Vulnerability Guide

This section lists all vulnerability buckets that can be detected by Bright and provides detailed information about each of them.

API attacks: Attacks targeting API-based infrastructure that attempt to override API mechanisms and logic or to run backend code. Bucket ID for API usage: client_side.

| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| AWS S3 Takeover | Tests for S3 buckets that no longer exist, to prevent data breaches and malware distribution | AWS S3 Takeover |
| Broken JWT Authentication | Tests for secure implementation of JSON Web Token (JWT) in the application | Broken JWT Authentication |
| Broken SAML Authentication | Tests for secure implementation of SAML authentication in the application | Broken SAML Authentication |
| Business Constraint Bypass | Tests if the limit on the number of items retrievable via an API call is configured properly | Business Constraint Bypass |
| Cookie Security Check | Tests if the application uses and implements cookies with secure attributes | Sensitive Cookie in HTTPS Session Without Secure Attribute; Sensitive Cookie Without Http-Only Flag; Sensitive Cookie Weak Session ID |
| Directory Listing | Tests if server-side directory listing is possible | Directory Listing |
| Email Header Injection | Tests if it is possible to send emails to arbitrary addresses through the target application's mail server, which can lead to spam and phishing | Email Header Injection |
| Open Cloud Storage | Contains Open Buckets, Azure Blob Storage, and Amazon S3 Bucket Takeover tests | Open Cloud Storage |
| Exposed Database Details (Open Database) | Tests if exposed database connection strings are open to public connections | Exposed Database Details; Exposed Database Connection String |
| Excessive Data Exposure | Tests whether the application fails to filter sensitive information on the server side | Excessive Data Exposure |
| Full Path Disclosure (FPD) | Tests if various application parameters are vulnerable to the exposure of errors that include the full webroot path | Full Path Disclosure |
| GraphQL introspection | Tests whether GraphQL introspection data is available to queries coming from an external IP address | GraphQL introspection |
| Headers Security Check | Tests for proper security header configuration | Misconfigured Security Headers; Missing Security Headers; Insecure Content Security Policy Configuration |
| HTML Injection | Tests if various application parameters are vulnerable to HTML injection | HTML Injection |
| Improper Assets Management | Tests if older or development versions of API endpoints are exposed and can be used to gain unauthorized access to data and privileges | Improper Assets Management |
| Insecure HTTP Method (HTTP Method Fuzzer) | Enumerates the supported HTTP methods and tests them for vulnerabilities | Insecure HTTP Method |
| Insecure TLS Configuration | Tests SSL/TLS ciphers and configuration for vulnerabilities | Insecure TLS Configuration |
| Local File Inclusion (LFI) | Tests if various application parameters are vulnerable to loading of unauthorized local system resources | Local File Inclusion (LFI) |
| Mass Assignment | Tests if it is possible to add extra parameters to requests in order to escalate privileges | Mass Assignment |
| OS Command Injection | Tests if various application parameters are vulnerable to Operating System (OS) command injection | OS Command Injection |
| Remote File Inclusion (RFI) | Tests if various application parameters are vulnerable to loading of unauthorized remote system resources | Remote File Inclusion (RFI) |
| Secret Tokens Leak | Tests for exposure of secret API tokens or keys in the target application | Secret Tokens Leak |
| Server Side Template Injection (SSTI) | Tests if various application parameters are vulnerable to server-side code execution | Server Side Template Injection (SSTI) |
| Server Side Request Forgery (SSRF) | Tests if various application parameters are vulnerable to internal resource access | Server Side Request Forgery (SSRF) |
| SQL Injection (SQLI) | Tests if various application parameters are vulnerable to SQL injection that gives access to the SQL database | SQL Injection; SQL Injection: Blind Boolean Based; SQL Injection: Blind Time Based |
| Unrestricted File Upload | Tests if file upload mechanisms validate input properly and deny upload of malicious content | Unrestricted File Upload |
| Unsafe Date Range (Date Manipulation) | Tests if date ranges are set and validated properly | Unsafe Date Range |
| User ID Enumeration | Tests if it is possible to collect valid user IDs by interacting with the target application | Enumerable Integer-Based ID |
| Version Control System Data Leak | Tests if it is possible to access Version Control System (VCS) resources | Version Control System Data Leak |
| LDAP Injection | Tests if various application parameters are vulnerable to unauthorized LDAP access | LDAP Injection; LDAP Error |
| MongoDB | Tests if an attacker is able to inject malicious input into a NoSQL database query | MongoDB |
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| XPath Injection | Tests if unvalidated user input in XPath expressions can be exploited to manipulate queries, potentially leading to unauthorized access or unintended actions | XPath Injection |

