Vulnerability Guide
This section lists all vulnerability buckets that can be detected by Bright and provides detailed information about each of them.
API attacks: Attacks targeting API-based infrastructure and attempting to override API mechanisms and logic or run backend code. Bucket ID for API usage: `client_side`.
| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| AWS S3 Takeover | Tests for S3 buckets that no longer exist to prevent data breaches and malware distribution | AWS S3 Takeover |
| Broken JWT Authentication | Tests for secure implementation of JSON Web Token (JWT) in the application | Broken JWT Authentication |
| Broken SAML Authentication | Tests for secure implementation of SAML authentication in the application | Broken SAML Authentication |
| Business Constraint Bypass | Tests if the limitation of the number of retrievable items via an API call is configured properly | Business Constraint Bypass |
| Cookie Security Check | Tests if the application uses and implements cookies with secure attributes | Sensitive Cookie in HTTPS Session Without Secure Attribute Sensitive Cookie Without Http-Only Flag Sensitive Cookie Weak Session ID |
| Directory Listing | Tests if server-side directory listing is possible | Directory Listing |
| Email Header Injection | Tests if it is possible to send emails to other addresses through the target application mailing server, which can lead to spam and phishing | Email Header Injection |
| Open Cloud Storage | Contains Open Buckets, Azure Blob Storage, and Amazon S3 Bucket Takeover tests. | Open Cloud Storage |
| Exposed Database Details (Open Database) | Tests if exposed database connection strings are open to public connections | Exposed Database Details Exposed Database Connection String |
| Excessive Data Exposure | Tests application for not screening sensitive information on the server side | Excessive Data Exposure |
| Full Path Disclosure (FPD) | Tests if various application parameters are vulnerable to the exposure of errors that include full webroot path | Full Path Disclosure |
| GraphQL introspection | GraphQL data availability test for queries coming from external IP-address | GraphQL introspection |
| Headers Security Check | Tests for proper Security Headers configuration | Misconfigured Security Headers Missing Security Headers Insecure Content Secure Policy Configuration |
| HTML Injection | Tests if various application parameters are vulnerable to HTML injection | HTML Injection |
| Improper Assets Management | Tests if older or development versions of API endpoints are exposed and can be used to get unauthorized access to data and privileges | Improper Assets Management |
| Insecure HTTP Method (HTTP Method Fuzzer) | Tests enumeration of possible HTTP methods for vulnerabilities | Insecure HTTP Method |
| Insecure TLS Configuration | Tests SSL/TLS ciphers and configurations for vulnerabilities | Insecure TLS Configuration |
| Local File Inclusion (LFI) | Tests if various application parameters are vulnerable to loading of unauthorized local system resources | Local File Inclusion (LFI) |
| Mass Assignment | Tests if it is possible to create requests with additional parameters to gain privilege escalation | Mass Assignment |
| OS Command Injection | Tests if various application parameters are vulnerable to Operation System (OS) command injection | OS Command Injection |
| Remote File Inclusion (RFI) | Tests if various application parameters are vulnerable to loading of unauthorized remote system resources | Remote File Inclusion (RFI) |
| Secret Tokens Leak | Tests for exposure of secret API tokens or keys in the target application | Secret Tokens Leak |
| Server Side Template Injection (SSTI) | Tests if various application parameters are vulnerable to server-side code execution | Server Side Template Injection (SSTI) |
| Server Side Request Forgery (SSRF) | Tests if various application parameters are vulnerable to internal resource access | Server Side Request Forgery (SSRF) |
| SQL Injection (SQLI) | SQL Injection tests vulnerable parameters for SQL database access | SQL injection SQL Injection: Blind Boolean Based SQL Injection: Blind Time Based |
| Unrestricted File Upload | Tests if file upload mechanisms are validated properly and denies upload of malicious content | Unrestricted File Upload |
| Unsafe Date Range (Date Manipulation) | Tests if date ranges are set and validated properly | Unsafe Date Range |
| User ID Enumeration | Tests if it is possible to collect valid user ID data by interacting with the target application | Enumerable Integer-Based ID |
| Version Control System Data Leak | Tests if it is possible to access Version Control System (VCS) resources | Version Control System Data Leak |
| LDAP Injection | Tests if various application parameters are vulnerable to unauthorized LDAP access | LDAP Injection LDAP Error |
| MongoDB | Tests if an attacker is able to inject malicious input into a NoSQL database query. | MongoDB |
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| XPath Injection | Tests if unvalidated user input in XPath expressions can be exploited to manipulate queries, potentially leading to unauthorized access or unintended actions | XPath Injection |
Business logic attacks: Attacks attempting to bypass application logic's constraints, manipulate legitimate functionality to achieve a malicious goal. Tests may lead to false positive findings. Bucket ID for API usage: `business_logic`.
| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Broken Object Property Level Authorization | Tests if the application properly enforces access controls on individual properties of an object. | Broken Object Property Level Authorization |
| Business Constraint Bypass | Tests if the limitation of the number of retrievable items via an API call is configured properly | Business Constraint Bypass |
| Excessive Data Exposure | Tests application for not screening sensitive information on the server side | Excessive Data Exposure |
| Improper Assets Management | Tests if older or development versions of API endpoints are exposed and can be used to get unauthorized access to data and privileges | Improper Assets Management |
| Insecure Output Handling Test | Tests for instances where a plugin or application fails to properly sanitize or validate LLM output before forwarding it to backend or client-side functions, leading to potential risks such as HTMLi, XSS, CSRF, SSRF, privilege escalation, or remote code execution. | Insecure Output Handling Test |
| Mass Assignment | Tests if it is possible to create requests with additional parameters to gain privilege escalation | Mass Assignment |
| Prompt Injection | Tests for prompt injections assess the manipulation of LLMs through crafted prompts, which can result in unintended actions and security vulnerabilities like data leaks and unauthorized access. | Prompt Injection |
| Unsafe Date Range (Date Manipulation) | Tests if date ranges are set and validated properly | Unsafe Date Range |
| User ID Enumeration | Tests if it is possible to collect valid user ID data by interacting with the target application | Enumerable Integer-Based ID |
Client-side attacks: Attacks targeting client UI and client-side code to steal user cookies impersonate the user and perform actions on his behalf. Bucket ID for API usage: `client_side` .
| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Brute Force Login | Tests for the availability of commonly used credentials | Brute Force Login |
| Cookie Security Check | Tests if the application uses and implements cookies with secure attributes | Sensitive Cookie in HTTPS Session Without Secure Attribute Sensitive Cookie Without Http-Only Flag Sensitive Cookie Weak Session ID |
| AWS S3 Takeover | Tests for S3 buckets that no longer exist to prevent data breaches and malware distribution | AWS S3 Takeover |
| Cross-Site Scripting (XSS) | Tests if various application DOM parameters are vulnerable to JavaScript injections | Stored Cross-site scripting (pXSS) |
| CSS Injection | Tests for weaknesses that could allow hackers to inject malicious Cascading Style Sheets (CSS) code. | CSS Injection |
| Default Login Location | Tests if login form location in the target application is easy to guess and accessible | Default Login Location |
| Open Cloud Storage | Contains Open Buckets, Azure Blob Storage, and Amazon S3 Bucket Takeover tests. | Open Cloud Storage |
| HTML Injection | Tests if various application parameters are vulnerable to HTML injection | HTML Injection |
| iFrame Injection | Tests for frame injection attacks evaluate the embedding of deceptive elements on legitimate websites, tricking users into unintended interactions that lead to unauthorized actions, data theft, or malicious activities. | iFrame Injection |
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| Prototype Pollution | Tests if it is possible to inject properties into existing JavaScript objects | Prototype Pollution |
| Secret Tokens Leak | Tests for exposure of secret API tokens or keys in the target application | Secret Tokens Leak |
| Unsafe Redirect (Unvalidated Redirect) | Tests if various application parameters are vulnerable to the injection of a malicious link that can redirect a user without validation | Unsafe Redirect |
| Version Control System Data Leak | Tests if it is possible to access Version Control System (VCS) resources | Version Control System Data Leak |
CVE tests: Passive CVE signature-based tests. Bucket ID for API usage: `cve`.
| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| CVE scanning | Tests for known third-party common vulnerability exposures | Common Vulnerability Exposure |
Legacy attacks: Attacks that haven't been widely exploited in the wild in recent time. Bucket ID for API usage: `legacy`.
| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| CVE scanning | Tests for known third-party common vulnerability exposures | Common Vulnerability Exposure |
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| WordPress Component | Tests for known vulnerabilities related to the WordPress platform | WordPress |
| XML External Entity Injection (XXE) | Tests if various XML parameters are vulnerable to XML parsing of unauthorized external entities | XML External Entity Injection |
| LDAP Injection | Tests if various application parameters are vulnerable to unauthorized LDAP access | LDAP Injection LDAP Error |
Multiple authentication attacks: Attacks leveraging multiple authentications to identify vulnerabilities that bypass security controls and expose unauthorized access. Bucket ID for API usage: `multiple_authentication_attacks`.
| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Broken Access Control | Tests for improper access controls measures allowing users to perform actions beyond their permissions | Broken Access Control |
Server-side attacks: Attacks trying to exploit server-side architecture and code. Bucket ID for API usage: `server_side`.
| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| AWS S3 Takeover | Tests for S3 buckets that no longer exist to prevent data breaches and malware distribution | AWS S3 Takeover |
| Broken JWT Authentication | Tests for secure implementation of JSON Web Token (JWT) in the application | Broken JWT Authentication |
| Broken SAML Authentication | Tests for secure implementation of SAML authentication in the application | Broken SAML Authentication |
| Brute Force Login | Tests for the availability of commonly used credentials | Brute Force Login |
| CVE scanning | Tests for known third-party common vulnerability exposures | Common Vulnerability Exposure |
| MongoDB | Tests if an attacker is able to inject malicious input into a NoSQL database query. | MongoDB |
| Common Files Exposure | Tests if common files that should not be accessible are accessible | Exposed Common File |
| Cookie Security Check | Tests if the application uses and implements cookies with secure attributes | Sensitive Cookie in HTTPS Session Without Secure Attribute Sensitive Cookie Without Http-Only Flag Sensitive Cookie Weak Session ID |
| Cross-Site Request Forgery (CSRF) | Tests application forms for vulnerable cross-site filling and submitting | Unauthorized Cross-Site Request Forgery (CSRF) Authorized Cross-Site Request Forgery (CSRF) |
| Directory Listing | Tests if server-side directory listing is possible | Directory Listing |
| Email Header Injection | Tests if it is possible to send emails to other addresses through the target application mailing server, which can lead to spam and phishing | Email Header Injection |
| Open Cloud Storage | Contains Open Buckets, Azure Blob Storage, and Amazon S3 Bucket Takeover tests. | Open Cloud Storage |
| Exposed Database Details (Open Database) | Tests if exposed database connection strings are open to public connections | Exposed Database Details Exposed Database Connection String |
| Full Path Disclosure (FPD) | Tests if various application parameters are vulnerable to the exposure of errors that include full webroot path | Full Path Disclosure |
| Headers Security Check | Tests for proper Security Headers configuration | Misconfigured Security Headers Missing Security Headers Insecure Content Secure Policy Configuration |
| iFrame Injection | Tests for frame injection attacks evaluate the embedding of deceptive elements on legitimate websites, tricking users into unintended interactions that lead to unauthorized actions, data theft, or malicious activities. | iFrame Injection |
| Insecure HTTP Method (HTTP Method Fuzzer) | Tests enumeration of possible HTTP methods for vulnerabilities | Insecure HTTP Method |
| Insecure TLS Configuration | Tests SSL/TLS ciphers and configurations for vulnerabilities | Insecure TLS Configuration |
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| Local File Inclusion (LFI) | Tests if various application parameters are vulnerable to loading of unauthorized local system resources | Local File Inclusion (LFI) |
| OS Command Injection | Tests if various application parameters are vulnerable to Operation System (OS) command injection | OS Command Injection |
| Remote File Inclusion (RFI) | Tests if various application parameters are vulnerable to loading of unauthorized remote system resources | Remote File Inclusion (RFI) |
| Secret Tokens Leak | Tests for exposure of secret API tokens or keys in the target application | Secret Tokens Leak |
| Server Side Template Injection (SSTI) | Tests if various application parameters are vulnerable to server-side code execution | Server Side Template Injection (SSTI) |
| Server Side Request Forgery (SSRF) | Tests if various application parameters are vulnerable to internal resource access | Server Side Request Forgery (SSRF) |
| SQL Injection (SQLI) | SQL Injection tests vulnerable parameters for SQL database access | SQL injection SQL Injection: Blind Boolean Based SQL Injection: Blind Time Based |
| Unrestricted File Upload | Tests if file upload mechanisms are validated properly and denies upload of malicious content | Unrestricted File Upload |
| Version Control System Data Leak | Tests if it is possible to access Version Control System (VCS) resources | Version Control System Data Leak |
| WordPress Component | Tests for known vulnerabilities related to the WordPress platform | WordPress |
| XML External Entity Injection (XXE) | Tests if various XML parameters are vulnerable to XML parsing of unauthorized external entities | XML External Entity Injection |
| XPath Injection | Tests if unvalidated user input in XPath expressions can be exploited to manipulate queries, potentially leading to unauthorized access or unintended actions | XPath Injection |
Advanced attacks: Attacks potentially causing a temporary disruption to the backend infrastructure. Use with caution and don’t target against production environments. Bucket ID for API usage: `advanced`.
| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Lack of Resources and Rate Limiting | Tests all API endpoints for rate-limiting or resource exhaustion protection in place. | Lack of Resources and Rate Limiting |
Updated 16 days ago