Web Application Logic Mapper
Purpose
Map application workflows, state machines, and hidden surfaces so downstream validation starts from concrete routes, actions, and trust boundaries.
Use When
- The owner phase is spidering, crawling, hidden route discovery, state-machine mapping, workflow modeling, or route-to-action relationship mapping.
- Recon has found a live application surface but not enough workflow context for focused validation.
Scope
- Complex multi-step workflows (checkout, registration, approval processes).
- State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
- Hidden or undocumented API endpoints and parameters.
Inputs
Spider/Crawl Data: List of discovered URLs and forms.API Documentation: Swagger/OpenAPI specs, WSDLs (if available).User Manuals/Help Docs: Descriptions of intended workflows.
Output
State Machine Diagram: Visualization of valid states and transitions.Logic Flaw Report: Identification of invalid state transitions or skipped steps.Hidden Surface Map: List of unlinked but accessible endpoints.
Success Metrics
- Workflow Bypass: Skipping a mandatory step (e.g., payment) to complete a process.
- State Manipulation: Forcing an object into an invalid or advantageous state (e.g., reopening a closed ticket).
- Hidden Feature Discovery: Accessing beta, debug, or legacy features not intended for public use.
Workflow
- Establish identity context, session state, and scope boundaries.
- Map navigable routes, hidden routes, forms, APIs, and client-side calls.
- Link actions to objects, roles, states, and side effects.
- Identify trust boundaries and privileged transitions before testing abuse.
- Mark confirmed routes, hypotheses, rejected paths, and unknowns separately.
- Hand off precise targets to validation skills.
Verification Gate
- Confirm hidden surfaces with direct, low-impact requests before treating them as reachable.
- Use workflow controls before reporting skipped-step or invalid-transition claims.
- Treat crawler output as a lead until manually or programmatically verified.
Common Attack Vectors and Primitives
- Race Conditions: Sending concurrent requests to exploit timing windows (e.g., using a coupon twice).
- Business Logic Errors: Exploiting flaws in the implementation of business rules (e.g., negative quantity in cart).
- Forced Browsing: Accessing URLs directly without navigating through the UI.
- Mass Assignment: Modifying internal object properties (e.g.,
isAdmin,balance) by including them in the request body.
Controls to Test Against
- State Validation: Verify that the server enforces valid state transitions.
- Transactional Integrity: Ensure critical operations are atomic and consistent.
- Rate Limiting: Check for limits on sensitive actions to prevent brute-force or abuse.
Handoff Criteria
- Hand off to
pentest-business-logic-abusewhen invalid transitions, race windows, replay, or quota abuse become the owner phase. - Hand off to
pentest-advanced-access-control-auditororpentest-authentication-authorization-reviewwhen route access depends on roles, ownership, sessions, or tenants. - Hand off to
pentest-input-protocol-manipulationorpentest-xsswhen parser behavior or browser sinks are the main blocker.
Scan to join WeChat group