Featured Thread

FlowBusters

FlowBusters is an experimental security project for finding business logic flaws. Instead of only scanning endpoints, it follows the workflow itself: record the flow, analyze state transitions, generate adversarial probes, and report confirmed logic issues.

Why It Exists

Many apps pass unit tests, automated scans, and standard penetration tests, but still fail when users abuse the intended business process. FlowBusters focuses on the multi-step rules an application assumes users will follow, but may not enforce server-side.

Workflow

1. Record Browser workflow demo.json + HAR 2. Analyze State transitions critical endpoints 3. Mutate Skip step, replay, tamper, role swap 4. Probe Findings + remediation

Attack Ideas

Skip Step

Jump directly to a later endpoint without completing required workflow prerequisites.

Role Swap

Try one role’s session context against another role’s expected actions.

Data Tamper

Mutate request body values such as IDs, amounts, statuses, or ownership-sensitive fields.

Replay

Re-fire a captured request after the workflow should no longer allow it.

Example Command

Captain, run FlowBusters against https://your-app.example.com/workflow