Run any Skill in Manus with one click

$pwd:

pentest-business-logic

Name: Pentest Business Logic
Author: jd-opensource

// Business logic vulnerability testing — workflow bypass, payment manipulation, state machine abuse, and function limit circumvention per WSTG-BUSL.

Run Skill in Manus

$ git log --oneline --stat

stars:276

forks:53

updated:February 11, 2026 at 09:17

File Explorer

3 files

SKILL.md

readonly

name	pentest-business-logic
description	Business logic vulnerability testing — workflow bypass, payment manipulation, state machine abuse, and function limit circumvention per WSTG-BUSL.

Pentest Business Logic

Purpose

Identify flaws in application workflow enforcement, business rule validation, and state machine integrity that cannot be found by taint analysis or pattern matching. These vulnerabilities require understanding intended behavior and finding deviations.

Prerequisites

Authorization Requirements

Written authorization with explicit scope for business logic testing
Test accounts at multiple privilege levels (user, admin, premium, etc.)
Test payment methods or sandbox payment environment for financial testing
Rollback plan for any data-mutating tests (order creation, account changes)

Environment Setup

Burp Suite Professional with Repeater/Intruder configured
Playwright or Selenium for multi-step browser automation
Proxy configured to capture all application traffic
Test data seeded for workflow testing (products, coupons, user accounts)

Core Workflow

Workflow Mapping: Extract multi-step flows (checkout, registration, approval chains, onboarding) from recon deliverables and source code. Document expected state transitions and business constraints.
Rule Extraction: Identify server-side business constraints — price validation, quantity limits, role-gated actions, time-based restrictions, coupon rules, referral limits.
Step Circumvention: Skip, replay, reorder steps in multi-step workflows. Access final-step endpoints directly without completing prerequisites (WSTG-BUSL-06).
Data Integrity Abuse: Submit negative quantities, zero-price items, boundary values, type confusion in business fields. Test forged request parameters (WSTG-BUSL-02/03).
Function Limit Bypass: Test coupon reuse, referral loops, vote stuffing, resource exhaustion through legitimate endpoints (WSTG-BUSL-05).
File Upload Logic: Upload unexpected file types, oversized files, polyglot files, content-type mismatch, path traversal in filenames (WSTG-BUSL-08/09).
Payment Testing: Price manipulation at each checkout stage, currency confusion, discount stacking, partial payment abuse (WSTG-BUSL-10).

WSTG Coverage

WSTG ID	Test Name	Status
WSTG-BUSL-01	Test Business Logic Data Validation	✅
WSTG-BUSL-02	Test Ability to Forge Requests	✅
WSTG-BUSL-03	Test Integrity Checks	✅
WSTG-BUSL-04	Test for Process Timing	✅
WSTG-BUSL-05	Test Number of Times a Function Can Be Used Limits	✅
WSTG-BUSL-06	Testing for the Circumvention of Work Flows	✅
WSTG-BUSL-07	Test Defenses Against Application Misuse	✅
WSTG-BUSL-08	Test Upload of Unexpected File Types	✅
WSTG-BUSL-09	Test Upload of Malicious Files	✅
WSTG-BUSL-10	Test Payment Functionality	✅

Tool Categories

Category	Tools	Purpose
Request Manipulation	Burp Repeater, Burp Intruder, mitmproxy	Modify request parameters, replay/reorder steps
Browser Automation	Playwright, Selenium	Multi-step workflow testing, UI interaction
Scripting	Python requests, aiohttp	Custom workflow abuse scripts, parallel requests
File Upload	custom polyglot generators, ExifTool	File type confusion, metadata injection
Payment Testing	Stripe test mode, PayPal sandbox	Safe payment manipulation testing

References

references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors

related-skills.json

same repository

skill-creator.md

from "jd-opensource/JoySafeter"

Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends an agent's capabilities with specialized knowledge, workflows, or tool integrations.

