원클릭으로
sc-business-logic
Business logic flaw detection — price manipulation, workflow bypass, race conditions, and abuse vectors
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Business logic flaw detection — price manipulation, workflow bypass, race conditions, and abuse vectors
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-business-logic |
| description | Business logic flaw detection — price manipulation, workflow bypass, race conditions, and abuse vectors |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects business logic vulnerabilities that arise from flawed application workflows rather than technical implementation errors. Covers price/quantity manipulation, coupon abuse, workflow step bypassing, negative value attacks, account enumeration, and reward system abuse. These vulnerabilities cannot be detected by pattern matching alone — they require understanding of the application's intended behavior.
Called by sc-orchestrator during Phase 2. Runs against web applications with business workflows.
"price", "amount", "quantity", "discount", "coupon",
"total", "balance", "credit", "transfer", "payment",
"checkout", "cart", "order", "refund", "reward",
"referral", "bonus", "limit", "quota", "threshold"
1. Price/Quantity Manipulation:
// VULNERABLE: Trusting client-side price
app.post('/checkout', (req, res) => {
const total = req.body.items.reduce((sum, item) =>
sum + item.price * item.quantity, 0 // Client sends price!
);
charge(req.user, total);
});
// SAFE: Server-side price lookup
app.post('/checkout', (req, res) => {
const total = await Promise.all(req.body.items.map(async item => {
const product = await Product.findById(item.productId);
return product.price * item.quantity;
})).then(prices => prices.reduce((a, b) => a + b, 0));
});
2. Negative Quantity/Amount:
# VULNERABLE: No negative check
def transfer(request):
amount = int(request.POST['amount']) # amount = -1000
sender.balance -= amount # Adds 1000!
receiver.balance += amount # Subtracts 1000!
# SAFE
amount = int(request.POST['amount'])
if amount <= 0:
raise ValidationError("Amount must be positive")
3. Workflow Step Bypass:
// VULNERABLE: Can skip directly to confirmation without payment
app.post('/order/confirm', auth, (req, res) => {
Order.update(req.body.orderId, { status: 'confirmed' });
});
// SAFE: Verify payment was completed
app.post('/order/confirm', auth, async (req, res) => {
const order = await Order.findById(req.body.orderId);
if (order.status !== 'paid') {
return res.status(400).json({ error: 'Payment required' });
}
order.status = 'confirmed';
await order.save();
});
4. Coupon/Discount Abuse: Check for: single-use coupons applied multiple times, percentage discounts exceeding 100%, stacking multiple exclusive coupons, applying expired coupons.
5. Account Enumeration: Different responses for "user not found" vs "wrong password" reveals account existence.