logicpwn

🔒 LogicPWN

Automated Business Logic Vulnerability Testing

Test for IDOR, authorization bypasses, and business logic flaws in just 3 lines of code

🚀 Quick Start • 📖 Documentation • 💡 Examples • 🤝 Community

🎯 What is LogicPWN?

LogicPWN is a Python security testing framework that makes finding business logic vulnerabilities as easy as:

from logicpwn import quick_idor_test

results = quick_idor_test("https://api.example.com", "/api/users/{id}", [1, 2, 3, "admin"])
print(results['summary'])  # Found 2 IDOR vulnerabilities out of 4 tests

Why LogicPWN?

⚡ Simple 3 lines of code vs 20+ lines before 85% less code for common tasks

🎯 Powerful • IDOR Testing • Auth Bypass • Exploit Chains • Business Logic Enterprise-grade features

🚀 Fast Async support Batch testing Caching Rate limiting Test 1000+ endpoints

✨ Key Features

🔐 Authentication OAuth 2.0, JWT, SAML Session persistence CSRF handling Multi-factor auth	🎯 Vulnerability Testing IDOR detection Authorization bypass Privilege escalation Tenant isolation
⚡ Exploit Chains Multi-step attacks YAML configuration State management Auto-retry logic	📊 Reporting JSON, Markdown, CSV Compliance-ready CI/CD integration Real-time metrics

🚀 Quick Start (30 seconds)

📦 Installation

pip install logicpwn

🎯 Your First Test

Test for IDOR vulnerabilities:

from logicpwn import quick_idor_test

# Test if users can access each other's data
results = quick_idor_test(
    target_url="https://api.example.com",
    endpoint_pattern="/api/users/{id}",
    test_ids=[1, 2, 3, "admin", "guest"]
)

print(results['summary'])

Output:

Found 2 IDOR vulnerabilities out of 5 tests
Pass Rate: 60.0%

🔐 With Authentication

from logicpwn import SecurityTester

with SecurityTester("https://api.example.com") as tester:
    # Authenticate
    tester.authenticate("testuser", "password123")

    # Test for vulnerabilities
    results = tester.test_idor("/api/users/{id}", [1, 2, 3])

    # Export report
    results_obj = SecurityTestResult(**results)
    results_obj.export_json("security_report.json")

🎬 See It in Action

# Clone and try the examples
git clone https://github.com/Infernus007/LogicPWN.git
cd LogicPWN/examples/library_usage
python 01_minimal_idor_test.py

💡 Use Cases

🔍 Find IDOR Vulnerabilities

from logicpwn import SecurityTester

with SecurityTester("https://api.example.com") as tester:
    tester.authenticate("user", "pass")

    # Test user endpoints
    results = tester.test_idor("/api/users/{id}", [1, 2, 3, 100, 999])

    if results['vulnerable_count'] > 0:
        print(f"⚠️  Found {results['vulnerable_count']} IDOR vulnerabilities!")
        for vuln in results['vulnerabilities']:
            print(f"  • {vuln.endpoint_url}")

🚪 Test Authorization Bypass

from logicpwn import SecurityTester

with SecurityTester("https://api.example.com") as tester:
    tester.authenticate("regular_user", "password")

    # Check if admin endpoints are exposed
    admin_results = tester.test_unauthorized_access([
        "/api/admin/users",
        "/api/admin/settings",
        "/api/admin/logs"
    ])

    if admin_results['vulnerable']:
        print(f"🚨 {len(admin_results['accessible'])} admin endpoints exposed!")

🔗 Run Multi-Step Exploit Chains

from logicpwn import quick_exploit_chain

# Execute complex attack sequences from YAML
results = quick_exploit_chain("price_manipulation_test.yaml")

successful = sum(1 for r in results if r.status.value == "success")
print(f"Completed {successful}/{len(results)} steps")

if successful == len(results):
    print("🚨 Vulnerability confirmed: Price manipulation possible!")