2026-03-26276

openclaw-security-checker.md

from "jd-opensource/JoySafeter"

OpenClaw 安全检测工具，基于安全实践指南验证配置安全、权限隔离、网络策略、日志审计和运行时完整性

2026-03-13276

openclaw-threat-detect.md

from "jd-opensource/JoySafeter"

OpenClaw 攻击模式检测工具，识别数据外传、反弹Shell、文件泄露、Prompt注入、供应链投毒等高危行为，支持 MITRE ATT&CK 映射

2026-03-13276

skill-security-auditor.md

from "jd-opensource/JoySafeter"

OpenClaw Skills 全方位安全审计工具，检测供应链投毒、Prompt注入、恶意代码模式、权限越权和依赖风险

2026-03-13276

planning-with-files.md

from "jd-opensource/JoySafeter"

Implements Manus-style file-based planning for complex tasks. Creates task_plan.md, findings.md, and progress.md. Use when starting complex multi-step tasks, research projects, or any task requiring >5 tool calls. Now with automatic session recovery after /clear.

2026-02-13276

pentest-ai-llm-security.md

from "jd-opensource/JoySafeter"

AI/LLM application security testing — prompt injection, jailbreaking, data exfiltration, and insecure output handling per OWASP LLM Top 10.

2026-02-11276

package.json

"author": "jd-opensource"

"repository": "jd-opensource/JoySafeter"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

Pentest Business Logic

Purpose

Prerequisites

Authorization Requirements

Written authorization with explicit scope for business logic testing

Test accounts at multiple privilege levels (user, admin, premium, etc.)

Test payment methods or sandbox payment environment for financial testing

Rollback plan for any data-mutating tests (order creation, account changes)

Environment Setup

Burp Suite Professional with Repeater/Intruder configured

Playwright or Selenium for multi-step browser automation

Proxy configured to capture all application traffic

Test data seeded for workflow testing (products, coupons, user accounts)

Core Workflow

Workflow Mapping: Extract multi-step flows (checkout, registration, approval chains, onboarding) from recon deliverables and source code. Document expected state transitions and business constraints.

Rule Extraction: Identify server-side business constraints — price validation, quantity limits, role-gated actions, time-based restrictions, coupon rules, referral limits.

Step Circumvention: Skip, replay, reorder steps in multi-step workflows. Access final-step endpoints directly without completing prerequisites (WSTG-BUSL-06).

Data Integrity Abuse: Submit negative quantities, zero-price items, boundary values, type confusion in business fields. Test forged request parameters (WSTG-BUSL-02/03).

Function Limit Bypass: Test coupon reuse, referral loops, vote stuffing, resource exhaustion through legitimate endpoints (WSTG-BUSL-05).

File Upload Logic: Upload unexpected file types, oversized files, polyglot files, content-type mismatch, path traversal in filenames (WSTG-BUSL-08/09).

Payment Testing: Price manipulation at each checkout stage, currency confusion, discount stacking, partial payment abuse (WSTG-BUSL-10).

WSTG Coverage

WSTG ID

Test Name

Status

WSTG-BUSL-01

Test Business Logic Data Validation

✅

WSTG-BUSL-02

Test Ability to Forge Requests

✅

WSTG-BUSL-03

Test Integrity Checks

✅

WSTG-BUSL-04

Test for Process Timing

✅

WSTG-BUSL-05

Test Number of Times a Function Can Be Used Limits

✅

WSTG-BUSL-06

Testing for the Circumvention of Work Flows

✅

WSTG-BUSL-07

Test Defenses Against Application Misuse

✅

WSTG-BUSL-08

Test Upload of Unexpected File Types

✅

WSTG-BUSL-09

Test Upload of Malicious Files

✅

WSTG-BUSL-10

Test Payment Functionality

✅

Tool Categories

pentest-business-logic

Pentest Business Logic

Purpose

Prerequisites

Authorization Requirements

Environment Setup

Core Workflow

WSTG Coverage

Tool Categories

References

More from this repository

More from this repository

Pentest Business Logic

Purpose

Prerequisites

Authorization Requirements

Environment Setup

Core Workflow

WSTG Coverage

Tool Categories

References