concurrent requests to exploit timing windows (e.g., using a coupon twice).
  • Business Logic Errors: Exploiting flaws in the implementation of business rules (e.g., negative quantity in cart).
  • Forced Browsing: Accessing URLs directly without navigating through the UI.
  • Mass Assignment: Modifying internal object properties (e.g., isAdmin, balance) by including them in the request body.

5. Security Controls to Test Against

  • State Validation: Verify that the server enforces valid state transitions.
  • Transactional Integrity: Ensure critical operations are atomic and consistent.
  • Rate Limiting: Check for limits on sensitive actions to prevent brute-force or abuse.

6. Concrete Examples

Example 1: Skipping Payment Step

  • Context: Checkout flow: Cart -> Shipping -> Payment -> Confirmation.
  • Attack: Force-browse directly to /checkout/confirmation after the Shipping step, skipping Payment.
  • Success: Order is placed without payment processing.

Example 2: Race Condition in Coupon Usage

  • Context: Users can redeem a one-time use coupon.
  • Attack: Send 10 simultaneous requests to redeem the same coupon.
  • Success: Coupon is redeemed multiple times, applying the discount repeatedly.

Example 3: Mass Assignment in Profile Update

  • Context: User updates profile via PUT /api/user.
  • Attack: Include "role": "admin" in the JSON body.
  • Success: User role is updated to "admin" due to lack of field filtering.
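As an added example (not part of the upstream SKILL.md or its repository), the server-side checks that section 5 asks the tester to verify, written against the three concrete examples above: strict next-step validation for the checkout state machine, an atomic one-time coupon redemption, and an allow-list for profile fields. All function, field and coupon names here are assumptions.

```python
# Added example, not from the upstream SKILL.md: minimal server-side checks
# for the three logic flaws above. All names here are assumptions.
import threading

# Checkout steps in order; each state may only advance to the next one.
CHECKOUT_STEPS = ["cart", "shipping", "payment", "confirmation"]

def advance_checkout(current: str, requested: str) -> str:
    """Return the new state, or raise ValueError if 'requested' is not the step
    right after 'current' (Example 1: shipping -> confirmation is rejected)."""
    idx = CHECKOUT_STEPS.index(current)
    if idx + 1 >= len(CHECKOUT_STEPS) or CHECKOUT_STEPS[idx + 1] != requested:
        raise ValueError(f"transition {current} -> {requested} not allowed")
    return requested

# One-time coupon (Example 2): the "already used?" check and the "mark used"
# write happen under one lock, so concurrent requests cannot both win.
_coupon_lock = threading.Lock()
_redeemed: set = set()

def redeem_coupon(code: str) -> bool:
    with _coupon_lock:
        if code in _redeemed:
            return False
        _redeemed.add(code)
        return True

def concurrent_redemptions(code: str, n: int) -> int:
    """Fire n threads at redeem_coupon and return how many succeeded (expect 1)."""
    results = []
    lock = threading.Lock()
    def worker():
        ok = redeem_coupon(code)
        with lock:
            results.append(ok)
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sum(results)

# Mass assignment (Example 3): copy only allow-listed fields from the body;
# "role", "balance", "isAdmin" and anything else in the request are dropped.
PROFILE_WRITABLE = {"display_name", "email", "locale"}

def apply_profile_update(profile: dict, body: dict) -> dict:
    updated = dict(profile)
    updated.update({k: v for k, v in body.items() if k in PROFILE_WRITABLE})
    return updated
```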
