
Business Logic Vuln
Route penetration testing toward workflow, pricing, and state-machine flaws instead of only input injection.
Overview
Business Logic Vuln is an agent skill most often used in the Ship phase (and for prototype hardening in Validate) that routes security work toward state-machine, pricing, and workflow abuse instead of parser-level input injection.
Install
npx skills add https://github.com/yaklang/hack-skills --skill business-logic-vuln
What is this skill?
- P1 entry router for coupons, inventory, payment, approvals, quotas, invites, trials, and state transitions
- Maps check-then-act windows, sequence dependencies, and missing cross-step authorization
- 3-step recommended flow: map states → probe timing/sequence → hand off to api-sec, auth-sec, or file-access routers
- Explicitly excludes parser-level injection in favor of when and which business conditions are enforced
- Links to Business Logic Vulnerabilities deep skill plus api-sec, auth-sec, and file-access-vuln categories
- 4 related category router skills in the skill map
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are pentesting or reviewing an app but keep defaulting to XSS and SQLi while coupons, payments, and approvals might fail on timing and business rules.
Who is it for?
Solo builders shipping transactional APIs, checkout flows, or admin approval workflows who need a repeatable logic-vuln checklist.
Skip if: your work is pure static analysis of dependency CVEs, or your team only needs OWASP Top 10 injection tests and has no commerce or state workflows.
When should I use this skill?
Workflow abuse, race conditions, pricing flaws, or multi-step state attacks matter more than parser-level input injection, and the targets involve coupons, inventory, payment, approvals, quotas, invites, trials, or state transitions.
What do I get? / Deliverables
You get a structured map of states and one-time actions, prioritized logic-flaw hypotheses, and clear handoffs to api-sec, auth-sec, or file-access-vuln when the exploit path leaves pure business logic.
- Business state and one-time-action map
- Logic-flaw hypothesis list with router handoffs
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship → Security where pre-release abuse-case testing and hardening live for solo builders shipping APIs and transactional apps. Business-logic routing targets authorization gaps, race windows, and multi-step abuse before production—not generic syntax validation.
Where it fits
Sketch abuse cases for invite-only beta before wiring final payment webhooks.
Run pre-launch logic tests on trial extension and quota enforcement endpoints.
After a refund exploit report, re-map one-time actions and cross-step auth on the fix branch.
How it compares
Use as a category router before diving into generic api-sec when the bug class is who can act when—not malformed payloads.
Common Questions / FAQ
Who is business-logic-vuln for?
Indie and solo builders, security-minded developers, and agent-assisted pentesters working on SaaS, marketplaces, or apps with payments, coupons, quotas, and multi-step approvals.
When should I use business-logic-vuln?
During Ship security review before release, when Validate prototype flows need abuse-case design, or in Operate after a pricing or inventory incident—whenever workflow abuse matters more than parser injection.
Is business-logic-vuln safe to install?
It is documentation-style routing for authorized testing on systems you own or are permitted to test; review the Security Audits panel on this Prism page and only run probes in legal scope.
Workflow Chain
Then invoke: business logic vulnerabilities
SKILL.md - Business Logic Vuln
# Business Logic Router

This is the routing entry point for business-logic and state-machine issues.

## When to Use

- The target involves coupons, inventory, payment, approvals, quotas, invites, trials, or state transitions
- The issue is not parser-level; it is about when checks happen and which business conditions are checked
- You suspect race conditions, workflow bypass, price tampering, negative values, stacked discounts, or multi-step flaws

## Skill Map

- [Business Logic Vulnerabilities](../business-logic-vulnerabilities/SKILL.md)

## Recommended Flow

1. First map key business states and one-time actions
2. Then check for check-then-act windows, sequence dependencies, or missing cross-step authorization
3. If the chain depends on APIs, uploads, or object permissions, return to the corresponding router skill to complete the path

## Related Categories

- [api-sec](../api-sec/SKILL.md)
- [auth-sec](../auth-sec/SKILL.md)
- [file-access-vuln](../file-access-vuln/SKILL.md)
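As an added example that is not part of the yaklang/hack-skills skill or its SKILL.md, the toy checkout below makes the probes in the Recommended Flow concrete: a single-use coupon redeemed through a check-then-act window beside the atomic conditional update that closes it, an order state machine that rejects skipped steps (sequence dependency) and wrong-role transitions (cross-step authorization), and a server-side price computation that refuses negative quantities and caps stacked discounts. The coupon table, order states, role names, catalog prices and the 50% cap are assumptions chosen for illustration, not anything the skill prescribes.

```python
"""Toy checkout used to make the router's probes concrete.
Added example for this page; not code from yaklang/hack-skills.
The coupon table, order states, role names and prices are assumptions."""
import sqlite3


class LogicError(Exception):
    """A business rule was violated (not a parser or syntax error)."""


# ---- Probe 1: check-then-act window on a one-time action -------------------

def make_db():
    # Constructed sample data: one single-use coupon, not yet redeemed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, redeemed INTEGER NOT NULL)")
    db.execute("INSERT INTO coupons VALUES ('SAVE20', 0)")
    db.commit()
    return db


def redeem_racy(db, code):
    """Vulnerable: the check (SELECT) and the act (UPDATE) are two statements.
    Returns the 'act' step as a callable so two requests can be interleaved
    deterministically at the window between them."""
    row = db.execute("SELECT redeemed FROM coupons WHERE code = ?", (code,)).fetchone()
    unused = row is not None and row[0] == 0

    def act():
        if not unused:
            return False
        db.execute("UPDATE coupons SET redeemed = 1 WHERE code = ?", (code,))
        return True
    return act


def redeem_atomic(db, code):
    """Hardened: check and act are one conditional UPDATE; rowcount says who won.
    Same callable shape as redeem_racy so the harness can run either."""
    cur = db.execute(
        "UPDATE coupons SET redeemed = 1 WHERE code = ? AND redeemed = 0", (code,))
    won = cur.rowcount == 1
    return lambda: won


def race_two_requests(redeem, db, code):
    """Run both requests' check steps first, then both act steps.
    Returns how many discounts were granted for a single-use code."""
    acts = [redeem(db, code) for _ in range(2)]
    return sum(1 for act in acts if act())


# ---- Probes 2 and 3: sequence dependencies and cross-step authorization ----

# Every legal step and the role allowed to take it. Anything not listed
# (e.g. created -> shipped, skipping payment) is a sequence violation.
ORDER_FLOW = {
    ("created", "paid"): {"customer"},
    ("paid", "shipped"): {"warehouse"},
    ("shipped", "refunded"): {"support"},
}


def transition(order, to_state, actor_role):
    key = (order["state"], to_state)
    if key not in ORDER_FLOW:                     # sequence dependency
        raise LogicError(f"{order['state']} -> {to_state} is not a legal step")
    if actor_role not in ORDER_FLOW[key]:         # cross-step authorization
        raise LogicError(f"{actor_role} may not move an order to {to_state}")
    order["state"] = to_state
    return order


def probe_sequence(order, attempts):
    """Replay (to_state, actor_role) attempts against the state machine.
    Returns the final state and the attempts that were rejected."""
    rejected = []
    for to_state, role in attempts:
        try:
            transition(order, to_state, role)
        except LogicError:
            rejected.append((to_state, role))
    return order["state"], rejected


# ---- Price tampering: negative values and stacked discounts ---------------

CATALOG = {"widget": 1999, "gadget": 4950}   # assumed prices, in cents
MAX_STACKED_PCT = 50                          # assumed policy cap


def total_cents(lines, discount_pcts):
    """Server-side total; the client never submits a price. Rejects
    non-positive quantities and caps the combined percentage discount."""
    subtotal = 0
    for sku, qty in lines:
        if qty <= 0:
            raise LogicError(f"quantity for {sku} must be positive")
        subtotal += CATALOG[sku] * qty
    pct = min(sum(discount_pcts), MAX_STACKED_PCT)
    return subtotal * (100 - pct) // 100


if __name__ == "__main__":
    print("racy grants:", race_two_requests(redeem_racy, make_db(), "SAVE20"))      # 2
    print("atomic grants:", race_two_requests(redeem_atomic, make_db(), "SAVE20"))  # 1
    print(probe_sequence({"state": "created"}, [
        ("shipped", "warehouse"), ("paid", "customer"), ("shipped", "warehouse"),
        ("refunded", "customer"), ("refunded", "support")]))
    print(total_cents([("widget", 2), ("gadget", 1)], [20, 20, 20]))
```

The interleaving harness stands in for two concurrent HTTP requests: in a real engagement the same effect comes from firing the redemption twice within the window, and the fix is the same shape as `redeem_atomic`, a single conditional write whose affected-row count decides the outcome, not a lock taken around a separate read. The state machine shows why step 2 of the flow asks for both checks: `created -> shipped` fails on sequence even with the right role, while `shipped -> refunded` by a customer fails only on authorization.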