This article will help you develop the habit of switching on your bug hunting mindset immediately, while using any app for day-to-day tasks.

Today I was looking for an online mind map tool with AI features and came across whimsical[.]com.

The approach below can help you spot business logic testing areas as well as BAC (broken access control).

First, use the app as a normal user. This alone can take days to weeks :)

[Image: Generated by Author at whimsical.com]

I was exploring its AI "generate ideas" feature, where you enter the starting idea and it automatically generates all the steps & branches.

[Image: Generated by Author at whimsical.com]

After creating 3, I got hit with this limitation of the free plan: 3/3 used.

[Image: whimsical.com]

That's it. Hunter mindset activated!

This is one example of where to look for business logic flaws. As per policy, the free plan allows only 3 team boards, but can we somehow create 4? If so, that's a vulnerability automated tools can't easily test for at scale, because every product's logic is different.

Before testing, check for the security policy via Google dorking, for example:

  • target report vulnerability
  • target responsible disclosure
  • target security disclosure
  • target vulnerability disclosure
  • target bug bounty program
  • target whitehat program

or check their .txt files in the .well-known path.

[Image: Google Search]

Now, can we find a way to create 4? If we can, that's a vulnerability right in front of us with clear impact. Example tests to perform:

  • Race condition.
  • Test whether parameters and endpoints are treated case-sensitively or case-insensitively.
  • Try parameter pollution on endpoints and parameters that smell like they need testing for it.
  • Is there an old endpoint that does it? Any old API endpoint visible?
  • Try to extract archived URLs, filter the endpoints that are only accessible to premium plan users, and try hitting those endpoints directly.
  • Check how IDs are implemented (plain numeric ID, UUID, unique token, etc.)
  • For every request, look carefully at the response for any excessive information being returned.
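The 3-board quota bypass discussed above, modelled as an added example (this is not code from the post or from whimsical.com): a check-then-act quota that the race condition in the list defeats, beside the atomic form that holds. The `threading.Barrier` is test scaffolding so the interleaving is deterministic rather than a matter of scheduler luck.

```python
import threading

FREE_PLAN_LIMIT = 3  # the "3/3 used" quota of the free plan in the post


class Workspace:
    """Constructed stand-in for a tenant's board storage."""
    def __init__(self):
        self.boards = []
        self.lock = threading.Lock()


def create_board_racy(ws, name, gate):
    """Check-then-act, the shape of a quota race bug: the limit is read,
    then the board is written as a separate step. `gate` (a Barrier, test
    scaffolding only) holds every request between the two steps."""
    if len(ws.boards) >= FREE_PLAN_LIMIT:
        return False
    gate.wait()                 # all concurrent requests have passed the check...
    ws.boards.append(name)      # ...and every one of them now writes
    return True


def create_board_atomic(ws, name, gate):
    """Hardened form: check and write happen under one lock, so concurrent
    requests are serialized and the quota holds. In a real service this is
    a DB transaction or a constraint, not an in-process lock."""
    gate.wait()                 # requests still arrive at the same instant
    with ws.lock:
        if len(ws.boards) >= FREE_PLAN_LIMIT:
            return False
        ws.boards.append(name)
        return True


def burst(create, n):
    """Fire n simultaneous create requests at a fresh workspace; return the board count."""
    ws = Workspace()
    gate = threading.Barrier(n)
    threads = [threading.Thread(target=create, args=(ws, f"board-{i}", gate))
               for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(ws.boards)


if __name__ == "__main__":
    print("racy  :", burst(create_board_racy, 5))    # 5: quota bypassed
    print("atomic:", burst(create_board_atomic, 5))  # 3: quota held
```

The same pattern applies to any free-plan counter (seats, invites, AI generations): look for whether the count is checked and incremented in one atomic step.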

Further, check whether the app allows users to be created with various roles and permissions.

How does the app handle authorization?

Create multiple teams, and test access control from Team A to Team B.

Check the spiciest feature that every bug hunter loves: invite functionality for organizations/workspaces/teams/projects.

Check if there is an opportunity to test for cross-tenant BAC bugs.

Check all JS files, including minified ones; beautify them and look for the spicy parts that contain routes/endpoints/path structures/additional parameters that aren't directly visible to the front-end user through any functionality.

Check for juicy parameters like isprouser, usertype, plantype, premium, where just changing False to True / 0 to 1 / no to yes gives you access to premium features.

Check for client-side leaked tokens/secrets/etc. that have clear impact and are reproducible.

They don't offer bounties, so I am not interested in testing it. As for hall of fame acknowledgement only, I have enough from other programs to showcase in a portfolio if needed.

[Image: Vulnerability Disclosure page by whimsical.com]

Testing can be easy once you get to the endpoint, but finding the features to test and navigating to the most crucial areas to test for unique vulnerabilities is the hard part.

Hope you learned how to develop the BAC + Logic Hunter mindset. It can be tough when starting, but momentum is important, and a single target with enough features can keep you busy for more than a year without completing the manual testing! That is where automation overlooks important areas and AIs just keep hallucinating.
