FlowBusters
FlowBusters is an experimental security project for finding business logic flaws. Instead of only scanning endpoints, it follows the workflow itself: record the flow, analyze state transitions, generate adversarial probes, and report confirmed logic issues.
Why It Exists
Many apps pass unit tests, automated scans, and standard penetration tests, but still fail when users abuse the intended business process. FlowBusters focuses on the multi-step rules an application assumes users will follow, but may not enforce server-side.
Workflow
Attack Ideas
Skip Step
Jump directly to a later endpoint without completing required workflow prerequisites.
Role Swap
Try one role’s session context against another role’s expected actions.
Data Tamper
Mutate request body values such as IDs, amounts, statuses, or ownership-sensitive fields.
Replay
Re-fire a captured request after the workflow should no longer allow it.
Example Command
Captain, run FlowBusters against https://your-app.example.com/workflow