📊 Generate Compliance Reports

from logicpwn import SecurityTester
from logicpwn.results import SecurityTestResult

# Run tests
with SecurityTester("https://api.example.com") as tester:
    tester.authenticate("user", "pass")
    results = tester.test_idor("/api/users/{id}", [1, 2, 3])

# Generate reports
result_obj = SecurityTestResult(
    test_type="IDOR Security Audit",
    target_url="https://api.example.com",
    total_tests=results['total_tested'],
    vulnerabilities=results['vulnerabilities'],
    safe_endpoints=results['safe_endpoints']
)

# Export in multiple formats
result_obj.export_json("audit_report.json")      # For automation
result_obj.export_markdown("audit_report.md")    # For documentation
result_obj.export_csv("audit_report.csv")        # For Excel

🤖 CI/CD Integration

# security_tests.py
from logicpwn import quick_idor_test
import sys

results = quick_idor_test(
    "https://staging.example.com",
    "/api/users/{id}",
    [1, 2, 3]
)

# Fail CI/CD pipeline if vulnerabilities found
if results['vulnerable_count'] > 0:
    print(f"❌ Security check failed: {results['summary']}")
    sys.exit(1)
else:
    print(f"✅ Security check passed!")
    sys.exit(0)

GitHub Actions:

- name: Security Tests
  run: python security_tests.py

📚 Examples

We have 6 comprehensive examples to get you started:

Example	Description	Difficulty	Time
01 - Minimal IDOR Test	5-line vulnerability test	⭐ Easy	2 min
02 - Authenticated Testing	Full auth flow	⭐⭐ Medium	5 min
03 - Exploit Chains	Multi-step attacks	⭐⭐ Medium	10 min
04 - Batch Testing	Scan entire APIs	⭐⭐⭐ Hard	15 min
05 - Context Managers	Resource management	⭐⭐ Medium	5 min
06 - Report Generation	Export & reports	⭐⭐ Medium	10 min

👉 View All Examples

🏗️ Architecture

Click to view architecture

┌─────────────────────────────────────────────────────────────┐
│                        LogicPWN                              │
├─────────────────────────────────────────────────────────────┤
│                                                              │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐     │
│  │ Quick Start  │  │ SecurityTester│  │ Exploit Chain│     │
│  │     API      │  │     Class     │  │    Engine    │     │
│  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘     │
│         │                  │                  │              │
│         └──────────────────┴──────────────────┘              │
│                            │                                 │
├────────────────────────────┼─────────────────────────────────┤
│                     Core Modules                             │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│  ┌─────────────┐ ┌─────────────┐ ┌──────────────┐         │
│  │    Auth     │ │   Access    │ │   Validator  │         │
│  │  • OAuth    │ │   • IDOR    │ │  • Response  │         │
│  │  • JWT      │ │   • BOLA    │ │  • Business  │         │
│  │  • SAML     │ │   • Tenant  │ │  • Logic     │         │
│  └─────────────┘ └─────────────┘ └──────────────┘         │
│                                                              │
│  ┌─────────────┐ ┌─────────────┐ ┌──────────────┐         │
│  │   Runner    │ │  Reporter   │ │  Reliability │         │
│  │  • Sync     │ │  • JSON     │ │  • Retry     │         │
│  │  • Async    │ │  • Markdown │ │  • Circuit   │         │
│  │  • HTTP/2   │ │  • CSV      │ │  • Breaker   │         │
│  └─────────────┘ └─────────────┘ └──────────────┘         │
│                                                              │
└──────────────────────────────────────────────────────────────┘

Modular Design:

• 🎯 Core Modules - Authentication, Access Control, Validation
• ⚡ High Performance - Async/await, connection pooling, caching
• 🔌 Extensible - Plugin system, middleware support
• 📦 Lightweight - Install only what you need

📖 Documentation

📘 For Beginners 🚀 Quick Start Guide 💡 Examples Library 🎓 Learning Path ❓ FAQ

📗 For Advanced Users 🔧 API Reference 🏗️ Architecture 🧪 Testing Guide 🤝 Contributing

