hunt-business-logic

Identifies business logic vulnerabilities in financial transactions, enhancing security for e-commerce and SaaS platforms.

Install this skill

or

12/100

Security score

The hunt-business-logic skill was audited on Jun 10, 2026 and we found 28 security issues across 2 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 73

Curl to non-GitHub URL

SourceSKILL.md

73	curl -s -X POST https://target.com/api/subscribe \

medium line 91

Curl to non-GitHub URL

SourceSKILL.md

91	curl -X POST https://target.com/payment/callback \

medium line 99

Curl to non-GitHub URL

SourceSKILL.md

99	curl -s https://target.com/robots.txt \| grep -iE "(disallow\|allow)"

medium line 100

Curl to non-GitHub URL

SourceSKILL.md

100	curl -s https://target.com/sitemap.xml \| grep -iE "(employee\|internal\|staff\|summit\|admin)"

medium line 103

Curl to non-GitHub URL

SourceSKILL.md

103	curl -s https://target.com/assets/app.js \| grep -oE '"/[a-zA-Z0-9/_-]{3,50}"' \| sort -u

medium line 110

Curl to non-GitHub URL

SourceSKILL.md

110	curl -s -X POST https://monitor.target.com/api/monitoring/enable \

medium line 116

Curl to non-GitHub URL

SourceSKILL.md

116	curl -X POST https://target.com/verify \

medium line 39

Fetch to external URL

SourceSKILL.md

39	- `fetch('/api/subscribe', { method: 'POST', body: ... })` with no anti-CSRF token or rate-limit token

medium line 17

Webhook reference - potential data exfiltration

SourceSKILL.md

17	Asset types that pay: checkout flows, subscription endpoints, callback/verification systems, webhook handlers, employee/internal portals exposed to the internet, and any endpoint that trusts client-su

medium line 26

Webhook reference - potential data exfiltration

SourceSKILL.md

26	- `/api/v/payment`, `/api/v/notify`, `/webhook` — payment provider callbacks

medium line 44

Webhook reference - potential data exfiltration

SourceSKILL.md

44	- Payment webhooks with no HMAC signature validation

medium line 57

Webhook reference - potential data exfiltration

SourceSKILL.md

57	4. Intercept and tamper with payment flows. Use Burp Suite to intercept every request between your browser, the application, and the payment provider. Identify where price, currency, order ID, or

low line 90

Webhook reference - potential data exfiltration

SourceSKILL.md

90	# Look for unvalidated webhook endpoints

medium line 142

Webhook reference - potential data exfiltration

SourceSKILL.md

142	4. Payment webhooks lack signature validation. Developers implement "success" webhooks without verifying the HMAC signature provided by the payment provider, allowing anyone to POST a fake success

medium line 160

Webhook reference - potential data exfiltration

SourceSKILL.md

160	\| Webhook HMAC validation \| Test with no/empty signature header (is validation enforced at all — a modified payload only "passes" if it isn't); replay an UNMODIFIED captured webhook to test missing id

medium line 187

Webhook reference - potential data exfiltration

SourceSKILL.md

187	A payment flow passed order amount and currency through client-controlled parameters before redirecting to a third-party payment provider (Smart2Pay). By intercepting the redirect with Burp Suite and

low line 73

External URL reference

SourceSKILL.md

73	curl -s -X POST https://target.com/api/subscribe \

low line 91

External URL reference

SourceSKILL.md

91	curl -X POST https://target.com/payment/callback \

low line 99

External URL reference

SourceSKILL.md

99	curl -s https://target.com/robots.txt \| grep -iE "(disallow\|allow)"

low line 100

External URL reference

SourceSKILL.md

100	curl -s https://target.com/sitemap.xml \| grep -iE "(employee\|internal\|staff\|summit\|admin)"

low line 103

External URL reference

SourceSKILL.md

103	curl -s https://target.com/assets/app.js \| grep -oE '"/[a-zA-Z0-9/_-]{3,50}"' \| sort -u

low line 110

External URL reference

SourceSKILL.md

110	curl -s -X POST https://monitor.target.com/api/monitoring/enable \

low line 116

External URL reference

SourceSKILL.md

116	curl -X POST https://target.com/verify \

low line 198

External URL reference

SourceSKILL.md

198	8. Stripe — Fee discount race redemption ([H1 #1849626](https://hackerone.com/reports/1849626))

low line 204

External URL reference

SourceSKILL.md

204	9. Reverb.com — Gift-card race multi-redemption ([H1 #759247](https://hackerone.com/reports/759247))

low line 210

External URL reference

SourceSKILL.md

210	10. Upserve / OLO — Negative-quantity price manipulation ([H1 #364843](https://hackerone.com/reports/364843))

low line 216

External URL reference

SourceSKILL.md

216	11. Krisp — Pay-less-per-seat via PUT tampering ([H1 #1446090](https://hackerone.com/reports/1446090))

low line 222

External URL reference

SourceSKILL.md

222	12. Stripe — Pay using archived price via mid-flow swap ([H1 #1328278](https://hackerone.com/reports/1328278))

Scanned on Jun 10, 2026

View Security Dashboard

Installation guide →

GitHub Stars 2.2K

Rate this skill

Categorydevelopment

UpdatedJune 15, 2026

frontend playwright stripe docx git api database testing devops backend security-engineer growth-marketer product-manager github stripe paypal development marketing product

elementalsouls/Claude-BugHunter