sast-businesslogic


Business Logic Vulnerability Detection

You are performing a focused security assessment to find business logic vulnerabilities in a codebase. This skill uses a three-phase approach with subagents: threat modeling (understand the domain and generate attack scenarios), batched verify (check whether scenarios are exploitable in parallel batches of 3), and merge (consolidate batch results).

Prerequisites: sast/architecture.md must exist. Run the analysis skill first if it doesn't.


What are Business Logic Vulnerabilities

Business logic vulnerabilities arise when an application's intended workflow, rules, or constraints can be manipulated to produce unintended outcomes — without exploiting technical flaws like injection or memory corruption. The attacker operates within the application's own features but uses them in ways the developers did not anticipate.

The core pattern: the application accepts input that is syntactically valid and passes authentication/authorization, but violates a business rule that was never enforced in code.

What Business Logic Vulnerabilities ARE

  • Submitting a negative quantity to a purchase endpoint, receiving a credit instead of a charge
  • Applying the same one-time discount coupon multiple times in parallel requests
  • Skipping the payment step in a multi-step checkout by replaying a later step's request
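As an added illustration that is not code from the sast-businesslogic skill, the constructed checkout handler below exhibits the first two bullets above (negative quantity, coupon applied more than once) next to a version that enforces the business rules the vulnerable one never checks; all prices, balances and coupon names are made up:

```python
"""Added example, not part of the sast-businesslogic skill: a constructed
in-memory checkout that shows the negative-quantity and coupon-reuse flaws,
beside a handler that enforces the missing business rules. All names,
prices and balances are constructed for illustration."""
import threading
from dataclasses import dataclass, field
from typing import Optional

UNIT_PRICE = 25      # constructed price per item
COUPON_VALUE = 10    # constructed one-time discount for coupon "SAVE10"


@dataclass
class Account:
    balance: int = 100
    used_coupons: set = field(default_factory=set)
    lock: threading.Lock = field(default_factory=threading.Lock)


def checkout_vulnerable(acct: Account, quantity: int, coupon: Optional[str] = None) -> int:
    # quantity is a well-formed int and the caller is already authenticated,
    # but nothing enforces "quantity > 0" or "coupon redeemable once".
    total = quantity * UNIT_PRICE
    if coupon == "SAVE10":
        total -= COUPON_VALUE          # applied on every call, no redemption record
    acct.balance -= total              # a negative quantity credits the account
    return total


def checkout_hardened(acct: Account, quantity: int, coupon: Optional[str] = None) -> int:
    if not isinstance(quantity, int) or quantity <= 0:
        raise ValueError("quantity must be a positive integer")
    total = quantity * UNIT_PRICE
    # Check-and-mark the coupon and debit the balance under one lock so two
    # parallel requests cannot both see the coupon as unused. In a real
    # service this is a DB transaction or a unique constraint on redemptions.
    with acct.lock:
        if coupon is not None:
            if coupon != "SAVE10":
                raise ValueError("unknown coupon")
            if coupon in acct.used_coupons:
                raise ValueError("coupon already redeemed")
            acct.used_coupons.add(coupon)
            total = max(total - COUPON_VALUE, 0)
        if acct.balance < total:
            raise ValueError("insufficient balance")
        acct.balance -= total
    return total
```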
Installs: 7 · GitHub Stars: 621 · First Seen: Mar 30, 2026