sast-businesslogiclisted
Install: claude install-skill reasonless-throne486/sast-skills
# Business Logic Vulnerability Detection
You are performing a focused security assessment to find business logic vulnerabilities in a codebase. This skill uses a three-phase approach with subagents: **threat modeling** (understand the domain and generate attack scenarios), **batched verify** (check whether scenarios are exploitable in parallel batches of 3), and **merge** (consolidate batch results).
**Prerequisites**: `sast/architecture.md` must exist. Run the analysis skill first if it doesn't.
---
## What are Business Logic Vulnerabilities
Business logic vulnerabilities arise when an application's intended workflow, rules, or constraints can be manipulated to produce unintended outcomes — without exploiting technical flaws like injection or memory corruption. The attacker operates within the application's own features but uses them in ways the developers did not anticipate.
The core pattern: *the application accepts input that is syntactically valid and passes authentication/authorization, but violates a business rule that was never enforced in code.*
### What Business Logic Vulnerabilities ARE
- Submitting a negative quantity to a purchase endpoint, receiving a credit instead of a charge
- Applying the same one-time discount coupon multiple times in parallel requests
- Skipping the payment step in a multi-step checkout by replaying a later step's request
- Posting a rating of 9999 to a movie rating endpoint that should cap ratings at 5
- Transferring a negative am
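The first four items above are concrete enough to show in code. The following is an added example, not part of the skill or the project: a constructed in-memory store in which the quantity, coupon and rating rules are enforced server-side, next to an unchecked `charge_unchecked` that shows what the negative-quantity credit looks like when the sign is trusted. The `SKU`, price and coupon code are constructed sample data; `concurrent_redemptions` races twenty threads against one coupon to confirm that the lock-protected check-and-remove accepts exactly one redemption.

```python
"""Business-rule enforcement for the scenarios in the list above (added example).

Three rules that the list says are commonly left out of code:
  1. purchase quantities must be positive integers (no negative-quantity credits)
  2. a one-time coupon may be redeemed once, even under parallel requests
  3. a rating must lie within the documented range (1..5)
All prices, coupons and movie names are constructed for the demo.
"""
from dataclasses import dataclass, field
from decimal import Decimal
import threading


class BusinessRuleViolation(Exception):
    """Raised when a syntactically valid request breaks a business rule."""


def _positive_int(value) -> bool:
    # bool is a subclass of int; reject it explicitly so True does not pass as 1
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


@dataclass
class Store:
    prices: dict[str, Decimal]
    coupons: set[str]                                  # unredeemed one-time coupons
    ratings: dict[str, list[int]] = field(default_factory=dict)
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def charge_unchecked(self, sku: str, quantity: int) -> Decimal:
        """Vulnerable form: trusts the sign of quantity, so -3 becomes a credit."""
        return self.prices[sku] * quantity

    def charge(self, sku: str, quantity: int) -> Decimal:
        """Hardened form: the quantity rule is enforced before any money moves."""
        if not _positive_int(quantity):
            raise BusinessRuleViolation(f"quantity must be a positive integer, got {quantity!r}")
        return self.prices[sku] * quantity

    def redeem_coupon(self, code: str) -> bool:
        """Atomic check-and-remove: concurrent callers cannot both see the coupon."""
        with self._lock:
            if code not in self.coupons:
                return False
            self.coupons.remove(code)
            return True

    def rate(self, movie: str, stars: int) -> None:
        """Rating endpoint with the 1..5 cap enforced server-side, not in the UI."""
        if not (_positive_int(stars) and stars <= 5):
            raise BusinessRuleViolation(f"rating must be between 1 and 5, got {stars!r}")
        self.ratings.setdefault(movie, []).append(stars)


def concurrent_redemptions(store: Store, code: str, attempts: int) -> int:
    """Fire `attempts` parallel redemptions of one coupon; return how many succeeded."""
    results: list[bool] = []
    barrier = threading.Barrier(attempts)

    def worker() -> None:
        barrier.wait()                 # release every thread at once to maximise overlap
        results.append(store.redeem_coupon(code))

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo() -> dict:
    """Run each scenario once and report the outcome of the checked and unchecked paths."""
    store = Store(prices={"widget": Decimal("10.00")}, coupons={"SAVE10"})
    out = {}
    out["unchecked_negative"] = store.charge_unchecked("widget", -3)   # a credit, not a charge
    try:
        store.charge("widget", -3)
        out["checked_negative"] = "accepted"
    except BusinessRuleViolation:
        out["checked_negative"] = "rejected"
    out["coupon_successes"] = concurrent_redemptions(store, "SAVE10", 20)
    try:
        store.rate("some-movie", 9999)
        out["rating_9999"] = "accepted"
    except BusinessRuleViolation:
        out["rating_9999"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of keeping `charge_unchecked` beside `charge` is that both are reachable by an authenticated, well-formed request; only the second encodes the rule. When reviewing a real codebase during the verify phase, the question for each scenario is which of the two shapes the handler actually has.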