mirror of
https://github.com/0x5t4l1n/hunting.git
synced 2026-05-26 11:35:51 +00:00
Restructure repository: Remove OWASP categorization, organize by vulnerability type
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
@@ -0,0 +1,27 @@
|
||||
# Business Logic Vulnerabilities
|
||||
|
||||
## Description
|
||||
Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. These vulnerabilities occur when the application's legitimate processing flow can be used in a way that results in a negative consequence to the organization.
|
||||
|
||||
## Common Issues
|
||||
- Insufficient workflow validation
|
||||
- Price manipulation
|
||||
- Quantity manipulation
|
||||
- Race conditions
|
||||
- Bypassing business rules
|
||||
- Abuse of functionality
|
||||
- Lack of rate limiting
|
||||
|
||||
## Common Attack Vectors
|
||||
- Payment processing
|
||||
- Discount/coupon systems
|
||||
- Account creation/management
|
||||
- Transaction processing
|
||||
- File upload limits
|
||||
- Resource allocation
|
||||
|
||||
## Testing Approach
|
||||
Understand the application's business logic and test for ways to manipulate or bypass intended workflows and rules.
|
||||
|
||||
## Payloads
|
||||
See `business-logic-payloads.txt` for a comprehensive list of business logic testing scenarios and payloads.
|
||||
@@ -0,0 +1,46 @@
|
||||
# Business Logic Testing Payloads
|
||||
|
||||
# Price manipulation
|
||||
price=-1
|
||||
price=0
|
||||
price=0.01
|
||||
amount=-1000
|
||||
quantity=-5
|
||||
|
||||
# Discount abuse
|
||||
discount=100
|
||||
discount=999
|
||||
coupon=UNLIMITED
|
||||
promo_code=TEST999
|
||||
|
||||
# Race condition payloads
|
||||
# Send multiple simultaneous requests to:
|
||||
POST /transfer (with same account balance)
|
||||
POST /redeem (with same coupon code)
|
||||
POST /purchase (with same limited item)
|
||||
|
||||
# Workflow bypass attempts
|
||||
step=1
|
||||
step=3
|
||||
skip_step=true
|
||||
status=completed
|
||||
payment_status=paid
|
||||
|
||||
# Account enumeration
|
||||
username=admin
|
||||
username=administrator
|
||||
username=test
|
||||
email=admin@example.com
|
||||
reset_token=00000000-0000-0000-0000-000000000000
|
||||
|
||||
# Rate limiting tests
|
||||
# Send 1000 requests in 1 second
|
||||
# Send 100 login attempts
|
||||
# Send 50 password reset requests
|
||||
|
||||
# Authentication bypass patterns
|
||||
2fa_enabled=false
|
||||
verified=true
|
||||
is_admin=true
|
||||
role=admin
|
||||
skip_verification=true
|
||||
Reference in New Issue
Block a user