🎓 Learning Path

🟢 Beginner (30 minutes)

Goal: Understand the basics and run your first test

• Install LogicPWN: pip install logicpwn
• Read Quick Start
• Run 01_minimal_idor_test.py
• Modify it for your target
• Try 02_authenticated_testing.py

You'll learn: Installation, basic IDOR testing, authentication

🟡 Intermediate (2 hours)

Goal: Master common security testing workflows

• Study 03_exploit_chain_execution.py
• Create your own exploit chain YAML
• Try 04_batch_endpoint_testing.py
• Learn 05_context_manager_usage.py
• Practice 06_result_export_and_reporting.py

You'll learn: Exploit chains, batch testing, reporting, best practices

🔴 Advanced (1 day)

Goal: Build custom security testing frameworks

• Explore the core modules
• Build custom exploit chains
• Create CI/CD integration
• Develop custom validators
• Contribute to LogicPWN

You'll learn: Architecture, extensibility, production deployment

❓ FAQ

Is LogicPWN a vulnerability scanner?

Yes and no. LogicPWN is a testing framework for business logic vulnerabilities. Unlike traditional scanners that look for known CVEs, LogicPWN tests for:

• IDOR (Insecure Direct Object Reference)
• Authorization bypasses
• Business logic flaws
• Privilege escalation

Can I use LogicPWN for bug bounties?

Yes! LogicPWN is perfect for bug bounty hunting. Many testers use it to:

• Automate IDOR testing across endpoints
• Test authorization on hundreds of endpoints
• Find business logic flaws quickly
• Generate proof-of-concept reports

How is this different from Burp Suite?

LogicPWN complements Burp Suite:

Feature	Burp Suite	LogicPWN
Manual Testing	✅ Excellent	❌ Not designed for this
Automation	⚠️ Complex	✅ Simple (3 lines of code)
Business Logic	⚠️ Manual process	✅ Built-in
CI/CD Integration	❌ Difficult	✅ Easy
Scripting	⚠️ Java/Python	✅ Python-native
Price	💰 $449/year	💰 Free

Best practice: Use Burp for manual testing, LogicPWN for automation.

Is it safe to use in production?

LogicPWN is designed for testing environments. Features for safety:

✅ Rate limiting - Avoid DoS ✅ Connection management - Proper cleanup ✅ Error handling - Graceful failures ✅ Logging - Audit trails

⚠️ Always:

• Test in staging first
• Get permission before testing
• Follow responsible disclosure

Can I contribute?

Yes! We welcome contributions:

• 🐛 Report bugs
• 💡 Suggest features
• 📝 Improve docs
• 🔧 Submit code

See Contributing Guide for details.

🔧 Advanced Usage

Custom Authentication

from logicpwn import SecurityTester

tester = SecurityTester("https://api.example.com")
tester.authenticate(
    username="admin",
    password="secret",
    login_endpoint="/api/v2/auth/login",
    method="POST",
    username_field="email",  # Custom field
    password_field="pwd",    # Custom field
    success_indicators=["access_token", "authenticated"]
)

Async Batch Testing

from logicpwn.core.access import detect_idor_flaws_async
import asyncio

async def scan_all_endpoints():
    results = await detect_idor_flaws_async(
        endpoint_template="https://api.example.com/users/{id}",
        test_ids=[str(i) for i in range(1, 1000)],  # Test 1000 IDs
        success_indicators=["user_data"],
        failure_indicators=["unauthorized"]
    )
    return results

results = asyncio.run(scan_all_endpoints())

Custom Exploit Chains (YAML)

# business_logic_test.yaml
name: "E-commerce Price Manipulation"
description: "Test for price override vulnerabilities"

steps:
  - name: "Add Product to Cart"
    request_config:
      method: "POST"
      url: "https://shop.com/api/cart/add"
      json_data:
        product_id: "EXPENSIVE_ITEM"
        quantity: 1
    success_indicators: ["cart_updated"]

