pentest-business-logic

Official

Find and validate business-logic vulnerabilities.

Author: jd-opensource
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Identify and test business-logic vulnerabilities that arise from flawed workflow enforcement, inadequate rule validation, and brittle state-machine behavior in applications.

Core Features & Use Cases

  • Workflow Mapping: Map multi-step processes (checkout, onboarding, approvals) from recon deliverables and source code, documenting expected state transitions and constraints.
  • Rule Extraction: Identify server-side business constraints (pricing, quantity, role gating, time-based rules, discounts) and validate that each is actually enforced.
  • Step Circumvention: Attempt to bypass prerequisite steps, reorder actions, or replay complete flows to verify server-side safeguards.
  • Data Integrity Abuse: Submit boundary and crafted inputs (negative quantities, zero prices, type confusion) to reveal validation gaps.
  • Function Limit Bypass: Test per-user or per-session limits (coupon uses, referrals, votes) under stress or parallel requests.
  • File Upload Logic: Assess file type handling and payload boundaries for uploads, including polyglot considerations.
  • Payment Testing: Validate price calculations, discounts, and payment state transitions across the flow.

Quick Start

Run a controlled business-logic security assessment on a target application by mapping workflows and validating constraints with Burp and Playwright.

Dependency Matrix

Required Modules

None required

Components

references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: pentest-business-logic
Download link: https://github.com/jd-opensource/JoySafeter/archive/main.zip#pentest-business-logic

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.