pentest-business-logic-abuse

📁 crtvrffnrt/skills 📅 9 days ago
Total installs: 11
Weekly installs: 11
Site rank: #27755
Install command
npx skills add https://github.com/crtvrffnrt/skills --skill pentest-business-logic-abuse

Agent install distribution

gemini-cli 11
opencode 9
github-copilot 9
codex 9
kimi-cli 9
amp 9

Skill documentation

Business Logic Abuse

Activation Triggers (Positive)

  • business logic
  • workflow bypass
  • race condition
  • state transition
  • replay
  • quota abuse
  • confused deputy
  • delegated execution

Exclusion Triggers (Negative)

  • payload fuzzing only
  • endpoint recon only
  • report polishing only

Output Schema

  • Workflow model: step, required controls, bypass hypothesis
  • Abuse sequence: ordered requests/events with timing notes
  • Impact proof: unauthorized state change and resulting capability

Instructions

  1. Model intended state transitions before adversarial testing.
  2. Identify assumptions in sequencing, concurrency, and cross-system coordination.
  3. Execute minimal abuse sequences that challenge those assumptions.
  4. Confirm impact through observable unauthorized state or action outcomes.
  5. Validate whether fixes require control relocation, not only input filtering.
  6. Hand off only confirmed primitives for exploit execution.
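
One way to write down the workflow model from steps 1 and 2 and check recorded transitions against it, as an added example that is not part of the skill's own files. The order workflow, control names, event fields and audit-log sample are all constructed assumptions.

```python
# Added example: a workflow model checked against an audit trail (all names constructed).
from collections import namedtuple

Event = namedtuple("Event", "ts order_id src dst controls request_id")

# Hypothetical order workflow: allowed transition -> controls the server must enforce.
WORKFLOW = {
    ("cart", "payment_pending"): {"session_auth"},
    ("payment_pending", "paid"): {"session_auth", "payment_confirmed"},
    ("paid", "shipped"): {"staff_role"},
}

def review(events, initial="cart"):
    """Return (order_id, finding, detail) for accepted transitions that break the model."""
    findings, state, seen = [], {}, set()
    for e in sorted(events, key=lambda ev: ev.ts):
        current = state.get(e.order_id, initial)
        required = WORKFLOW.get((e.src, e.dst))
        if e.request_id in seen:
            # Same request accepted twice: the action was not single-use.
            findings.append((e.order_id, "replayed_request", e.request_id))
        elif required is None:
            findings.append((e.order_id, "undefined_transition", f"{e.src}->{e.dst}"))
        elif e.src != current:
            # Applied from a state the order had already left (race indicator).
            findings.append((e.order_id, "stale_source_state", f"{e.src} != {current}"))
        elif required - set(e.controls):
            missing = ",".join(sorted(required - set(e.controls)))
            findings.append((e.order_id, "missing_control", missing))
        seen.add(e.request_id)
        state[e.order_id] = e.dst  # record what the system actually did
    return findings

# Constructed audit-log sample: timestamps make race and replay evidence time-aware.
SAMPLE = [
    Event(1.0, "o1", "cart", "payment_pending", {"session_auth"}, "r1"),
    Event(2.0, "o1", "payment_pending", "paid", {"session_auth", "payment_confirmed"}, "r2"),
    Event(3.0, "o2", "cart", "payment_pending", {"session_auth"}, "r3"),
    Event(4.0, "o2", "payment_pending", "paid", {"session_auth"}, "r4"),
    Event(5.0, "o3", "cart", "shipped", {"session_auth"}, "r5"),
    Event(6.0, "o4", "cart", "payment_pending", {"session_auth"}, "r6"),
    Event(6.1, "o4", "cart", "payment_pending", {"session_auth"}, "r7"),
    Event(7.0, "o1", "paid", "shipped", {"staff_role"}, "r8"),
    Event(7.2, "o1", "paid", "shipped", {"staff_role"}, "r8"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Each finding names an unauthorized state change seen in the record, which is the evidence the Output Schema's "Impact proof" entry asks for.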

Should Do

  • Treat logic abuse as system-behavior testing, not payload-only testing.
  • Use time-aware evidence for race and replay cases.
  • Include reversible test design for stateful systems.

Should Not Do

  • Do not report logic flaws without demonstrated unauthorized effect.
  • Do not overuse concurrency that risks stability.
  • Do not substitute theoretical abuse paths for confirmed execution evidence.