pentest-bizlogic (listed)

Business logic flaw hunting — price manipulation, race condition, workflow bypass, authorization edge case advisory. Triggers on business logic, bizlogic, race condition, price manipulation, workflow bypass, payment flaw, coupon abuse, refund abuse, time-of-check race.
fatihkan/badi · ★ 5 · AI & Automation · score 76
Install: claude install-skill fatihkan/badi
# pentest-bizlogic

Advisory for **business-logic vulnerabilities** automated scans miss. Requires human analysis — this skill provides methodology + checklists.

## Triggers

- "race condition test"
- "price manipulation"
- "workflow bypass"
- "coupon abuse"
- "refund flow vulnerability"
- "checkout flow analysis"

## Common Bizlogic Categories

| Category | Example | Test |
|----------|---------|------|
| Price manipulation | Change the cart price in the POST body | Negative price, decimal precision, currency mismatch |
| Race condition | 5 parallel /api/redeem-coupon | Use the coupon 2x via a race |
| Workflow bypass | POST directly to step 3 (skip 1, 2) | State machine skipping |
| Coupon abuse | Single-use coupon across multiple accounts | No coupon scope |
| Refund abuse | Refund > original | No server-side total recalc |
| Account recovery | Username + date of birth -> reset link | Missing out-of-band factor |
| Voucher generation | Voucher code predictable (sequential) | Insufficient entropy |
| MFA bypass | login_step=2 POST directly -> token | Insecure server state |
| Privilege grant | User A invites User B -> B becomes admin | Role inheritance flaw |

## Race Condition Test Pattern

```bash
# 5 parallel requests — functional reuse test
for i in {1..5}; do
  curl -X POST https://<target>/api/redeem \
    -H "Authorization: Bearer $TOKEN" \
    -d '{"coupon":"SAVE10"}' &
done
wait
# Expectation: 1 success + 4 errors
# Vulnerability: 5 successes -> coupon stacking via a
```
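The server-side counterpart to two rows of the checklist above, as an added example that is not part of the pentest-bizlogic skill: the "Race condition" row (a check-then-act coupon redeem that five concurrent requests can all pass, beside a lock-protected version that admits exactly one) and the "Price manipulation" / "Refund abuse" rows (a checkout total recomputed from the catalog so the client's `price` field is ignored, with negative quantities, currency mismatches and over-refunds rejected). `CouponStore`, `race`, `server_total`, `refund_allowed` and the `CATALOG` prices are all hypothetical names and constructed data; the `threading.Barrier` only exists to make the race reproducible in a single process.

```python
"""Defender-side examples for the bizlogic checklist (constructed; not the skill's own code)."""
import threading
from decimal import Decimal, ROUND_HALF_UP


class CouponStore:
    """In-memory single-use coupon registry (hypothetical; a real one is a DB row)."""

    def __init__(self):
        self.redeemed = set()
        self._lock = threading.Lock()

    def redeem_naive(self, code, gate=None):
        # TOCTOU: the membership check and the write are two separate steps,
        # so every request that arrives between them sees "not yet redeemed".
        if code in self.redeemed:
            return False
        if gate is not None:
            gate.wait()  # hold all racers past the check; simulates the 5 parallel curls
        self.redeemed.add(code)
        return True

    def redeem_atomic(self, code, gate=None):
        # Check and write happen under one lock (in a DB: UPDATE ... WHERE used = 0
        # and test the affected-row count), so only the first request wins.
        if gate is not None:
            gate.wait()  # all racers arrive together, then contend for the lock
        with self._lock:
            if code in self.redeemed:
                return False
            self.redeemed.add(code)
            return True


def race(redeem, code="SAVE10", parallel=5):
    """Fire `parallel` redeems at once; returns how many reported success."""
    gate = threading.Barrier(parallel, timeout=5)
    results = []
    threads = [threading.Thread(target=lambda: results.append(redeem(code, gate)))
               for _ in range(parallel)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


# Constructed catalog: the only source of truth for unit prices.
CATALOG = {"sku-1": Decimal("19.99"), "sku-2": Decimal("5.00")}


def server_total(cart_items, catalog=CATALOG, currency="USD"):
    """Recompute the order total server-side; any `price` sent by the client is ignored."""
    if currency != "USD":
        raise ValueError("currency mismatch")  # reject rather than silently convert
    total = Decimal("0")
    for item in cart_items:
        qty = int(item["qty"])
        if qty <= 0:
            raise ValueError("non-positive quantity")
        total += catalog[item["sku"]] * qty  # unknown SKU raises KeyError on purpose
    # Fixed two-decimal money arithmetic, no binary floats.
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def refund_allowed(order_total, already_refunded, requested):
    """A refund may never exceed what is still refundable on the original order."""
    return Decimal("0") < requested <= order_total - already_refunded


if __name__ == "__main__":
    print("naive redeem, 5 racers ->", race(CouponStore().redeem_naive), "successes")
    print("atomic redeem, 5 racers ->", race(CouponStore().redeem_atomic), "successes")
    cart = [{"sku": "sku-1", "qty": 2, "price": "0.01"}]  # client-supplied price is ignored
    print("server total ->", server_total(cart))
```

The naive store reproduces the "5 successes" outcome the test pattern above looks for; the atomic store returns one success and four refusals. The same shape applies to any single-use resource (vouchers, one-time tokens, inventory decrements): make the state transition a single conditional write and let the database, not the application, decide who won.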