
[NEW SKILL] payment-webhook-state-machine-review #566

@JeremyZeng77

Description


Proposed Skill

Skill name: payment-webhook-state-machine-review
Category: appsec
Severity: high

What It Detects

Payment and billing webhooks can replay, reorder, or bypass state-machine constraints, leading to credit inflation, refund abuse, or subscription state drift.

Why This Skill Is Needed

This topic shows up in real security reviews and incident patterns, but it is not cleanly represented in the current proposal set. A dedicated skill would make the review repeatable instead of relying on ad hoc notes.

Detection Approach

Model the trust boundary for this workflow, then look for weak validation, stale assumptions, unsafe exceptions, missing provenance, and non-human or background paths that get broader reach than intended.

Languages / Frameworks

  • payment backends
  • subscription systems

Example Vulnerable Code

An implementation exposes this workflow with permissive defaults, incomplete boundary checks, and no durable audit or provenance trail.

Example Remediation

Constrain scope, validate the trust boundary explicitly, preserve provenance, and require repeatable verification evidence before approving this workflow.

References

  • OWASP guidance for the relevant domain
  • Relevant CWE, NIST, or cloud-provider security guidance

Estimated Complexity

  • Standard ($200) — Well-known vuln class, single language, straightforward detection
  • Intermediate ($350) — Multiple languages/frameworks, nuanced detection logic
  • Complex ($500) — Novel detection approach, comprehensive coverage, low FP rate

Bounty Info


Wait for maintainer approval before starting implementation. Please confirm whether this topic is in scope.
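Worked example, added to this page by the editor; it is not code from the issue, from the proposer, or from any skill implementation. It puts the three failure modes named in the proposal (replay, reordering, state-machine bypass) next to the checks a reviewer would look for: signature verification before parsing, a timestamp replay window, an event-id idempotency store, a whitelisted transition table, and an amount bound on refunds. The `timestamp.payload` HMAC scheme, the secret, the event shape, the transition table and the `run_scenario` delivery sequence are all constructed for illustration and do not describe any particular provider. Partial refunds and provider-side state lookups are deliberately not modeled.

```python
"""Vulnerable vs hardened payment webhook handler (added example).

Everything here is constructed for illustration: the secret, the
'timestamp.payload' HMAC scheme, the event shape, and the transition table.
"""
import hashlib
import hmac
import json
import time

WEBHOOK_SECRET = b"whsec_constructed_example_secret"  # constructed; use a secret store
TIMESTAMP_TOLERANCE_S = 300  # replay window for signed-but-old deliveries

# Whitelisted transitions: (current order state, event type) -> next state.
# Anything not listed (refund before payment, a second payment, a refund of
# an already refunded order) is an invalid transition and is refused.
TRANSITIONS = {
    ("created", "payment.succeeded"): "paid",
    ("paid", "refund.succeeded"): "refunded",
}


def sign(payload: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Provider-side signature over 'timestamp.payload' (constructed scheme)."""
    return hmac.new(secret, f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()


def make_event(eid: str, etype: str, order_id: str, amount: int, ts: int):
    """Build one signed webhook delivery as (payload, timestamp, signature)."""
    body = {"id": eid, "type": etype, "order_id": order_id, "amount": amount}
    payload = json.dumps(body).encode()
    return payload, ts, sign(payload, ts)


class VulnerableHandler:
    """Trusts the body, ignores event ids and order state, applies every event."""

    def __init__(self):
        self.balance = 0  # store credit in minor units

    def handle(self, payload: bytes, ts: int, sig: str, now=None) -> str:
        ev = json.loads(payload)  # no signature check: body is attacker-controlled
        if ev["type"] == "payment.succeeded":
            self.balance += ev["amount"]  # replayed delivery credits twice
        elif ev["type"] == "refund.succeeded":
            self.balance -= ev["amount"]  # refund with no prior payment is accepted
        return "ok"


class HardenedHandler:
    """Checks provenance, bounds replay, dedupes, and enforces the state machine."""

    def __init__(self):
        self.balance = 0
        self.orders = {}  # order_id -> {"state", "amount"}; a DB table in production
        self.seen_events = set()  # idempotency store; in production it is written in
        #                           the same transaction as the state change

    def handle(self, payload: bytes, ts: int, sig: str, now=None) -> str:
        now = time.time() if now is None else now
        # 1. Provenance: constant-time signature check before parsing anything.
        if not hmac.compare_digest(sign(payload, ts), sig):
            return "rejected:bad_signature"
        # 2. Freshness: a valid signature on an old timestamp is a replay.
        if abs(now - ts) > TIMESTAMP_TOLERANCE_S:
            return "rejected:stale"
        ev = json.loads(payload)
        # 3. Idempotency: an event id is applied at most once (answer 2xx, no effect).
        if ev["id"] in self.seen_events:
            return "ignored:duplicate"
        order = self.orders.setdefault(ev["order_id"], {"state": "created", "amount": 0})
        nxt = TRANSITIONS.get((order["state"], ev["type"]))
        # 4. State machine: reordered deliveries surface as invalid transitions;
        #    answer non-2xx so the provider redelivers once the prerequisite lands.
        if nxt is None:
            return f"rejected:invalid_transition:{order['state']}->{ev['type']}"
        # 5. Amount bound: a refund can never exceed what was actually paid.
        if ev["type"] == "refund.succeeded" and ev["amount"] > order["amount"]:
            return "rejected:refund_exceeds_payment"
        if ev["type"] == "payment.succeeded":
            order["amount"] = ev["amount"]
            self.balance += ev["amount"]
        else:
            self.balance -= ev["amount"]
        order["state"] = nxt
        self.seen_events.add(ev["id"])
        return f"ok:{nxt}"


def run_scenario(handler, now: int = 1_700_000_000):
    """Deliver a constructed sequence: refund before payment (reordered), the
    payment, a replay of that payment, and a forged event with a bogus signature."""
    deliveries = [
        make_event("evt_1", "refund.succeeded", "ord_1", 5000, now),
        make_event("evt_2", "payment.succeeded", "ord_1", 5000, now),
        make_event("evt_2", "payment.succeeded", "ord_1", 5000, now),
    ]
    forged_payload, _, _ = make_event("evt_3", "payment.succeeded", "ord_1", 99999, now)
    deliveries.append((forged_payload, now, "00" * 32))
    results = [handler.handle(p, ts, sig, now) for p, ts, sig in deliveries]
    return results, handler.balance


if __name__ == "__main__":
    print(run_scenario(VulnerableHandler()))  # (['ok', 'ok', 'ok', 'ok'], 104999)
    print(run_scenario(HardenedHandler()))
```

Running the same four deliveries through both handlers is the point of the exercise: the vulnerable handler ends with a balance of 104999 minor units from a forged event, a replayed payment and a refund that was never backed by a payment, while the hardened handler credits 5000 exactly once and refuses everything else. The `rejected:*` outcomes are the ones that should map to a non-2xx response so the provider retries; `ignored:duplicate` should be a 2xx, otherwise the provider keeps redelivering an event that has already been applied. A replayed delivery with its original, valid signature is caught either by the idempotency store (inside the window) or by the timestamp check (outside it), which is why both checks are needed.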

Metadata


Assignees

No one assigned

    Labels

    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet
