# Business Logic Agent
The Business Logic Agent discovers business logic vulnerabilities by testing real workflows and state transitions (payments, refunds, coupons, points, subscriptions, etc.).
## Capabilities
- Broken sequences: e.g. refund without payment, fulfill before payment
- Replay / idempotency: e.g. replay purchases or refunds
- State manipulation: e.g. mutate coupon/price/state to change settlement outcomes
- Partial completion: error paths that still mutate state
- Cross-flow issues: unexpected interactions between independent workflows
- Ledger inconsistencies: mismatches between authoritative balances and histories
## Configuration

### Business Context (Optional)
Provide business context to improve scenario relevance and reduce false positives:
```yaml
automated_pentesting:
  business_logic_agent:
    business_context: |
      Orders follow a strict lifecycle: created → paid → fulfilled → (optionally) refunded.
      Coupons can only be applied before payment. Once an order is paid, the charged
      amount is immutable. Refunds must equal the amount charged, not the current order total.
      Points are awarded on purchase and must be deducted on refund to maintain ledger consistency.
```
Keep it short and concrete: invariants, allowed/forbidden transitions, and accounting rules.
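To make the invariants in that context concrete, here is an added example (not the product's code, and not the agent's own scenario generator) of a small order service that enforces them, followed by a probe that attempts the broken sequences listed under Capabilities and records any the service wrongly accepts. Order ids, user names, point amounts and the `LogicError` type are all hypothetical; a real target would be exercised over its API rather than in-process.

```python
from dataclasses import dataclass, field
from typing import Optional

# Allowed lifecycle transitions (hypothetical; mirrors the business context above).
# A refund is allowed from "paid" or "fulfilled", never from "created".
ALLOWED = {("created", "paid"), ("paid", "fulfilled"), ("paid", "refunded"), ("fulfilled", "refunded")}


class LogicError(Exception):
    """Raised when a request would violate a business invariant."""


@dataclass
class Order:
    order_id: str
    total: int                       # current order total, in cents
    state: str = "created"
    coupon: int = 0                  # discount in cents, only settable before payment
    charged: Optional[int] = None    # amount actually charged; fixed once paid


@dataclass
class Ledger:
    points: dict = field(default_factory=dict)    # user -> authoritative points balance
    history: list = field(default_factory=list)   # (user, delta, reason) entries
    seen_keys: set = field(default_factory=set)   # idempotency keys already consumed

    def post(self, user, delta, reason):
        self.points[user] = self.points.get(user, 0) + delta
        self.history.append((user, delta, reason))

    def consistent(self):
        # The authoritative balance must equal the sum of that user's history.
        return all(sum(d for u, d, _ in self.history if u == user) == bal
                   for user, bal in self.points.items())


class OrderService:
    def __init__(self):
        self.ledger = Ledger()

    def _transition(self, order, new_state):
        if (order.state, new_state) not in ALLOWED:
            raise LogicError(f"{order.state} -> {new_state} is not allowed")
        order.state = new_state

    def apply_coupon(self, order, discount):
        if order.state != "created":
            raise LogicError("coupons can only be applied before payment")
        order.coupon = discount

    def pay(self, order, user):
        self._transition(order, "paid")
        order.charged = order.total - order.coupon          # immutable from here on
        self.ledger.post(user, order.charged // 100, f"purchase {order.order_id}")

    def fulfill(self, order):
        self._transition(order, "fulfilled")

    def refund(self, order, user, amount, idem_key):
        # Every check runs before any write, so a rejected refund leaves no partial state.
        if idem_key in self.ledger.seen_keys:
            raise LogicError("replayed refund")               # replay / idempotency
        if order.charged is None or amount != order.charged:
            raise LogicError("refund must equal the amount charged")
        self._transition(order, "refunded")                   # rejects refund-before-payment
        self.ledger.seen_keys.add(idem_key)
        self.ledger.post(user, -(order.charged // 100), f"refund {order.order_id}")


def probe():
    """Try the broken sequences the agent looks for; return (wrongly accepted, ledger ok, points)."""
    svc = OrderService()
    accepted = []

    def attempt(name, fn):
        try:
            fn()
            accepted.append(name)      # the service let a forbidden action through
        except LogicError:
            pass

    order = Order("o-1", total=5000)                          # constructed sample order
    attempt("refund before payment", lambda: svc.refund(order, "alice", 5000, "k0"))
    attempt("fulfill before payment", lambda: svc.fulfill(order))
    svc.apply_coupon(order, 500)
    svc.pay(order, "alice")                                   # charged 4500, 45 points awarded
    attempt("coupon after payment", lambda: svc.apply_coupon(order, 4000))
    order.total = 100                                         # state manipulation after payment
    attempt("refund current total, not charged amount", lambda: svc.refund(order, "alice", 100, "k1"))
    svc.fulfill(order)
    svc.refund(order, "alice", 4500, "k2")                    # legitimate refund, points deducted
    attempt("replay refund", lambda: svc.refund(order, "alice", 4500, "k2"))
    return accepted, svc.ledger.consistent(), svc.ledger.points["alice"]
```

Against this hardened service `probe()` returns an empty list of accepted abuses, a consistent ledger, and a points balance of 0. Removing any single check (the idempotency key, the `charged` comparison, or the transition table) makes the corresponding attempt succeed, which is exactly the kind of finding the agent reports; the ordering inside `refund` (all checks, then all writes) is what keeps an error path from mutating state.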
### test_mode (Optional)

Use `automated_pentesting.business_logic_agent.test_mode` when the agent should focus specifically on authorization-oriented business logic checks:
| Value | When to use |
|---|---|
| `tenant_isolation` | Equivalent roles across different tenants must remain isolated from each other |
| `privilege_escalation` | Different privilege levels inside the same tenant must preserve permission boundaries |
If you omit `test_mode`, the agent infers the best approach from the configured users and roles (see Multi-User Testing below).
```yaml
automated_pentesting:
  business_logic_agent:
    enabled: true
    test_mode: privilege_escalation
    business_context: |
      Members can create and update draft invoices, but only finance admins may
      approve, refund, or export them. Subscription and billing settings are admin-only.
```
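The two `test_mode` values ask different questions of the same permission model. The added example below (not the product's code) encodes the invoice rules from that business context in a hypothetical `authorize` function, then runs both checks: can a finance admin from another tenant reach this tenant's invoice (`tenant_isolation`), and can a member perform admin-only actions in its own tenant (`privilege_escalation`). A weak variant that checks the role but not the tenant is included to show what a finding looks like. Role names, user names and invoice ids are constructed for the example.

```python
from dataclasses import dataclass

# Action -> roles allowed, from the business context above (hypothetical role names).
PERMISSIONS = {
    "create_invoice": {"member", "finance_admin"},
    "update_draft": {"member", "finance_admin"},
    "approve": {"finance_admin"},
    "refund": {"finance_admin"},
    "export": {"finance_admin"},
    "update_billing_settings": {"finance_admin"},
}
INVOICE_ACTIONS = ("update_draft", "approve", "refund", "export")
ADMIN_ONLY = ("approve", "refund", "export", "update_billing_settings")


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    role: str


@dataclass
class Invoice:
    invoice_id: str
    tenant: str
    state: str = "draft"


class Denied(Exception):
    """Raised when an action is refused."""


def authorize(user, action, invoice=None):
    """Hardened check: tenant scope first, then role. Returns True or raises Denied."""
    if invoice is not None and invoice.tenant != user.tenant:
        raise Denied("object belongs to another tenant")
    if user.role not in PERMISSIONS.get(action, set()):
        raise Denied(f"{user.role} may not {action}")
    return True


def authorize_role_only(user, action, invoice=None):
    """Weak variant: checks the role but never the tenant of the object."""
    if user.role not in PERMISSIONS.get(action, set()):
        raise Denied(f"{user.role} may not {action}")
    return True


def probe(check=authorize):
    """Run both test modes against a check function; return (mode, user, action) it wrongly allowed."""
    member_a = User("m", "tenant_a", "member")
    admin_a = User("fa", "tenant_a", "finance_admin")
    admin_b = User("fb", "tenant_b", "finance_admin")   # same role as admin_a, other tenant
    inv_a = Invoice("inv-1", "tenant_a")                # constructed sample invoice
    findings = []

    def attempt(mode, user, action, invoice):
        try:
            check(user, action, invoice)
            findings.append((mode, user.name, action))
        except Denied:
            pass

    # tenant_isolation: an equivalent role in tenant_b must not touch tenant_a's invoice
    for action in INVOICE_ACTIONS:
        attempt("tenant_isolation", admin_b, action, inv_a)
    # privilege_escalation: a member in tenant_a must not perform admin-only actions
    for action in ADMIN_ONLY:
        attempt("privilege_escalation", member_a, action, inv_a if action in INVOICE_ACTIONS else None)
    # control: the legitimate admin must still be allowed, or the probe proves nothing
    check(admin_a, "approve", inv_a)
    return findings
```

`probe()` returns no findings for the hardened check and four `tenant_isolation` findings for `authorize_role_only`, one per invoice action, while its `privilege_escalation` checks still pass because the role check is intact. The control call at the end matters: an authorization layer that denies everything would also produce zero findings, so a probe must confirm the legitimate path before treating silence as a pass.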
## Requirements

- An API schema: OpenAPI (for REST) or GraphQL
## Vulnerability Categories
Typical classes of issues:
- Broken sequences
- Replay / missing idempotency
- State manipulation across transitions
- Partial completion on failures
- Cross-flow interactions
- Ledger inconsistency
## Limitations
- Requires a schema (OpenAPI or GraphQL).
- Some workflows need extra business context (coupon codes, roles, invariants) before the agent can test them without guessing; supply it via `business_context`.
## Related Documentation
- How It Works: Understanding AI pentesting capabilities
- API Testing Configuration: API testing options
- Authentication: Set up authentication for scans
- Multi-User Testing: Configure multiple users