Client-Side Attacks

| Test Name | API ID | Description | Detectable Vulnerabilities |
| --- | --- | --- | --- |
| AWS S3 Takeover | amazon_s3_takeover | Tests for S3 buckets that no longer exist to prevent data breaches and malware distribution | Amazon AWS S3 bucket takeover |
| Brute Force Login | brute_force_login | Tests for the availability of commonly used credentials | Brute Force Login |
| Cookie Security | cookie_security | Tests if the application uses and implements cookies with secure attributes | Missing 'httponly' Flag in Cookie; Missing 'secure' Flag in Cookie; Predictable Cookie Value |
| Cross-Site Scripting (XSS) | xss | Tests if various application DOM parameters are vulnerable to JavaScript injections | Cross-Site Scripting (rXSS) |
| CSS Injection | css_injection | Tests for weaknesses that could allow hackers to inject malicious Cascading Style Sheets (CSS) code | CSS Injection |
| Default Login Location | default_login_location | Tests if the login form location in the target application is easy to guess and accessible | Default Login Location |
| HTML Injection | html_injection | Tests if various application parameters are vulnerable to HTML injection | HTML Injection |
| iFrame Injection | iframe_injection | Tests for frame injection attacks, in which deceptive elements are embedded in legitimate websites to trick users into unintended interactions that lead to unauthorized actions, data theft, or malicious activities | iFrame Injection |
| JavaScript Vulnerabilities Scanning | retire_js | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| Open Cloud Storage | open_cloud_storage | Contains Open Buckets, Azure Blob Storage, and Amazon S3 Bucket Takeover tests | Open Cloud Storage |
| Prototype Pollution | proto_pollution | Tests if it is possible to inject properties into existing JavaScript objects | Prototype Pollution |
| Secret Tokens | secret_tokens | Tests for exposure of secret API tokens or keys in the target application | Secret Tokens Leak |
| Stored Cross-Site Scripting (Stored XSS) | stored_xss | Tests if various application DOM parameters are vulnerable to JavaScript injections | Stored Cross-Site Scripting (pXSS) |
| Unvalidated Redirect | unvalidated_redirect | Tests if various application parameters are vulnerable to the injection of a malicious link that can redirect a user without validation | Unvalidated Redirect |
| Version Control System | version_control_systems | Tests if it is possible to access Version Control System (VCS) resources | Version Control System Exposure |