---
name: pentest-web-application-logic-mapper
description: "Security assessment skill for mapping application business logic, state machines, and hidden API surfaces. Use when prompts include spider, crawl, state machine, hidden surface, workflow mapping, or hidden API discovery. Do not use for exploit development or for final reporting."
---

## Skill: `pentest-web-application-logic-mapper`

### 1. Scope & Objective

**Objective**: Map the application's business logic, state machines, and hidden API surface in order to identify logic flaws and bypasses.

**Scope**:
- Complex multi-step workflows (checkout, registration, approval processes).
- State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
- Hidden or undocumented API endpoints and parameters.

### 2. Inputs & Outputs

**Inputs**:
- `Spider/Crawl Data`: List of discovered URLs and forms.
- `API Documentation`: Swagger/OpenAPI specs, WSDLs (if available).
- `User Manuals/Help Docs`: Descriptions of the intended workflows.

**Outputs**:
- `State Machine Diagram`: Visualization of valid states and transitions.
- `Logic Flaw Report`: Invalid state transitions or skipped steps the server accepts.
- `Hidden Surface Map`: List of endpoints that are unlinked from the UI but still accessible.

### 3. Success Metrics

- **Workflow Bypass**: Skipping a mandatory step (e.g., payment) and still completing the process.
- **State Manipulation**: Forcing an object into an invalid or advantageous state (e.g., reopening a closed ticket).
- **Hidden Feature Discovery**: Reaching beta, debug, or legacy features not intended for public use.

### 4. Common Attack Vectors & Exploit Primitives

- **Race Conditions**: Sending concurrent requests so that several arrive inside the same check-then-act window (e.g., using a one-time coupon twice).
- **Business Logic Errors**: Exploiting flaws in how business rules are implemented (e.g., a negative quantity in the cart producing a credit).
- **Forced Browsing**: Requesting URLs directly instead of reaching them through the UI.
- **Mass Assignment**: Setting internal object properties (e.g., `isAdmin`, `balance`) by including them in the request body.

### 5. Security Controls to Test Against

- **State Validation**: Verify that the server enforces valid state transitions on every request, rather than trusting the client's position in the flow.
- **Transactional Integrity**: Ensure critical operations are atomic and consistent; a read followed by a separate write is not atomic.
- **Field Allow-listing**: Only explicitly permitted request fields are bound to server-side objects.
- **Authorization on Unlinked Endpoints**: Being absent from the UI is not a control; hidden endpoints must enforce the same authorization as linked ones.
- **Rate Limiting**: Check for limits on sensitive actions to prevent brute force or abuse.

### 6. Concrete Examples

**Example 1: Skipping the Payment Step**

* **Context**: Checkout flow: Cart -> Shipping -> Payment -> Confirmation.
* **Attack**: Force-browse directly to `/checkout/confirmation` after the Shipping step, skipping Payment.
* **Success**: The order is placed without payment processing. Confirm against the server-side order record (status, payment reference), not only the rendered confirmation page.

**Example 2: Race Condition in Coupon Usage**

* **Context**: Users can redeem a one-time-use coupon.
* **Attack**: Send 10 simultaneous requests that redeem the same coupon, released together so they land inside the same timing window.
* **Success**: The coupon is redeemed multiple times and the discount is applied repeatedly.

**Example 3: Mass Assignment in Profile Update**

* **Context**: The user updates their profile via `PUT /api/user`.
* **Attack**: Include `"role": "admin"` in the JSON body.
* **Success**: The user's role is updated to "admin" because the handler does not filter fields.
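The state-validation control (Section 5) and Example 1 together, as an added example that is not part of the skill's own tooling. It models the checkout flow as an explicit transition table, puts a handler that trusts the URL as proof of progress next to one that enforces the table plus the payment precondition, reproduces the forced-browse attempt against both, and emits the State Machine Diagram output as Mermaid text. The state names, the `Order` record and the handler names are assumptions made for the illustration.

```python
"""Checkout state machine: trusting handler vs. enforced transitions (added example)."""
from dataclasses import dataclass, field

# Intended flow from Example 1: Cart -> Shipping -> Payment -> Confirmation.
# Each key maps a state to the set of states the server should accept next.
TRANSITIONS = {
    "cart": {"shipping"},
    "shipping": {"payment"},
    "payment": {"confirmed"},
    "confirmed": set(),
}


@dataclass
class Order:
    state: str = "cart"
    paid: bool = False
    history: list = field(default_factory=list)


class InvalidTransition(Exception):
    pass


def vulnerable_confirm(order):
    """Handler for /checkout/confirmation that assumes the client only reaches
    this URL after the UI walked it through Payment."""
    order.state = "confirmed"  # no check of the previous state or of payment
    order.history.append("confirmed")
    return order


def enforced_transition(order, target):
    """Server-side state validation: only edges in TRANSITIONS, plus the
    business precondition that an order cannot be confirmed unpaid."""
    if target not in TRANSITIONS[order.state]:
        raise InvalidTransition(f"{order.state} -> {target}")
    if target == "confirmed" and not order.paid:
        raise InvalidTransition("cannot confirm an unpaid order")
    order.state = target
    order.history.append(target)
    return order


def pay(order):
    order.paid = True  # stands in for a successful payment-provider callback
    return order


def forced_browse_confirmation(handler):
    """Reproduce Example 1: jump to confirmation straight from Shipping.
    Returns True when the order ends up confirmed without payment."""
    order = Order(state="shipping")  # the user legitimately reached Shipping
    try:
        handler(order)
    except InvalidTransition:
        return False
    return order.state == "confirmed" and not order.paid


def to_mermaid(transitions):
    """Render the transition table as a Mermaid state diagram (the
    State Machine Diagram output of this skill)."""
    lines = ["stateDiagram-v2"]
    for src, dsts in transitions.items():
        for dst in sorted(dsts):
            lines.append(f"    {src} --> {dst}")
    return "\n".join(lines)
```

Run `forced_browse_confirmation(vulnerable_confirm)` to see the bypass succeed, and `forced_browse_confirmation(lambda o: enforced_transition(o, "confirmed"))` to see the same request rejected; the only difference between the two handlers is that the second consults the current state on the server.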
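The race-condition primitive (Section 4), the transactional-integrity control (Section 5) and Example 2, as an added example written for this page rather than taken from the skill. A coupon store whose "is it used?" check and "mark used" write are separate steps is run against ten requests released at the same instant, beside a store that performs both inside one critical section. The coupon code, the store classes and the barrier-based test hook that holds every request between check and write are assumptions introduced to make the window reproducible; without the hook the race only shows up occasionally.

```python
"""One-time coupon redemption under concurrency: check-then-act vs. atomic (added example)."""
import threading


class CouponStoreVulnerable:
    """The read of `used` and the write to it are two separate steps, so any
    request that arrives between them passes the check as well."""

    def __init__(self, code, race_window=None):
        self.code = code
        self.used = False
        self.redemptions = []  # one entry per discount actually applied
        # Test hook (assumption for the demo): a Barrier that parks every
        # request after the check and before the write, widening the window.
        self._race_window = race_window

    def redeem(self, code):
        if code != self.code or self.used:  # (1) check
            return False
        if self._race_window is not None:
            self._race_window.wait()  # every concurrent request is now past (1)
        self.used = True  # (2) act
        self.redemptions.append(code)  # list.append is atomic in CPython
        return True


class CouponStoreAtomic:
    """Check and act inside one critical section. In a real service the lock
    is the database's job: a conditional UPDATE ... WHERE used = 0 whose
    affected-row count is checked, or a unique constraint on (coupon, order)."""

    def __init__(self, code):
        self.code = code
        self.used = False
        self.redemptions = []
        self._lock = threading.Lock()

    def redeem(self, code):
        with self._lock:
            if code != self.code or self.used:
                return False
            self.used = True
            self.redemptions.append(code)
            return True


def fire_concurrent(store, code, n=10):
    """Reproduce Example 2: n redemption requests released together.
    Returns how many the store accepted."""
    start = threading.Barrier(n)
    accepted = []

    def worker():
        start.wait()  # all threads leave the gate at the same instant
        if store.redeem(code):
            accepted.append(1)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(accepted)


def make_vulnerable_store(code, n):
    """Vulnerable store wired to hold exactly n requests in the race window."""
    return CouponStoreVulnerable(code, race_window=threading.Barrier(n))


def double_spend_demo(n=10):
    """(accepted by vulnerable store, accepted by atomic store) for n requests."""
    vulnerable = make_vulnerable_store("SAVE10", n)  # constructed coupon code
    atomic = CouponStoreAtomic("SAVE10")
    return fire_concurrent(vulnerable, "SAVE10", n), fire_concurrent(atomic, "SAVE10", n)
```

`double_spend_demo()` returns ten acceptances for the first store and one for the second. When testing a live target the equivalent check is the count of discounts on the resulting order or in the coupon's server-side usage record, not the ten HTTP 200 responses on their own.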
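The mass-assignment primitive (Section 4), the field allow-listing control (Section 5) and Example 3, as an added example that is not code from the skill. It shows a `PUT /api/user` handler that binds the JSON body straight onto the stored record beside one that rejects any key outside an allow-list, and a small probe that sends candidate internal fields with sentinel values and reports which ones actually changed the record. The user record, the allow-list and the candidate field names are constructed for the illustration.

```python
"""PUT /api/user: mass assignment vs. field allow-listing, with a probe (added example)."""
import json


def fresh_user():
    """Constructed sample record. `role`, `balance` and `id` are internal fields
    that a client must never be able to set."""
    return {
        "id": 42,
        "display_name": "alice",
        "email": "alice@example.com",
        "timezone": "UTC",
        "role": "user",
        "balance": 0,
    }


# Fields the profile form is allowed to change (assumption for the demo).
ALLOWED_FIELDS = {"display_name", "email", "timezone"}


def put_user_vulnerable(user, body):
    """Example 3's handler: every key in the body lands on the record."""
    user.update(json.loads(body))
    return 200, user


def put_user_allowlisted(user, body):
    """Hardened handler: unknown keys are rejected before anything is bound,
    so internal fields are unreachable from the request body."""
    payload = json.loads(body)
    unknown = sorted(set(payload) - ALLOWED_FIELDS)
    if unknown:
        return 400, {"error": "unknown fields", "fields": unknown}
    user.update(payload)
    return 200, user


def probe_mass_assignment(handler, candidates):
    """Mapping step: for each candidate internal field, send a normal update
    plus that field set to a sentinel and report the fields that took effect.
    A fresh record is used per probe so results do not bleed into each other."""
    baseline = fresh_user()
    accepted = []
    for field_name, sentinel in candidates.items():
        user = fresh_user()
        body = json.dumps({"display_name": "probe", field_name: sentinel})
        status, _ = handler(user, body)
        if status == 200 and user.get(field_name) == sentinel != baseline.get(field_name):
            accepted.append(field_name)
    return accepted


# Constructed candidate list: names seen in API docs, JS bundles, or responses.
CANDIDATES = {"role": "admin", "balance": 9999, "isAdmin": True, "id": 1}
```

`probe_mass_assignment(put_user_vulnerable, CANDIDATES)` reports every candidate as accepted; the allow-listed handler returns 400 for each probe and the record is untouched. Against a live target, read the field back through a separate endpoint (profile view, order history) rather than trusting the echo in the PUT response.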
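The Hidden Surface Map output (Section 2) and the hidden-feature metric (Section 3), as an added example that is not part of the skill. It takes the two inputs the skill lists, an OpenAPI-style path list and the method/URL pairs observed during the crawl, matches concrete crawled URLs against templated spec paths, and returns every documented operation the crawl never exercised, tagged when a path segment suggests admin, debug or legacy surface. The spec, the crawl output and the flagged segment list are constructed for the illustration.

```python
"""Hidden Surface Map: documented operations the crawl never reached (added example)."""
import re

# Constructed OpenAPI-style path list: template -> methods (only what the mapper needs).
SPEC_PATHS = {
    "/api/user": ["get", "put"],
    "/api/orders/{orderId}": ["get", "delete"],
    "/api/admin/export": ["get"],
    "/api/debug/config": ["get"],
    "/api/v1/coupons/{code}/redeem": ["post"],
}

# Constructed crawl output: (method, path) pairs reached by following links and forms.
CRAWLED = [
    ("GET", "/api/user"),
    ("PUT", "/api/user"),
    ("GET", "/api/orders/1234"),
    ("POST", "/api/v1/coupons/SAVE10/redeem"),
]

# Path segments that usually mark surface not meant for ordinary users (heuristic).
FLAGGED_SEGMENTS = {"admin", "debug", "internal", "beta", "legacy", "test", "staging"}


def template_to_regex(template):
    """'/api/orders/{orderId}' -> regex that matches '/api/orders/1234' but not
    '/api/orders/1/2'; literal segments are escaped, parameters match one segment."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def classify(template):
    """Flagged segments present in the path, sorted for stable output."""
    return sorted(FLAGGED_SEGMENTS & set(template.lower().split("/")))


def hidden_surface(spec_paths, crawled):
    """Operations documented in the spec but absent from the crawl, as
    (METHOD, template, tags) tuples. Each one is a forced-browsing candidate."""
    observed = [(m.upper(), p) for m, p in crawled]
    hidden = []
    for template, methods in spec_paths.items():
        rx = template_to_regex(template)
        for method in methods:
            m = method.upper()
            if not any(om == m and rx.match(op) for om, op in observed):
                hidden.append((m, template, classify(template)))
    return sorted(hidden)
```

The map is the starting point, not the finding: each entry still has to be requested live with a low-privilege session (and with no session) to confirm it is reachable, which is the forced-browsing check from Section 4. Note that `DELETE /api/orders/{orderId}` is listed without a tag; unlinked but documented destructive operations are worth the same attention as the ones whose path says `admin`.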