web-app-logic
Web application logic testing - business logic flaws, race conditions, access control, cache poisoning/deception, and information disclosure.
Stars: 273 | Forks: 50 | Updated: May 15, 2026 at 16:48
SKILL.md
| name | web-app-logic |
|---|---|
| description | Web application logic testing - business logic flaws, race conditions, access control, cache poisoning/deception, and information disclosure. |
Web Application Logic
Test for logic flaws and application-specific vulnerabilities that automated scanners miss.
Techniques
| Type | Key Vectors |
|---|---|
| Business Logic | Workflow bypass, price manipulation, feature abuse |
| Race Conditions | TOCTOU, limit bypass, double-spend, parallel requests |
| Access Control | IDOR, horizontal/vertical privilege escalation, forced browsing |
| Cache Poisoning | Unkeyed headers/parameters, fat GET, response splitting |
| Cache Deception | Path confusion, static extension tricks, normalization |
| Info Disclosure | Error messages, debug endpoints, source code, metadata |
Workflow
- Map application workflows and business rules
- Identify state-dependent operations and trust boundaries
- Test logic assumptions with edge cases and race conditions
- Verify access control across user roles
- Document impact with PoC demonstrations
Reference
- reference/business-logic*.md - Business logic testing techniques
- reference/race-conditions*.md - Race condition exploitation
- reference/access-control*.md - Access control bypass methods
- reference/web-cache-poisoning*.md - Cache poisoning techniques
- reference/web-cache-deception*.md - Cache deception attacks
- reference/information-disclosure*.md - Information disclosure testing