Business logic attacks: Attacks that attempt to bypass the constraints of application logic or manipulate legitimate functionality to achieve a malicious goal. These tests may produce false positive findings. Bucket ID for API usage: business_logic.

| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Broken Object Property Level Authorization | Tests if the application properly enforces access controls on individual properties of an object | Broken Object Property Level Authorization |
| Business Constraint Bypass | Tests if the limit on the number of items retrievable via an API call is configured properly | Business Constraint Bypass |
| Excessive Data Exposure | Tests whether the application fails to filter sensitive information on the server side | Excessive Data Exposure |
| Improper Assets Management | Tests if older or development versions of API endpoints are exposed and can be used to gain unauthorized access to data and privileges | Improper Assets Management |
| Insecure Output Handling Test | Tests for cases where a plugin or application fails to properly sanitize or validate LLM output before forwarding it to backend or client-side functions, which can lead to HTMLi, XSS, CSRF, SSRF, privilege escalation, or remote code execution | Insecure Output Handling Test |
| Mass Assignment | Tests if it is possible to add extra parameters to requests in order to escalate privileges | Mass Assignment |
| Prompt Injection | Tests whether LLMs can be manipulated through crafted prompts, which can result in unintended actions and security vulnerabilities such as data leaks and unauthorized access | Prompt Injection |
| Unsafe Date Range (Date Manipulation) | Tests if date ranges are set and validated properly | Unsafe Date Range |
| User ID Enumeration | Tests if it is possible to collect valid user IDs by interacting with the target application | Enumerable Integer-Based ID |

Client-side attacks: Attacks targeting the client UI and client-side code to steal user cookies, impersonate the user, and perform actions on their behalf. Bucket ID for API usage: client_side.

| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Brute Force Login | Tests whether commonly used credentials are accepted by the login | Brute Force Login |
| Cookie Security Check | Tests if the application uses and implements cookies with secure attributes | Sensitive Cookie in HTTPS Session Without Secure Attribute; Sensitive Cookie Without Http-Only Flag; Sensitive Cookie Weak Session ID |
| AWS S3 Takeover | Tests for S3 buckets that no longer exist, to prevent data breaches and malware distribution | AWS S3 Takeover |
| Cross-Site Scripting (XSS) | Tests if various application DOM parameters are vulnerable to JavaScript injection | Stored Cross-site scripting (pXSS) |
| CSS Injection | Tests for weaknesses that could allow attackers to inject malicious Cascading Style Sheets (CSS) code | CSS Injection |
| Default Login Location | Tests if the login form location in the target application is easy to guess and accessible | Default Login Location |
| Open Cloud Storage | Contains Open Buckets, Azure Blob Storage, and Amazon S3 Bucket Takeover tests | Open Cloud Storage |
| HTML Injection | Tests if various application parameters are vulnerable to HTML injection | HTML Injection |
| iFrame Injection | Tests whether deceptive elements can be embedded in frames on legitimate pages, tricking users into unintended interactions that lead to unauthorized actions, data theft, or other malicious activity | iFrame Injection |
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| Prototype Pollution | Tests if it is possible to inject properties into existing JavaScript objects | Prototype Pollution |
| Secret Tokens Leak | Tests for exposure of secret API tokens or keys in the target application | Secret Tokens Leak |
| Unsafe Redirect (Unvalidated Redirect) | Tests if various application parameters are vulnerable to the injection of a malicious link that redirects a user without validation | Unsafe Redirect |
| Version Control System Data Leak | Tests if it is possible to access Version Control System (VCS) resources | Version Control System Data Leak |

CVE tests: Passive CVE signature-based tests. Bucket ID for API usage: cve.

| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| CVE scanning | Tests for known third-party common vulnerabilities and exposures | Common Vulnerability Exposure |

Legacy attacks: Attacks that have not been widely exploited in the wild recently. Bucket ID for API usage: legacy.

| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| CVE scanning | Tests for known third-party common vulnerabilities and exposures | Common Vulnerability Exposure |
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| WordPress Component | Tests for known vulnerabilities related to the WordPress platform | WordPress |
| XML External Entity Injection (XXE) | Tests if various XML parameters are vulnerable to XML parsing of unauthorized external entities | XML External Entity Injection |
| LDAP Injection | Tests if various application parameters are vulnerable to unauthorized LDAP access | LDAP Injection; LDAP Error |

Multiple authentication attacks: Attacks that leverage multiple authentications to identify vulnerabilities that bypass security controls and expose unauthorized access. Bucket ID for API usage: multiple_authentication_attacks.

| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Broken Access Control | Tests for improper access control measures that allow users to perform actions beyond their permissions | Broken Access Control |

Server-side attacks: Attacks that try to exploit server-side architecture and code. Bucket ID for API usage: server_side.

| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| AWS S3 Takeover | Tests for S3 buckets that no longer exist, to prevent data breaches and malware distribution | AWS S3 Takeover |
| Broken JWT Authentication | Tests for secure implementation of JSON Web Token (JWT) in the application | Broken JWT Authentication |
| Broken SAML Authentication | Tests for secure implementation of SAML authentication in the application | Broken SAML Authentication |
| Brute Force Login | Tests whether commonly used credentials are accepted by the login | Brute Force Login |
| CVE scanning | Tests for known third-party common vulnerabilities and exposures | Common Vulnerability Exposure |
| MongoDB | Tests if an attacker is able to inject malicious input into a NoSQL database query | MongoDB |
| Common Files Exposure | Tests if common files that should not be accessible are accessible | Exposed Common File |
| Cookie Security Check | Tests if the application uses and implements cookies with secure attributes | Sensitive Cookie in HTTPS Session Without Secure Attribute; Sensitive Cookie Without Http-Only Flag; Sensitive Cookie Weak Session ID |
| Cross-Site Request Forgery (CSRF) | Tests whether application forms can be filled in and submitted cross-site | Unauthorized Cross-Site Request Forgery (CSRF); Authorized Cross-Site Request Forgery (CSRF) |
| Directory Listing | Tests if server-side directory listing is possible | Directory Listing |
| Email Header Injection | Tests if it is possible to send emails to arbitrary addresses through the target application's mail server, which can lead to spam and phishing | Email Header Injection |
| Open Cloud Storage | Contains Open Buckets, Azure Blob Storage, and Amazon S3 Bucket Takeover tests | Open Cloud Storage |
| Exposed Database Details (Open Database) | Tests if exposed database connection strings are open to public connections | Exposed Database Details; Exposed Database Connection String |
| Full Path Disclosure (FPD) | Tests if various application parameters are vulnerable to the exposure of errors that include the full webroot path | Full Path Disclosure |
| Headers Security Check | Tests for proper security header configuration | Misconfigured Security Headers; Missing Security Headers; Insecure Content Security Policy Configuration |
| iFrame Injection | Tests whether deceptive elements can be embedded in frames on legitimate pages, tricking users into unintended interactions that lead to unauthorized actions, data theft, or other malicious activity | iFrame Injection |
| Insecure HTTP Method (HTTP Method Fuzzer) | Enumerates the supported HTTP methods and tests them for vulnerabilities | Insecure HTTP Method |
| Insecure TLS Configuration | Tests SSL/TLS ciphers and configuration for vulnerabilities | Insecure TLS Configuration |
| Known JavaScript Vulnerabilities (JavaScript Vulnerabilities Scanning) | Tests for known JavaScript component vulnerabilities | JavaScript Component with Known Vulnerabilities |
| Local File Inclusion (LFI) | Tests if various application parameters are vulnerable to loading of unauthorized local system resources | Local File Inclusion (LFI) |
| OS Command Injection | Tests if various application parameters are vulnerable to Operating System (OS) command injection | OS Command Injection |
| Remote File Inclusion (RFI) | Tests if various application parameters are vulnerable to loading of unauthorized remote system resources | Remote File Inclusion (RFI) |
| Secret Tokens Leak | Tests for exposure of secret API tokens or keys in the target application | Secret Tokens Leak |
| Server Side Template Injection (SSTI) | Tests if various application parameters are vulnerable to server-side code execution | Server Side Template Injection (SSTI) |
| Server Side Request Forgery (SSRF) | Tests if various application parameters are vulnerable to internal resource access | Server Side Request Forgery (SSRF) |
| SQL Injection (SQLI) | Tests if various application parameters are vulnerable to SQL injection that gives access to the SQL database | SQL Injection; SQL Injection: Blind Boolean Based; SQL Injection: Blind Time Based |
| Unrestricted File Upload | Tests if file upload mechanisms validate input properly and deny upload of malicious content | Unrestricted File Upload |
| Version Control System Data Leak | Tests if it is possible to access Version Control System (VCS) resources | Version Control System Data Leak |
| WordPress Component | Tests for known vulnerabilities related to the WordPress platform | WordPress |
| XML External Entity Injection (XXE) | Tests if various XML parameters are vulnerable to XML parsing of unauthorized external entities | XML External Entity Injection |
| XPath Injection | Tests if unvalidated user input in XPath expressions can be exploited to manipulate queries, potentially leading to unauthorized access or unintended actions | XPath Injection |

Advanced attacks: Attacks that can cause a temporary disruption of the backend infrastructure. Use with caution and do not run them against production environments. Bucket ID for API usage: advanced.

| Test Name | Description | Detectable Vulnerabilities |
|---|---|---|
| Lack of Resources and Rate Limiting | Tests all API endpoints for rate-limiting or resource-exhaustion protection | Lack of Resources and Rate Limiting |