  - name: "Manipulate Price"
    request_config:
      method: "POST"
      url: "https://shop.com/api/cart/update"
      json_data:
        product_id: "EXPENSIVE_ITEM"
        price: 0.01  # Try to set price to 1 cent
    success_indicators: ["updated"]
    failure_indicators: ["invalid", "unauthorized"]

  - name: "Checkout"
    request_config:
      method: "POST"
      url: "https://shop.com/api/checkout"
    success_indicators: ["order_confirmed"]

from logicpwn import quick_exploit_chain

results = quick_exploit_chain("business_logic_test.yaml")

Logging Configuration

from logicpwn import configure_logging, use_preset

# Simple debug logging
configure_logging(level="DEBUG", log_file="debug.log")

# Or use presets
use_preset("debug")                          # Verbose debugging
use_preset("security", log_file="audit.log") # Compliance logs
use_preset("ci")                             # CI/CD friendly

📊 Performance

Real-world benchmarks from production testing:

Metric	Value	Notes
Throughput	4.3 req/sec	Average across all test types
Memory	67.7 MB	Lightweight footprint
CPU	26.2%	Efficient resource usage
Reliability	99.2%	Success rate across tests
Async Speed	10x faster	vs synchronous testing

Scalability:

• ✅ Test 1000+ endpoints in minutes
• ✅ Async batch processing
• ✅ Connection pooling & caching
• ✅ Adaptive rate limiting

🤝 Community & Support

💬 Get Help GitHub Discussions Ask questions, share tips

🐛 Report Issues GitHub Issues Bug reports, feature requests

📚 Documentation Read the Docs Guides, API reference

🌟 Star History

If LogicPWN helps you, consider giving it a star! ⭐

🤝 Contributing

We welcome contributions from the community:

• 🍴 Fork the repository
• 🌿 Create a feature branch
• ✍️ Make your changes
• ✅ Add tests
• 📬 Submit a pull request

See CONTRIBUTING.md for detailed guidelines.

🚀 What's New in v0.4.0

🎯 Simplified API # Before (v0.3.0) from logicpwn.core.auth import ... # 20+ lines of code # After (v0.4.0) from logicpwn import quick_idor_test # 3 lines of code 85% less code!

✨ New Features ✅ SecurityTester class ✅ Quick functions ✅ Rich result objects ✅ Better error messages ✅ 6 new examples ✅ Logging presets 100% backward compatible

View Full Changelog

🛣️ Roadmap

v0.5.0 (Coming Soon)

• CLI tool for terminal usage
• YAML template library
• GitHub Actions workflows
• Plugin system
• Web dashboard

v0.6.0 (Future)

• GraphQL support
• gRPC testing
• WebSocket security
• AI-powered test generation

View Full Roadmap →

💼 Enterprise Support

Need help deploying LogicPWN in your organization?

🏢 Enterprise Features Custom training sessions Priority support Custom feature development SLA guarantees Dedicated Slack channel

📧 Contact Us For enterprise inquiries: Email: jashnaik2004@gmail.com GitHub: @Infernus007

📄 License

LogicPWN is licensed under the MIT License - see LICENSE for details.

MIT License - Free to use, modify, and distribute

🙏 Acknowledgments

LogicPWN is built with these amazing open-source libraries:

• requests - HTTP library
• aiohttp - Async HTTP
• pydantic - Data validation
• loguru - Logging
• PyYAML - YAML parsing

Special thanks to the security community for feedback and contributions!

🎯 Quick Links

Resource	Link
📦 PyPI Package	https://pypi.org/project/logicpwn/
🐙 GitHub Repo	https://github.com/Infernus007/LogicPWN
📚 Documentation	docs/
💡 Examples	examples/library_usage/
🐛 Report Bug	Create Issue
💬 Discussions	Join Discussion

🎉 Start Testing in 30 Seconds

pip install logicpwn

from logicpwn import quick_idor_test
results = quick_idor_test("https://api.example.com", "/api/users/{id}", [1, 2, 3])

Built with ❤️ for the security community

⭐ Star us on GitHub if LogicPWN helps you find vulnerabilities!

⬆ Back to Top