Back to skills
extension
Category: Development & EngineeringNo API key required

pentest-web-application-logic-mapper

Security assessment skill for mapping application business logic, state machines, and hidden API surfaces. Use when prompts include spider, crawl, state machine, hidden surface, workflow mapping, or hidden API discovery. Do not use for exploit development or final reporting only.

personAuthor: jakexiaohubgithub

Web Application Logic Mapper

Purpose

Map application workflows, state machines, and hidden surfaces so downstream validation starts from concrete routes, actions, and trust boundaries.

Use When

  • The owner phase is spidering, crawling, hidden route discovery, state-machine mapping, workflow modeling, or route-to-action relationship mapping.
  • Recon has found a live application surface but not enough workflow context for focused validation.

Scope

  • Complex multi-step workflows (checkout, registration, approval processes).
  • State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
  • Hidden or undocumented API endpoints and parameters.

Inputs

  • Spider/Crawl Data: List of discovered URLs and forms.
  • API Documentation: Swagger/OpenAPI specs, WSDLs (if available).
  • User Manuals/Help Docs: Descriptions of intended workflows.

Output

  • State Machine Diagram: Visualization of valid states and transitions.
  • Logic Flaw Report: Identification of invalid state transitions or skipped steps.
  • Hidden Surface Map: List of unlinked but accessible endpoints.

Success Metrics

  • Workflow Bypass: Skipping a mandatory step (e.g., payment) to complete a process.
  • State Manipulation: Forcing an object into an invalid or advantageous state (e.g., reopening a closed ticket).
  • Hidden Feature Discovery: Accessing beta, debug, or legacy features not intended for public use.

Workflow

  1. Establish identity context, session state, and scope boundaries.
  2. Map navigable routes, hidden routes, forms, APIs, and client-side calls.
  3. Link actions to objects, roles, states, and side effects.
  4. Identify trust boundaries and privileged transitions before testing abuse.
  5. Mark confirmed routes, hypotheses, rejected paths, and unknowns separately.
  6. Hand off precise targets to validation skills.

Verification Gate

  • Confirm hidden surfaces with direct, low-impact requests before treating them as reachable.
  • Use workflow controls before reporting skipped-step or invalid-transition claims.
  • Treat crawler output as a lead until manually or programmatically verified.

Common Attack Vectors and Primitives

  • Race Conditions: Sending concurrent requests to exploit timing windows (e.g., using a coupon twice).
  • Business Logic Errors: Exploiting flaws in the implementation of business rules (e.g., negative quantity in cart).
  • Forced Browsing: Accessing URLs directly without navigating through the UI.
  • Mass Assignment: Modifying internal object properties (e.g., isAdmin, balance) by including them in the request body.

Controls to Test Against

  • State Validation: Verify that the server enforces valid state transitions.
  • Transactional Integrity: Ensure critical operations are atomic and consistent.
  • Rate Limiting: Check for limits on sensitive actions to prevent brute-force or abuse.

Handoff Criteria

  • Hand off to pentest-business-logic-abuse when invalid transitions, race windows, replay, or quota abuse become the owner phase.
  • Hand off to pentest-advanced-access-control-auditor or pentest-authentication-authorization-review when route access depends on roles, ownership, sessions, or tenants.
  • Hand off to pentest-input-protocol-manipulation or pentest-xss when parser behavior or browser sinks are the main blocker.