Business Logic Attacks
| Test Name | API ID | Description | Detectable Vulnerabilities |
|---|---|---|---|
| Broken Object Property Authorization | bopla | Tests whether the application properly enforces access controls on individual properties of an object | Broken Object Property Authorization |
| Business Constraint Bypass | business_constraint_bypass | Tests whether the limit on the number of items retrievable in a single API call is configured properly | Business Constraint Bypass |
| Date Manipulation | date_manipulation | Tests whether date ranges are set and validated properly | Unvalidated Date Range |
| Excessive Data Exposure | excessive_data_exposure | Tests whether the application fails to filter sensitive information on the server side before returning it to the client | Excessive Data Exposure |
| ID Enumeration (BOLA) | id_enumeration | Tests whether it is possible to collect valid user ID data by interacting with the target application | ID Enumeration |
| Insecure Output Handling | insecure_output_handling | Tests for cases where a plugin or application fails to properly sanitize or validate LLM output before forwarding it to backend or client-side functions, which can lead to HTMLi, XSS, CSRF, SSRF, privilege escalation, or remote code execution | Insecure Output Handling |
| Prompt Injection | prompt_injection | Tests whether the LLM can be manipulated through crafted prompts, which can result in unintended actions and security vulnerabilities such as data leaks and unauthorized access | Prompt Injection |