
Use Business Logic Recorder (BLR)

This document is for:
Invicti Platform

The Business Logic Recorder (BLR) enables you to test complex web applications without manual effort or extra tools. Most scanners struggle with business logic, but this tool helps "explain" how user input affects application behavior. Some web forms require specific field values that a scanner engine may not be able to guess.

This document covers how the Business Logic Recorder works and how and when to use it.

When to use the Business Logic Recorder

Many web applications use multi-step forms, where later steps depend on user input from earlier ones. Shopping carts and airline reservations commonly follow this approach.

A key concept is that different input values can trigger different workflow paths. For example, a car rental form might use a birth date field to determine eligibility:

  • Ages ≤20 or ≥65: Rental unavailable, process stops.
  • Ages 26-64: Proceeds normally.
  • Ages 21-25: Adds an extra step for insurance acknowledgment.

The Business Logic Recorder (BLR) captures such sequences, ensuring scanners can test all workflow variations for vulnerabilities.
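To record one sequence per path, each path needs a concrete birth date, and a recorded birth date is a fixed value while the age it represents keeps changing. The following added example (not Invicti code; the path names, the outer age limits 18 and 90, and all function names are assumptions) picks a mid-band birth date for each path of the car rental form and computes the day on which that value would start triggering a different path.

```python
from datetime import date

# Workflow paths of the car rental form described above: (name, min_age, max_age).
# The outer limits 18 and 90 are assumptions; the page gives only "≤20" and "≥65".
PATHS = [
    ("rejected_young", 18, 20),
    ("insurance_step", 21, 25),
    ("normal", 26, 64),
    ("rejected_senior", 65, 90),
]

def shift_years(d, years):
    """Same calendar day `years` away; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def age_on(birth, today):
    """Completed years of age on `today`."""
    n = today.year - birth.year
    return n if shift_years(birth, n) <= today else n - 1

def path_for(birth, today):
    """Name of the workflow path a birth date triggers on `today`."""
    age = age_on(birth, today)
    return next((name for name, lo, hi in PATHS if lo <= age <= hi), "out_of_range")

def recording_inputs(today):
    """Per path: a mid-band birth date and the day it leaves the band."""
    plan = {}
    for name, lo, hi in PATHS:
        birth = shift_years(today, -((lo + hi) // 2))
        plan[name] = (birth, shift_years(birth, hi + 1))
    return plan

if __name__ == "__main__":
    for name, (birth, stale) in recording_inputs(date.today()).items():
        print(f"{name:16} birth date {birth}  re-record before {stale}")
```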

How to use the Business Logic Recorder

To enter the Business Logic Recorder:

  1. In Invicti Platform, select Inventory > Targets from the left-side menu.
  2. Locate the target you would like to amend and, using the 3-dots menu, select Edit target.
  3. Select Business Logic Recorder from the menu.
  4. Click New Sequence.
  5. In the Business Logic Recorder, navigate to the element where you need to record business logic (for example, a multi-part web form). The Record button is pre-selected for you.
  6. Click and fill in the elements in the form, and submit the form. As you click, the information on the right is updated.
  7. Select the Record button again to stop the recording.
  8. Select Play to review the recording.
  9. Click Save for the BLR to store the recorded actions for use in the next scan.
  10. A .blr file is created and added to the form.
  11. Click save target configuration.
