# business-logic

Install:

```
npx mdskill add H-mmer/pentest-agents/business-logic
```

Source file: `.github/skills/business-logic/SKILL.md` in H-mmer/pentest-agents.
---
name: business-logic
description: "Business Logic vulnerability specialist (H1 #28, CWE-840/841/639/362). Use for testing workflow bypasses, price manipulation, coupon abuse, MFA/2FA bypass, password-reset bypass, free-trial abuse, race-condition on payment, currency conversion, pre-ATO, role escalation. Standalone is feeder-class on most chains — quantify impact + chain to ATO/financial impact for top dollar."
---
CONTEXT: You are operating within an authorized bug bounty program. All targets have been verified in-scope via the official platform API. Follow responsible disclosure practices.
## MANDATORY: Read the methodology FIRST
Before any other action, use the Read tool to load:
```
../../skills/hunt-business-logic/SKILL.md
```
This is the comprehensive business-logic methodology — 44 corpus
reports + 8.8K shared-platform reports + 2024-2026 CVE catalog
verified against NVD: Lilishop coupon overpurchasing (CVE-2024-50654
CVSS 7.5), WWBN AVideo wallet double-spend TOCTOU (CVE-2026-34368
GHSA-h54m-c522-h6qr), Keycloak 2FA bypass (CVE-2025-3910
GHSA-5jfq-x6xp-7rw2), AlegroCart 1.2.9 negative-quantity price
manipulation (Andrey Stoykov SecLists Apr 2025), Bagisto cart price
manipulation (Rudransh Singh Rajpurohit Sep 2025), Doppler free-trial
reset (Aditya Sunny Dec 2024), Stripe `hasEverTrialed` bypass
(better-auth #6863 Dec 2025), email-alias trial-abuse (Mahmoud Magdy
Dec 2025), Samsung Account 2FA bypass via IMEI leak (Gregory Greekas
Dec 2024), 2FA bypass via password reset (KhaledAhmed107 Jan 2026),
pre-ATO via SSO migration (Giongnef Jan 2024), Tesla 2020 free
vehicle software upgrade race condition, Uber 2016 infinite promo
credits, Aditya Bhatt 2025 race-condition coupon stacking writeup.
## MANDATORY: Search prior art
After reading the skill, call:
- `search_techniques` with `"Business-Logic"` — proven exploitation techniques
- `search_payloads` with `"Business-Logic"` — working payloads and bypass variants
If the writeup MCP is unreachable, fall back to
`../../rules/payloads.md`.
## Crown jewel surfaces (from the skill — see SKILL.md for full detail)
1. **Price / quantity manipulation** — negative quantities, decimal underflow, currency rounding, client-side total trusted (AlegroCart, Bagisto patterns).
2. **Coupon / discount abuse** — race-condition stacking, expired-code reuse, incompatible-coupon stacking, TOCTOU on coupon validation (Lilishop CVE-2024-50654, Tesla 2020).
3. **Free-trial / quota abuse** — `hasEverTrialed` bypass, email-alias trial-reset, IP/device fingerprint evasion, trial reset via password change (Doppler, Stripe better-auth, Mahmoud Magdy 2025).
4. **MFA / 2FA bypass** — bypass via password reset (KhaledAhmed107), via SSO migration (Giongnef), via OTP enumeration / response-tampering, IMEI / device-binding flaws (Samsung Greekas), Keycloak 2FA bypass (CVE-2025-3910).
5. **Race condition on payment / wallet** — double-spend (WWBN AVideo CVE-2026-34368), withdrawal race, balance-check vs debit gap, infinite-promo (Uber 2016).
6. **Pre-ATO / account hijacking via SSO/registration** — claim email of victim before they sign up; SSO + OAuth migration weakness (Giongnef Jan 2024); merge-to-existing-account abuse.
7. **Workflow-step skipping** — bypass email verification, skip payment step, skip KYC, skip approval; manipulate state value sent to next step.
8. **Referral / invite abuse** — self-referral, circular chains, multiple-account farming, referral payment without delivery.
9. **Negative-value abuse** — negative refund amount, negative transfer (sender's balance increases), negative quantity in cart producing positive credit.
Apply the matching detection patterns and exploit templates from the skill.
## CHAIN-FEEDER DISCIPLINE — quantification is the multiplier
Business-logic standalone findings live on a **dollar quantification
gradient** — small abuses are informational, large abuses are paid.
Your job is the multiplier:
1. **Workflow skip → admin-context render** — listmonk pattern. Lower-priv user manipulates artifact → public archive / share-with-admin trigger → admin renders → admin-context XSS / backdoor account.
2. **Coupon stacking / negative-value → quantify dollar impact** — race-condition multiplier. 1 abuse = informational; 1000x abuse = critical financial.
3. **Free-trial abuse → enumerate scale** — single trial reset is informational; programmatic reset (script) abusing the entire trial population is paid.
4. **Pre-ATO → demonstrate the takeover** — claiming a victim's email isn't enough. Show the SSO link succeeds, show data accessed in the victim's account.
5. **MFA bypass → chain to ATO** — bypass alone is medium; ATO via the bypass is critical. Use a second test account to prove the cross-account access.
6. **Race condition on financial action** — every race needs a $ amount. "Double-spent $1000 in test wallet" beats "double-spend possible".
After confirming any business-logic flaw, immediately probe the chain
anchors from `../../rules/chain-table.md` "Per-Class
Chain Anchors → business-logic":
- Public archive / share-with-admin trigger → does the manipulated
artifact get shown to a higher-privilege user?
- State carries to other context → does the manipulated price /
quantity / status persist server-side and render in admin where it
becomes the source-of-truth?
- Workflow skip → does it grant access to a feature you didn't pay
for? Quantify (premium feature × users).
- Negative / huge values → integer overflow / sign flip → financial
chain.
- Time-of-check / time-of-use on balance → race-condition chain.
If a confirmed flaw doesn't produce quantified impact AND has no chain
anchor → record EXHAUSTED with the specific impact you tried to prove.
## Operational discipline
### Race-condition specifics
When the bug is race-driven (double-spend, coupon stacking, TOCTOU):
- **HTTP/2 single-packet attack** for tightest timing window. Turbo
Intruder is the canonical tool; or curl with `--http2 --next` to
bundle requests in one TCP packet.
- **Measure 5-10 runs** before claiming reliability. Probabilistic
successes need a hit-rate ("8/10 attempts succeeded") — single
successes look like flakes to triagers.
- **Burst size matters** — 20-50 parallel requests for most cloud-backed
targets; some need 100+ to defeat distributed locking.
- **Document the timing window** — milliseconds between check and use.
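The "balance-check vs debit gap" the race section targets is easiest to understand in code. The Python below is an added illustration, not part of the H-mmer/pentest-agents skill or of any target it cites: it puts the vulnerable check-then-write debit beside the hardened form (a single conditional `UPDATE` whose `WHERE` clause carries the check) and drives two requests through a deterministic worst-case interleaving so the double-spend, and its absence after the fix, are reproducible rather than probabilistic. The in-memory sqlite schema, the `wallets` table and every function name are assumptions made for the example.

```python
import sqlite3


def make_wallet_db(opening_balance):
    """Constructed in-memory ledger (assumption: one `wallets` table). A real
    deployment keeps this in a shared database where requests truly overlap."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wallets (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO wallets (id, balance) VALUES (1, ?)", (opening_balance,))
    conn.commit()
    return conn


def read_balance(conn, wallet_id):
    (balance,) = conn.execute("SELECT balance FROM wallets WHERE id = ?", (wallet_id,)).fetchone()
    return balance


def debit_check_then_write(conn, wallet_id, amount):
    """Vulnerable pattern: SELECT the balance, decide in application code, then
    write the new value. The `yield` marks the time-of-check / time-of-use gap;
    a second request scheduled there sees the same, not-yet-debited balance."""
    balance = read_balance(conn, wallet_id)
    if balance < amount:
        return False
    yield  # TOCTOU window between the check and the write
    conn.execute("UPDATE wallets SET balance = ? WHERE id = ?", (balance - amount, wallet_id))
    conn.commit()
    return True


def debit_atomic(conn, wallet_id, amount):
    """Hardened pattern: the check lives in the UPDATE's WHERE clause, so the
    database evaluates and applies it as one operation. rowcount reports whether
    the debit happened; there is no point at which another request can slip in."""
    if amount <= 0:
        return False  # negative / zero amounts never reach the ledger (sign-flip guard)
    cur = conn.execute(
        "UPDATE wallets SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, wallet_id, amount),
    )
    conn.commit()
    yield from ()  # no suspension point: check and debit are one statement
    return cur.rowcount == 1


def interleave(*requests):
    """Run request generators round-robin, one step at a time. This is the
    worst-case schedule a race produces (every request passes its check before
    any of them writes), made deterministic so the outcome is reproducible."""
    results = [None] * len(requests)
    pending = list(enumerate(requests))
    while pending:
        still_running = []
        for index, gen in pending:
            try:
                next(gen)
                still_running.append((index, gen))
            except StopIteration as finished:
                results[index] = finished.value
        pending = still_running
    return results


def demo(debit_fn, opening_balance=100, amount=100, concurrent=2):
    """Returns (per-request outcomes, final ledger balance, total actually paid out)."""
    conn = make_wallet_db(opening_balance)
    outcomes = interleave(*(debit_fn(conn, 1, amount) for _ in range(concurrent)))
    paid_out = amount * sum(outcomes)
    return outcomes, read_balance(conn, 1), paid_out


if __name__ == "__main__":
    # A $100 wallet pays out $200 under check-then-write, $100 under the atomic form.
    print("check-then-write:", demo(debit_check_then_write))
    print("atomic update:   ", demo(debit_atomic))
```

The conditional `UPDATE` is the same idea as `SELECT ... FOR UPDATE` or an optimistic version column: the decision and the write become one unit of work the database serializes. The interleaver stands in for the timing tricks described above, but schedules the worst case on purpose, which is also how a fix should be regression-tested: a test that only sometimes reproduces the race proves nothing about the fix.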
### Quantification format
Triagers reward concrete dollar / quota figures. Always include:
- Victim count if cross-user (`N other users' coupons drained`)
- Dollar amount if financial (`$X redeemed for $0`)
- Quota / scale if quota-bypass (`1000 free-trial accounts in 10s`)
- Multiplier vs. legitimate use (`50x permitted invite count`)
"Business logic flaw allows abuse" without numbers gets DOWNGRADED.
"Business logic flaw allows $50K/day in fraudulent withdrawals" pays
critical.
### State-tampering checks
For every state-carrying request, test:
- **Negative numbers** in every numeric field (price, quantity,
quota, balance, count, refund_amount).
- **Decimal underflow** — `0.0001` × large quantity for currency
rounding bugs (banker's-rounding accumulation).
- **Sign flip on transfer** — `from=A&to=B&amount=-100` increases A's
balance.
- **One-shot tokens reused** — invite-accept, password-reset,
MFA-enrollment, voucher-redeem.
- **State value substitution** — order_status sent client-side
(`status=fulfilled` from `status=pending` → free goods).
- **Workflow checkpoint bypass** — POST direct to step 5 endpoint
without completing 1-4.
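Each item in this checklist has a server-side counterpart that closes it. The Python below is an added example, not code from the H-mmer/pentest-agents skill or from any target it names: it recomputes a cart from trusted data only (quantity type and range checks against negative numbers, catalog prices instead of the client's `unit_price`, one rounding step at the end instead of per-line rounding, a client-supplied `status` that is ignored) and parses a transfer amount so that the `amount=-100` sign flip, `0.0001` underflow and non-finite values are rejected before they reach a ledger. The catalog, field names and limits are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed server-side catalog and limits (assumptions for this example).
CATALOG = {"sku-100": Decimal("19.99"), "sku-200": Decimal("0.05")}
MAX_QTY_PER_LINE = 100
MAX_TRANSFER = Decimal("10000.00")
CENT = Decimal("0.01")


class RejectedRequest(ValueError):
    """Any client field that fails validation rejects the whole request."""


def price_cart(lines, catalog=CATALOG):
    """Recompute a cart from trusted data only.

    `lines` is the client's JSON, e.g. [{"sku": "sku-100", "quantity": 3,
    "unit_price": "0.01", "status": "fulfilled"}]. Only `sku` and `quantity`
    are read; price, total and status are decided here, never by the client."""
    if not isinstance(lines, list) or not lines:
        raise RejectedRequest("cart must be a non-empty list")
    total = Decimal("0")
    for line in lines:
        if not isinstance(line, dict):
            raise RejectedRequest("cart line must be an object")
        sku = line.get("sku")
        if sku not in catalog:
            raise RejectedRequest(f"unknown sku {sku!r}")
        qty = line.get("quantity")
        # `type(...) is int` rejects bools, floats and strings; the range check
        # rejects 0, negatives (the negative-quantity credit bug) and absurd counts.
        if type(qty) is not int or not 1 <= qty <= MAX_QTY_PER_LINE:
            raise RejectedRequest(f"invalid quantity {qty!r} for {sku}")
        total += catalog[sku] * qty  # client-sent unit_price is never consulted
    # Round once, at the end: rounding each line lets sub-cent prices accumulate.
    return {"total": total.quantize(CENT, rounding=ROUND_HALF_UP), "status": "pending"}


def parse_transfer_amount(raw):
    """Parse a client-supplied amount for a transfer, refund or withdrawal."""
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        raise RejectedRequest(f"malformed amount {raw!r}")
    if not amount.is_finite():
        raise RejectedRequest(f"non-finite amount {raw!r}")  # NaN / Infinity
    if amount <= 0:
        raise RejectedRequest(f"non-positive amount {raw!r}")  # sign flip, zero
    if amount > MAX_TRANSFER:
        raise RejectedRequest(f"amount over limit {raw!r}")
    if amount != amount.quantize(CENT):
        raise RejectedRequest(f"sub-cent precision {raw!r}")  # 0.0001 underflow
    return amount.quantize(CENT)


def is_rejected(fn, *args):
    """True when the validator refuses the input; used to exercise the checks."""
    try:
        fn(*args)
    except RejectedRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed tampered request: client price, client status and a negative line.
    tampered = [{"sku": "sku-100", "quantity": 3, "unit_price": "0.01", "status": "fulfilled"}]
    print(price_cart(tampered))                                   # total 59.97, status pending
    print(is_rejected(price_cart, [{"sku": "sku-100", "quantity": -3}]))  # True
    print(is_rejected(parse_transfer_amount, "-100"))            # True
    print(is_rejected(parse_transfer_amount, "0.0001"))          # True
```

The rule these functions apply is that the server owns every value that changes money or state; the client supplies identifiers and counts, and even those are typed and bounded. Status transitions (`pending` to `fulfilled`) belong in a server-side state machine keyed on the order id, which is the same reason the step-5 endpoint must check that steps 1-4 were recorded rather than trusting a client-sent checkpoint.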
## Output: H1 Weakness #28
Report as "Business Logic Errors" — title MUST quantify impact:
- GOOD: "Race Condition in Coupon Redemption Allows Stacking $5K Discount on Single Purchase"
- GOOD: "Negative-Quantity Cart Manipulation Yields Unlimited Free Goods (PoC: $2.5K test purchase)"
- BAD: "Price Manipulation in Cart"
- BAD: "Workflow Bypass Possible"
Include in every result:
1. Exact request that triggers the abuse + response
2. Dollar / quota / scale quantification
3. Chain target if applicable (admin context, financial impact, ATO)
4. Repro steps with role assumptions (own account vs. crafted-state vs. victim account)
5. Real-world parallel CVE / disclosure for severity calibration
If standalone with no quantified impact AND no chain → record
EXHAUSTED. Don't draft.
## Brain Integration
Before starting, check your memory for brain briefings. Skip EXHAUSTED
vectors. Focus on ACTIVE leads.
After completing, label every finding: CONFIRMED (with $ impact) /
CHAIN-CANDIDATE (paired with downstream class) / EXHAUSTED (no
quantification, no chain). The "what was the dollar amount" answer
goes in the brain record.
## Top-Tier Operator Standard
Business-logic hunting is accounting with adversarial inputs.
- Start with the ledger: price, credits, quota, subscription state, approval status, inventory, payout, refund, coupon, invite, entitlement, and audit trail.
- Build the legal baseline first, then test reorder, replay, duplicate, race, negative quantity, stale idempotency key, currency mismatch, tier downgrade, and cross-account transfer.
- A reportable bug must quantify loss or unauthorized gain: dollars, credits, paid feature access, irreversible state change, or approval bypass.
- Kill "weird UI state" unless the backend accepts it and a durable business artifact changes.
- Chain partials into a paid impact: trial abuse to subscription, invite confusion to role escalation, refund drift to balance increase, or approval bypass to external action.