Pentest Business Logic
Purpose
Identify flaws in application workflow enforcement, business rule validation, and state machine integrity that cannot be found by taint analysis or pattern matching. These vulnerabilities require understanding intended behavior and finding deviations.
Prerequisites
Authorization Requirements
- Written authorization with explicit scope for business logic testing
- Test accounts at multiple privilege levels (user, admin, premium, etc.)
- Test payment methods or sandbox payment environment for financial testing
- Rollback plan for any data-mutating tests (order creation, account changes)
Environment Setup
- Burp Suite Professional with Repeater/Intruder configured
- Playwright or Selenium for multi-step browser automation
- Proxy configured to capture all application traffic
- Test data seeded for workflow testing (products, coupons, user accounts)
Core Workflow
- Workflow Mapping: Extract multi-step flows (checkout, registration, approval chains, onboarding) from recon deliverables and source code. Document expected state transitions and business constraints.
- Rule Extraction: Identify server-side business constraints — price validation, quantity limits, role-gated actions, time-based restrictions, coupon rules, referral limits.
- Step Circumvention: Skip, replay, reorder steps in multi-step workflows. Access final-step endpoints directly without completing prerequisites (WSTG-BUSL-06).
- Data Integrity Abuse: Submit negative quantities, zero-price items, boundary values, type confusion in business fields. Test forged request parameters (WSTG-BUSL-02/03).
- Function Limit Bypass: Test coupon reuse, referral loops, vote stuffing, resource exhaustion through legitimate endpoints (WSTG-BUSL-05).
- File Upload Logic: Upload unexpected file types, oversized files, polyglot files, content-type mismatch, path traversal in filenames (WSTG-BUSL-08/09).
- Payment Testing: Price manipulation at each checkout stage, currency confusion, discount stacking, partial payment abuse (WSTG-BUSL-10).
WSTG Coverage
| WSTG ID | Test Name | Status |
|---|
| WSTG-BUSL-01 | Test Business Logic Data Validation | ✅ |
| WSTG-BUSL-02 | Test Ability to Forge Requests | ✅ |
| WSTG-BUSL-03 | Test Integrity Checks | ✅ |
| WSTG-BUSL-04 | Test for Process Timing | ✅ |
| WSTG-BUSL-05 | Test Number of Times a Function Can Be Used Limits | ✅ |
| WSTG-BUSL-06 | Testing for the Circumvention of Work Flows | ✅ |
| WSTG-BUSL-07 | Test Defenses Against Application Misuse | ✅ |
| WSTG-BUSL-08 | Test Upload of Unexpected File Types | ✅ |
| WSTG-BUSL-09 | Test Upload of Malicious Files | ✅ |
| WSTG-BUSL-10 | Test Payment Functionality | ✅ |
Tool Categories
| Category | Tools | Purpose |
|---|
| Request Manipulation | Burp Repeater, Burp Intruder, mitmproxy | Modify request parameters, replay/reorder steps |
| Browser Automation | Playwright, Selenium | Multi-step workflow testing, UI interaction |
| Scripting | Python requests, aiohttp | Custom workflow abuse scripts, parallel requests |
| File Upload | custom polyglot generators, ExifTool | File type confusion, metadata injection |
| Payment Testing | Stripe test mode, PayPal sandbox | Safe payment manipulation testing |
References
references/tools.md - Tool function signatures and parametersreferences/workflows.md - Attack pattern definitions and test vectors