Business Logic Abuse
Use When
- The main question is workflow bypass, race condition, replay, quota abuse, confused deputy behavior, or unauthorized state transition.
- A mapped workflow has meaningful business impact if steps are reordered, skipped, repeated, or delegated.
Handoff Criteria
- Hand off to
pentest-web-application-logic-mapperwhen the workflow is not mapped well enough to test. - Hand off to
pentest-input-protocol-manipulationwhen parser or payload behavior becomes the main blocker. - Hand off to
pentest-exploit-execution-payload-controlonly after a deterministic business-logic primitive exists.
Output Schema
- Workflow model:
step,required controls,bypass hypothesis - Abuse sequence: ordered requests/events with timing notes
- Impact proof: unauthorized state change and resulting capability
Instructions
- Model intended state transitions before adversarial testing.
- Identify assumptions in sequencing, concurrency, and cross-system coordination.
- Execute minimal abuse sequences that challenge those assumptions.
- Confirm impact through observable unauthorized state or action outcomes.
- Validate whether fixes require control relocation, not only input filtering.
- Hand off only confirmed primitives for exploit execution.
Verification Gate
- Treat logic abuse as system-behavior testing, not payload-only testing.
- Use time-aware evidence for race and replay cases.
- Include reversible test design for stateful systems.
- Report logic flaws only with demonstrated unauthorized effect.
- Use controls for expected state, unauthorized state, and replay/race timing.
- Keep concurrency low and stop when capability is proven.
微信扫一扫