Security Tests Reference

Escape currently supports 139 tests

| Name | Category | GraphQL Support (114) | REST Support (104) | Default Severity | OWASP 2023 |
|---|---|---|---|---|---|
| Forced Browsing | Access control | | | | API1:2023 |
| Private data | Access control | | | | API3:2023 |
| Private fields | Access control | | | | API1:2023 |
| Tenant isolation | Access control | | | | API5:2023 |
| Broken Object Level Authorization | Access control | | | | API1:2023 |
| Public state-altering operation | Access control | | | | API5:2023 |
| Sensitive endpoint bruteforce | Access control | | | | API3:2023 |
| Authenticated route bypass | Access control | | | | API2:2023 |
| Domain Takeover | Configuration | | | | API8:2023 |
| Springboot Actuator Restart Misconfiguration | Configuration | | | | API8:2023 |
| Springboot Actuator Shutdown Misconfiguration | Configuration | | | | API8:2023 |
| GraphQL Extension Disclosure | Configuration | | | | API8:2023 |
| WAF Bypass | Configuration | | | | API8:2023 |
| Automatic Persisted Queries | Configuration | | | | API8:2023 |
| Directory listing | Configuration | | | | API1:2023 |
| GraphQL IDE | Configuration | | | | API7:2023 |
| Proxy Disclosure | Configuration | | | | API5:2023 |
| Crashing Page | Configuration | | | | API8:2023 |
| Error type inconsistency | Configuration | | | | API8:2023 |
| Unhandled endpoint | Configuration | | | | API2:2023 |
| AWS Docker Config Exposure | Information disclosure | | | | API8:2023 |
| AWStats Config Exposure | Information disclosure | | | | API8:2023 |
| AWStats Exposure | Information disclosure | | | | API8:2023 |
| Airflow Config Exposure | Information disclosure | | | | API8:2023 |
| AppVeyor Config Exposure | Information disclosure | | | | API8:2023 |
| Data leak | Information disclosure | | | | API1:2023 |
| Exposed MySQL Config | Information disclosure | | | | API8:2023 |
| Exposed SQL Dumps | Information disclosure | | | | API8:2023 |
| Exposed settings.php | Information disclosure | | | | API8:2023 |
| Source code disclosure | Information disclosure | | | | API7:2023 |
| Springboot Actuator Disclosure of Heap Dump | Information disclosure | | | | API8:2023 |
| Springboot Actuator Disclosure of Mappings | Information disclosure | | | | API8:2023 |
| Springboot Actuator Disclosure of Trace | Information disclosure | | | | API8:2023 |
| Ansible Config Exposure | Information disclosure | | | | API8:2023 |
| Azure Tenant ID Exposure | Information disclosure | | | | API8:2023 |
| Field suggestion | Information disclosure | | | | API7:2023 |
| Leaking authentication | Information disclosure | | | | API7:2023 |
| Springboot Actuator Disclosure of Environment | Information disclosure | | | | API7:2023 |
| Springboot Actuator Disclosure of Thread Dump | Information disclosure | | | | API8:2023 |
| Stacktrace | Information disclosure | | | | API7:2023 |
| Vulnerable Package | Information disclosure | | | | API8:2023 |
| Debug mode | Information disclosure | | | | API7:2023 |
| Field Suggestion | Information disclosure | | | | API3:2023 |
| File disclosure | Information disclosure | | | | API7:2023 |
| Private IP | Information disclosure | | | | API1:2023 |
| Software Component Leak | Information disclosure | | | | API8:2023 |
| console error | Information disclosure | | | | API8:2023 |
| AWS Config Exposure | Information disclosure | | | | API8:2023 |
| Alibaba Canal Leak | Information disclosure | | | | API8:2023 |
| Appspec Exposure | Information disclosure | | | | API8:2023 |
| Introspection enabled | Information disclosure | | | | API7:2023 |
| Command Injection | Injection | | | | API10:2023 |
| Deserialization Attack | Injection | | | | API10:2023 |
| Directory traversal | Injection | | | | API10:2023 |
| File inclusion | Injection | | | | API10:2023 |
| Improper Input Validation Injection | Injection | | | | API10:2023 |
| JWT Signature check | Injection | | | | API2:2023 |
| JWT algorithm confusion | Injection | | | | API2:2023 |
| JWT no algorithm | Injection | | | | API2:2023 |
| LLM Excessive Agency | Injection | | | | API8:2023 |
| LLM Insecure Output Handling | Injection | | | | API8:2023 |
| LLM Insecure Plugin Design | Injection | | | | API8:2023 |
| LLM JailBreak | Injection | | | | API8:2023 |
| LLM Model Denial of Service | Injection | | | | API4:2023 |
| LLM Model Theft | Injection | | | | API8:2023 |
| LLM Overreliance | Injection | | | | API8:2023 |
| LLM Prompt Injection | Injection | | | | API8:2023 |
| LLM Sensitive Information Disclosure | Injection | | | | API8:2023 |
| LLM Supply Chain Vulnerabilities | Injection | | | | API8:2023 |
