Pentest Business Logic
Purpose
Identify flaws in application workflow enforcement, business rule validation, and state machine integrity that cannot be found by taint analysis or pattern matching. Finding these vulnerabilities requires understanding the application's intended behavior and then looking for deviations from it.
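To make the three flaw classes concrete, the following is an added example (not part of the joysafeter skill) of a minimal order workflow: a naive state handler that trusts the client-supplied target state beside a hardened one that enforces server-defined transitions, plus single-use and non-negative-total coupon rules. The workflow states, prices and coupon codes are assumed for illustration.

```python
from dataclasses import dataclass, field

# Assumed intended workflow: cart -> checkout -> paid -> shipped (or refunded).
ALLOWED_TRANSITIONS = {
    "cart": {"checkout"},
    "checkout": {"cart", "paid"},
    "paid": {"shipped", "refunded"},
    "shipped": set(),
    "refunded": set(),
}

@dataclass
class Order:
    state: str = "cart"
    quantity: int = 1
    unit_price_cents: int = 2500       # constructed sample price
    discount_cents: int = 0
    coupons_used: set = field(default_factory=set)

def naive_set_state(order: Order, new_state: str) -> bool:
    """Flawed handler: stores whatever target state the client sends,
    so the payment step can be skipped entirely (cart -> shipped)."""
    order.state = new_state
    return True

def enforced_set_state(order: Order, new_state: str) -> bool:
    """Hardened handler: only transitions defined server-side from the
    order's current state are accepted, and business rules are checked
    on entry to a state. A rejection here is worth logging as an
    out-of-sequence request for detection purposes."""
    if new_state not in ALLOWED_TRANSITIONS.get(order.state, set()):
        return False
    if new_state == "checkout" and order.quantity < 1:
        return False  # business rule: no zero or negative quantities
    order.state = new_state
    return True

def order_total_cents(order: Order) -> int:
    return order.quantity * order.unit_price_cents - order.discount_cents

def apply_coupon(order: Order, code: str, discount_cents: int) -> bool:
    """Business rules: a coupon code applies once per order, and a
    discount may never drive the total below zero."""
    if code in order.coupons_used:
        return False
    if discount_cents > order_total_cents(order):
        return False
    order.coupons_used.add(code)
    order.discount_cents += discount_cents
    return True
```

During testing, replaying a request with an out-of-sequence target state or a repeated coupon code against each handler shows which rules the application actually enforces.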
Prerequisites
Authorization Requirements
- Written authorization with explicit scope for business logic testing
- Test accounts at multiple privilege levels (user, admin, premium, etc.)
- Test payment methods or sandbox payment environment for financial testing
- Rollback plan for any data-mutating tests (order creation, account changes)
Environment Setup
- Burp Suite Professional with Repeater/Intruder configured
- Playwright or Selenium for multi-step browser automation
- Proxy configured to capture all application traffic
- Test data seeded for workflow testing (products, coupons, user accounts)