pentest-web-application-logic-mapper

Skill: pentest-web-application-logic-mapper

1. Scope & Objective

Objective: To map the application's business logic, state machines, and hidden API surface to identify logical flaws and bypasses.

Scope:

  • Complex multi-step workflows (checkout, registration, approval processes).
  • State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
  • Hidden or undocumented API endpoints and parameters.

2. Inputs & Outputs

Inputs:

  • Spider/Crawl Data: List of discovered URLs and forms.
  • API Documentation: Swagger/OpenAPI specs, WSDLs (if available).
  • User Manuals/Help Docs: Descriptions of intended workflows.

Outputs:

  • State Machine Diagram: Visualization of valid states and transitions.
  • Logic Flaw Report: Identification of invalid state transitions or skipped steps.
  • Hidden Surface Map: List of unlinked but accessible endpoints.
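
The following added example (not part of the skill itself) shows how a state-machine model can be checked against observed state changes to produce the findings a Logic Flaw Report lists. The state names come from the "Draft" -> "Pending" -> "Published" example above; the event format, the object ids and the rule that every object starts in "Draft" are assumptions made for illustration.

```python
# Assumed workflow model: each state maps to the states it may move to next.
# None stands for "object does not exist yet".
ALLOWED = {
    None: {"Draft"},
    "Draft": {"Pending"},
    "Pending": {"Published"},
    "Published": set(),
}

def reachable(src, dst):
    """True if dst can be reached from src through one or more allowed transitions."""
    seen, stack = set(), [src]
    while stack:
        for nxt in ALLOWED.get(stack.pop(), ()):
            if nxt == dst:
                return True
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False

def find_logic_flaws(events):
    """Replay (object_id, new_state) events and report transitions outside the model."""
    current, findings = {}, []
    for obj, new_state in events:
        prev = current.get(obj)
        if new_state not in ALLOWED.get(prev, set()):
            # A target that is valid later in the workflow means a step was skipped;
            # anything else is a transition the model never permits.
            kind = "skipped_step" if reachable(prev, new_state) else "invalid_transition"
            findings.append((obj, prev, new_state, kind))
        current[obj] = new_state  # track what the application actually accepted
    return findings

# Constructed sample events, as they might be extracted from an audit log.
EVENTS = [
    ("doc-1", "Draft"), ("doc-1", "Pending"), ("doc-1", "Published"),
    ("doc-2", "Draft"), ("doc-2", "Published"),
    ("doc-3", "Draft"), ("doc-3", "Pending"), ("doc-3", "Published"), ("doc-3", "Draft"),
    ("doc-4", "Pending"),
]

if __name__ == "__main__":
    for finding in find_logic_flaws(EVENTS):
        print(finding)
```

Each finding names the object, the state it was in, the state it moved to, and whether the move skipped a required step or is not in the model at all.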
First Seen
Feb 20, 2026
pentest-web-application-logic-mapper — crtvrffnrt/skills