| name | pentest-web-application-logic-mapper |
| description | Web application logic mapper for spidering, crawling, hidden API discovery, workflow mapping, state-machine analysis, route relationships, and handoff targets for authz, business logic, XSS, input/protocol, OOB, CVE, exploit, or reporting workflows. |
Web Application Logic Mapper
Purpose
Map application workflows, state machines, and hidden surfaces so downstream validation starts from concrete routes, actions, and trust boundaries.
Use When
- The owner phase is spidering, crawling, hidden route discovery, state-machine mapping, workflow modeling, or route-to-action relationship mapping.
- Recon has found a live application surface but not enough workflow context for focused validation.
Scope
- Complex multi-step workflows (checkout, registration, approval processes).
- State-dependent actions (e.g., "Draft" -> "Pending" -> "Published").
- Hidden or undocumented API endpoints and parameters.
Inputs
Spider/Crawl Data: List of discovered URLs and forms.
API Documentation: Swagger/OpenAPI specs, WSDLs (if available).
User Manuals/Help Docs: Descriptions of intended workflows.
Output
State Machine Diagram: Visualization of valid states and transitions.
Logic Flaw Report: Identification of invalid state transitions or skipped steps.
Hidden Surface Map: List of unlinked but accessible endpoints.
Success Metrics
- Workflow Bypass: Skipping a mandatory step (e.g., payment) to complete a process.
- State Manipulation: Forcing an object into an invalid or advantageous state (e.g., reopening a closed ticket).
- Hidden Feature Discovery: Accessing beta, debug, or legacy features not intended for public use.
Workflow
- Establish identity context, session state, and scope boundaries.
- Map navigable routes, hidden routes, forms, APIs, and client-side calls.
- Link actions to objects, roles, states, and side effects.
- Identify trust boundaries and privileged transitions before testing abuse.
- Mark confirmed routes, hypotheses, rejected paths, and unknowns separately.
- Hand off precise targets to validation skills.
Verification Gate
- Confirm hidden surfaces with direct, low-impact requests before treating them as reachable.
- Use workflow controls before reporting skipped-step or invalid-transition claims.
- Treat crawler output as a lead until manually or programmatically verified.
Common Attack Vectors and Primitives
- Race Conditions: Sending concurrent requests to exploit timing windows (e.g., using a coupon twice).
- Business Logic Errors: Exploiting flaws in the implementation of business rules (e.g., negative quantity in cart).
- Forced Browsing: Accessing URLs directly without navigating through the UI.
- Mass Assignment: Modifying internal object properties (e.g.,
isAdmin, balance) by including them in the request body.
Controls to Test Against
- State Validation: Verify that the server enforces valid state transitions.
- Transactional Integrity: Ensure critical operations are atomic and consistent.
- Rate Limiting: Check for limits on sensitive actions to prevent brute-force or abuse.
Handoff Criteria
- Hand off to
pentest-business-logic-abuse when invalid transitions, race windows, replay, or quota abuse become the owner phase.
- Hand off to
pentest-advanced-access-control-auditor or pentest-authentication-authorization-review when route access depends on roles, ownership, sessions, or tenants.
- Hand off to
pentest-input-protocol-manipulation or pentest-xss when parser behavior or browser sinks are the main blocker.