Business Logic Attacks

| Test Name | API ID | Description | Detectable Vulnerabilities |
|---|---|---|---|
| Broken Object Property Authorization | bopla | Tests whether the application enforces access control on the individual properties of an object, not only on the object as a whole (for example, whether a client can read or write a field such as a role or balance that the server should have filtered) | Broken Object Property Authorization |
| Business Constraint Bypass | business_constraint_bypass | Tests whether the limit on the number of items retrievable in a single API call is enforced on the server side, or whether a client can raise it arbitrarily | Business Constraint Bypass |
| Date Manipulation | date_manipulation | Tests whether date ranges accepted by the API are bounded and validated on the server side (inverted, oversized or out-of-window ranges) | Unvalidated Date Range |
| Excessive Data Exposure | excessive_data_exposure | Tests whether the server returns sensitive object properties that it should have filtered out before responding, leaving the filtering to the client | Excessive Data Exposure |
| ID Enumeration (BOLA) | id_enumeration | Tests whether valid user or object identifiers can be collected by interacting with the target application, which is the precondition for Broken Object Level Authorization attacks | ID Enumeration |
| Insecure Output Handling | insecure_output_handling | Tests for cases where a plugin or application forwards LLM output to backend or client-side functions without sanitizing or validating it, which can lead to HTML injection, XSS, CSRF, SSRF, privilege escalation or remote code execution | Insecure Output Handling |
| Prompt Injection | prompt_injection | Tests whether crafted prompts can manipulate the LLM into unintended actions, which can result in vulnerabilities such as data leaks and unauthorized access | Prompt Injection |
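The following is an added illustration, not code from the original page or from the scanner it documents. It shows, for three of the test categories in the table (business_constraint_bypass, date_manipulation and bopla), the weak server-side handling such a test probes for next to a hardened alternative. The handler names, the limits (a page size cap of 100, a 90-day window, the fixed "today"), the role-to-property policy and the request dictionaries are all assumptions made for the example.

```python
"""Weak versus hardened request handling for three business-logic test classes.

Added example; names, limits, policy and sample requests are assumptions."""
from datetime import date, timedelta


class RequestError(ValueError):
    """Raised by the hardened handlers; a real API would map it to HTTP 400/403."""


# --- business_constraint_bypass: page size -------------------------------------
DEFAULT_LIMIT = 20   # assumed defaults for the example
MAX_LIMIT = 100


def parse_limit_weak(query):
    # Weak: the client-supplied value goes straight to the data layer,
    # so ?limit=1000000 dumps the whole collection.
    return int(query.get("limit", DEFAULT_LIMIT))


def parse_limit_hardened(query):
    raw = query.get("limit", str(DEFAULT_LIMIT))
    if not raw.isdigit():                       # rejects "", "-5", "1e9", "10;"
        raise RequestError("limit must be a positive integer")
    limit = int(raw)
    if limit < 1 or limit > MAX_LIMIT:          # server-side cap, not a client hint
        raise RequestError(f"limit must be between 1 and {MAX_LIMIT}")
    return limit


# --- date_manipulation: report window ------------------------------------------
MAX_RANGE_DAYS = 90
TODAY = date(2024, 7, 1)   # fixed clock so the example is reproducible


def parse_range_weak(query):
    # Weak: parsed but never validated; end < start or a multi-year span is accepted.
    return date.fromisoformat(query["start"]), date.fromisoformat(query["end"])


def parse_range_hardened(query, today=TODAY):
    try:
        start = date.fromisoformat(query["start"])
        end = date.fromisoformat(query["end"])
    except (KeyError, ValueError) as exc:
        raise RequestError("start and end must be ISO dates") from exc
    if end < start:
        raise RequestError("end precedes start")
    if end > today:
        raise RequestError("end is in the future")
    if end - start > timedelta(days=MAX_RANGE_DAYS):
        raise RequestError(f"range exceeds {MAX_RANGE_DAYS} days")
    return start, end


# --- bopla: per-property write authorization -----------------------------------
# Which properties each role may write on a user object (assumed policy).
WRITABLE = {
    "user": {"display_name", "email"},
    "admin": {"display_name", "email", "role", "balance"},
}


def update_user_weak(stored, payload):
    # Weak: mass assignment; a client can send {"role": "admin"} or {"balance": 1e6}.
    updated = dict(stored)
    updated.update(payload)
    return updated


def update_user_hardened(stored, payload, caller_role):
    allowed = WRITABLE.get(caller_role, set())
    denied = set(payload) - allowed
    if denied:                                  # deny-by-default per property
        raise RequestError(f"not allowed to set: {sorted(denied)}")
    updated = dict(stored)
    updated.update(payload)
    return updated


def rejects(handler, *args):
    """True if the handler refuses the request with RequestError."""
    try:
        handler(*args)
    except RequestError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests of the kind a scanner would send for these tests.
    q = {"limit": "1000000", "start": "2024-06-01", "end": "2024-01-01"}
    print("weak limit accepted:", parse_limit_weak(q))
    print("hardened rejects limit:", rejects(parse_limit_hardened, q))
    print("weak range accepted:", parse_range_weak(q))
    print("hardened rejects range:", rejects(parse_range_hardened, q))
    user = {"id": 7, "display_name": "alice", "role": "user", "balance": 0}
    print("weak update:", update_user_weak(user, {"role": "admin"}))
    print("hardened rejects update:", rejects(update_user_hardened, user, {"role": "admin"}, "user"))
```

The hardened variants share one design choice: every constraint is enforced on the server from an allow-list (integer page size within a fixed cap, a bounded and non-inverted date window, an explicit set of writable properties per role) rather than trusting defaults that the client can override. Excessive Data Exposure is the read-side mirror of the bopla case: the same per-role property list should filter the response before it leaves the server.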