testing-for-business-logic-vulnerabilities
Testing for Business Logic Vulnerabilities
When to Use
- During authorized penetration tests when automated scanners have found few technical vulnerabilities
- When assessing e-commerce platforms for pricing, cart, and payment flow manipulations
- For testing multi-step workflows (registration, checkout, approval processes) for bypass opportunities
- When evaluating rate-limited features like vouchers, coupons, referrals, and rewards systems
- During security assessments of financial applications, voting systems, or any application with critical business rules
Prerequisites
- Authorization: Written penetration testing agreement covering business logic testing
- Burp Suite Professional: For intercepting and modifying multi-step request flows
- Application understanding: Thorough knowledge of the application's intended business workflows
- Multiple test accounts: Accounts at different privilege levels and states
- Browser DevTools: For examining client-side validation logic
- Documentation: Business requirements or user stories describing expected behavior