Replay, AuthZ Diff, and Race
The core offensive workflow in WSHawk v4 and why it is stronger than scanner-only output.
These three workflows are the center of WSHawk v4.
Replay
Replay takes a captured real action and re-sends it with stored identity context. This is usually far more defensible than inventing a synthetic payload from scratch.
Replay is useful for:
- confirming a state-changing action
- re-running browser-authenticated behavior
- reproducing a bug during analysis
AuthZ Diff
AuthZ diff compares the same action across identities and groups the differences for operator review.
This is where many serious v4 findings come from:
- cross-tenant exposure
- cross-role behavior mismatch
- hidden fields returned to the wrong user
- actions that should fail but still succeed
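The comparison step described above, as an added example that is not WSHawk's own code: it takes the responses one replayed action produced under several identities and groups the deviations for review. The identity names, response fields, expectation table and restricted-field list are all constructed assumptions.

```python
import json

# Constructed sample: responses to the same replayed action, keyed by identity.
RESPONSES = {
    "admin_tenant_a": '{"status": "ok", "invoice": {"id": 17, "tenant": "a", "internal_note": "vip"}}',
    "user_tenant_a": '{"status": "ok", "invoice": {"id": 17, "tenant": "a", "internal_note": "vip"}}',
    "user_tenant_b": '{"status": "ok", "invoice": {"id": 17, "tenant": "a"}}',
    "anonymous": '{"status": "error", "code": "forbidden"}',
}
# Assumed policy: who may perform the action, and which fields only the baseline may see.
EXPECT_ALLOWED = {"admin_tenant_a": True, "user_tenant_a": True,
                  "user_tenant_b": False, "anonymous": False}
RESTRICTED_FIELDS = {"invoice.internal_note"}


def flatten(obj, prefix=""):
    """Flatten nested JSON objects into dotted-path -> value pairs."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    return {prefix[:-1]: obj}


def authz_diff(responses, baseline, expect_allowed, restricted):
    """Compare every identity against policy and group deviations by category."""
    findings = {"unexpected_success": [], "unexpected_denial": [],
                "restricted_field_exposed": []}
    for ident, raw in responses.items():
        if ident == baseline:
            continue  # the baseline identity defines the reference behaviour
        flat = flatten(json.loads(raw))
        succeeded = flat.get("status") == "ok"
        if succeeded and not expect_allowed[ident]:
            findings["unexpected_success"].append(ident)
        elif not succeeded and expect_allowed[ident]:
            findings["unexpected_denial"].append(ident)
        for path in sorted(restricted & set(flat)):
            findings["restricted_field_exposed"].append((ident, path))
    return findings


if __name__ == "__main__":
    result = authz_diff(RESPONSES, "admin_tenant_a", EXPECT_ALLOWED, RESTRICTED_FIELDS)
    for category, items in result.items():
        print(category, items)
```

Each category maps to a review bucket: `unexpected_success` covers actions that should fail but still succeed, and `restricted_field_exposed` covers hidden fields returned to the wrong user.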
Race Testing
Race testing focuses on actions where timing matters:
- duplicate approvals
- stale token reuse
- replay-before-invalidation windows
- double-spend or duplicate-refund style logic bugs
Why This Matters
A scanner can suggest problems. Replay, AuthZ diff, and race testing can prove them in a stateful workflow with attached evidence.