---
name: pentest-bizlogic
description: Business logic flaw hunting — price manipulation, race condition, workflow bypass, authorization edge case advisory. Triggers on business logic, bizlogic, race condition, price manipulation, workflow bypass, payment flaw, coupon abuse, refund abuse, time-of-check race.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents bizlogic-hunter
---

# pentest-bizlogic

Advisory for **business logic vulnerabilities** that automated scanning cannot catch. Human analysis is required; this skill provides a methodology plus checklists.

## Triggers

- "race condition test"
- "price manipulation"
- "workflow bypass"
- "coupon abuse"
- "refund flow vulnerability"
- "checkout flow analysis"

## Common Bizlogic Categories

| Category | Example | Test |
|----------|---------|------|
| Price manipulation | Change the cart price in the POST body | Negative price, decimal precision, currency mismatch |
| Race condition | 5 parallel requests to /api/redeem-coupon | Coupon redeemed 2x via the race |
| Workflow bypass | POST directly to step 3 (skip 1 and 2) | State machine skipping |
| Coupon abuse | Single-use coupon redeemed from several accounts | No coupon scope |
| Refund abuse | Refund > original | No server-side total recalculation |
| Account recovery | Username + date of birth -> reset link | Out-of-band factor missing |
| Voucher generation | Voucher code predictable (sequential) | Insufficient entropy |
| MFA bypass | POST login_step=2 directly -> token | Server-side state not enforced |
| Privilege grant | User A invites User B -> B becomes admin | Role inheritance flaw |

## Race Condition Test Pattern

```bash
# 5 parallel requests: functional reuse test
for i in {1..5}; do
  curl -X POST https://<hedef>/api/redeem -H "Authorization: Bearer $TOKEN" \
       -H "Content-Type: application/json" -d '{"coupon":"SAVE10"}' &
done
wait

# Expected: 1 success + 4 errors
# Vulnerable: 5 successes -> coupon stacked via the race
```

For more control: **Turbo Intruder** (Burp), **Repeater Group "Send in parallel"** (Burp Pro 2023+).

## Price Manipulation Checklist

- [ ] Is the cart price client-side (change it in the POST body; does the server accept it)
- [ ] Currency code swap (USD -> EUR, server does not recalculate the total)
- [ ] Decimal precision (price: 1.99 -> 1.99999, which version gets saved)
- [ ] Negative quantity (qty: -1 -> negative invoice, credit issued)
- [ ] Discount > 100% (coupon with 110% discount, payable amount goes negative)
- [ ] Promo + sale edge case (two discounts stacked; is that prohibited)

## Workflow Bypass Checklist

```
Flow: signup -> verify email -> set password -> dashboard

Test:
- POST /set-password directly; can verification be skipped
- /dashboard directly, before /signup is completed
- Direct POST to /payment, skipping /cart
- Is a signed token required to go from step 2 to step 4
```

## Coupon Abuse Checklist

- [ ] Single-use coupon: `used: true` set server-side after redemption
- [ ] Per-user limit: the same account is blocked from redeeming 5 times
- [ ] Race condition: 10 parallel redeems
- [ ] Coupon stacking: multiple coupons on the same order
- [ ] Expired coupon: server-side clock validation
- [ ] Coupon scope: valid only in the electronics category (does it apply elsewhere)
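The race that the curl loop above tries to provoke, and the server-side `used` check this checklist asks for, shown as an added Python illustration (not part of this skill or any target): a check-then-write redeem handler that five concurrent requests can push past its single-use limit, beside an atomic conditional UPDATE that keeps the invariant. The coupon table, the `SAVE10` code and the forced interleaving are all constructed here.

```python
"""Single-use coupon redemption: check-then-write race vs. atomic conditional UPDATE.
Added illustration for this skill; table, SAVE10 code and forced interleaving are constructed."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed fixture: one coupon with max_uses=1, never redeemed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, max_uses INT, uses INT)")
    db.execute("INSERT INTO coupons VALUES ('SAVE10', 1, 0)")
    db.commit()
    return db

def racy_check(db: sqlite3.Connection, code: str) -> bool:
    """Vulnerable handler, step 1 (time of check): read the row, then decide."""
    row = db.execute("SELECT uses, max_uses FROM coupons WHERE code = ?", (code,)).fetchone()
    return row is not None and row[0] < row[1]

def racy_commit(db: sqlite3.Connection, code: str) -> None:
    """Vulnerable handler, step 2 (time of use): unconditional write."""
    db.execute("UPDATE coupons SET uses = uses + 1 WHERE code = ?", (code,))
    db.commit()

def parallel_racy(db: sqlite3.Connection, code: str, n: int = 5) -> int:
    """Worst-case schedule of n concurrent requests: every check runs before any
    write. Forced here so the result is deterministic; returns the success count."""
    passed = [racy_check(db, code) for _ in range(n)]
    for ok in passed:
        if ok:
            racy_commit(db, code)
    return sum(passed)

def atomic_redeem(db: sqlite3.Connection, code: str) -> bool:
    """Fixed handler: the limit check lives inside the UPDATE, so the database
    serialises it; rowcount == 1 is the only success signal the app trusts."""
    cur = db.execute(
        "UPDATE coupons SET uses = uses + 1 WHERE code = ? AND uses < max_uses", (code,)
    )
    db.commit()
    return cur.rowcount == 1

def parallel_atomic(db: sqlite3.Connection, code: str, n: int = 5) -> int:
    """Same n requests against the fixed handler; only one can win."""
    return sum(atomic_redeem(db, code) for _ in range(n))

def uses(db: sqlite3.Connection, code: str) -> int:
    return db.execute("SELECT uses FROM coupons WHERE code = ?", (code,)).fetchone()[0]
```

The racy version reports 5 successes and stores uses=5 for a max_uses=1 coupon, which is exactly the "5 successes" signal the test pattern above looks for; the atomic version reports 1.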

## Refund Flow

- [ ] Refund > original purchase (negative balance)
- [ ] Item is not returned after the refund (stock does not drop to 0)
- [ ] Refund + chargeback simultaneously
- [ ] Refund tokenization: refund_id predictable (sequential)

## Methodology Flow

```
1. Understand the application logic (simulate user behaviour)
2. Draw a state diagram (which endpoint changes which state)
3. List the state invariants (rules that must always hold)
4. Break the invariants: out-of-order, parallel, negative, edge values
5. Log what the server does (response code, state check)
6. Reproduce the PoC + report urgently
```

## Out-of-Scope

- Automated bizlogic scanning (human analysis required)
- Production data modification (test environment mandatory)
- Extra transfers for personal gain (show proof, do not perform the transfer)