| LLM Training Data Poisoning | Injection | | | | API8:2023 |
| Log4Shell | Injection | | | | API8:2023 |
| Mass Assignment | Injection | | | | API1:2023 |
| NoSQL Injection | Injection | | | | API9:2023 |
| NoSQL Injection Stored | Injection | | | | API9:2023 |
| SQL Injection | Injection | | | | API9:2023 |
| SSTI (Server-Side Template Injection) | Injection | | | | API10:2023 |
| Stored Improper Input Validation Injection | Injection | | | | API10:2023 |
| XXE Injection | Injection | | | | API10:2023 |
| CRLF Injection | Injection | | | | API10:2023 |
| LLM Endpoint Detection | Injection | | | | API8:2023 |
| SSL Certificate | Protocol | | | | API2:2023 |
| Server Error | Protocol | | | | API5:2023 |
| TLS Configuration | Protocol | | | | API8:2023 |
| TLS Configuration Ciphers | Protocol | | | | API8:2023 |
| TLS Protocol Configuration | Protocol | | | | API8:2023 |
| request smuggling | Protocol | | | | API8:2023 |
| SSL enforced | Protocol | | | | API2:2023 |
| TLS Configuration Server Defaults | Protocol | | | | API8:2023 |
| TLS Configuration Server Preferences | Protocol | | | | API8:2023 |
| TLS vulnerabilities | Protocol | | | | API8:2023 |
| Access-Control-Allow-Origin Header | Protocol | | | | API7:2023 |
| CORS | Protocol | | | | API7:2023 |
| Cache Control Header | Protocol | | | | API7:2023 |
| Content Security Policy Header | Protocol | | | | API7:2023 |
| Content type | Protocol | | | | API7:2023 |
| Content-Type header | Protocol | | | | API7:2023 |
| Cookie Security | Protocol | | | | API7:2023 |
| Header leak | Protocol | | | | API7:2023 |
| Headers | Protocol | | | | API2:2023 |
| Strict Transport Security | Protocol | | | | API7:2023 |
| X-Content-Type-Options | Protocol | | | | API7:2023 |
| X-Frame-Options header | Protocol | | | | API7:2023 |
| Open redirection Forgery | Request forgery | | | | API3:2023 |
| Partial SSRF | Request forgery | | | | API6:2023 |
| Server Side Request Forgery | Request forgery | | | | API7:2023 |
| GET based CSRF | Request forgery | | | | API2:2023 |
| POST based CSRF | Request forgery | | | | API2:2023 |
| SSRF Injection in headers | Request forgery | | | | API10:2023 |
| Resource limiting bypass | Resource limitation | | | | API4:2023 |
| Depth limit | Resource limitation | | | | API4:2023 |
| Directive overloading | Resource limitation | | | | API8:2023 |
| Field limit | Resource limitation | | | | API4:2023 |
| Large JSON input | Resource limitation | | | | API4:2023 |
| Recursive Fragment | Resource limitation | | | | API8:2023 |
| Alias limit | Resource limitation | | | | API5:2023 |
| Batch Limit | Resource limitation | | | | API8:2023 |
| Character limit | Resource limitation | | | | API8:2023 |
| Cyclic query | Resource limitation | | | | API7:2023 |
| Pagination missing | Resource limitation | | | | API8:2023 |
| Response size | Resource limitation | | | | API7:2023 |
| Unreachable server | Resource limitation | | | | API8:2023 |
| Width limit | Resource limitation | | | | API4:2023 |
| Cyclic Recursive Query | Resource limitation | | | | API8:2023 |
| Field Duplication | Resource limitation | | | | API4:2023 |
| Security timeout | Resource limitation | | | | API7:2023 |
| Mismatching persisted queries and schema | Schema | | | | API8:2023 |
| Typing misconfiguration | Schema | | | | API10:2023 |
| Zombie object | Schema | | | | API9:2023 |
| Duplicated object | Schema | | | | API9:2023 |
| GraphQL Response Format | Schema | | | | API9:2023 |
| Invalid Persisted Query | Schema | | | | API9:2023 |
| Invalid condition in allOf | Schema | | | | API9:2023 |
| Invalid parameters in path | Schema | | | | API9:2023 |
| Invalid references | Schema | | | | API9:2023 |
| Permissive JSON Input | Schema | | | | API10:2023 |
| Positive integer validation | Schema | | | | API8:2023 |
| Response type mismatch | Schema | | | | API10:2023 |
| Swagger rules | Schema | | | | API9:2023 |
| Undefined objects | Schema | | | | API9:2023 |

Index

• LLM Security Testing

Access Control
• Authenticated route bypass
• Broken Object Level Authorization
• Forced Browsing
• Private data
• Private fields
• Public state-altering operation
• Sensitive endpoint bruteforce
• Tenant isolation

Configuration
• Crashing Page
• Directory listing
• Domain Takeover
• Error type inconsistency
• Automatic Persisted Queries
• GraphQL Extension Disclosure
• GraphQL IDE
• Proxy Disclosure
• Springboot Actuator Restart Misconfiguration
• Springboot Actuator Shutdown Misconfiguration
• Unhandled endpoint
• WAF Bypass

Information Disclosure
• Airflow Config Exposure
• Alibaba Canal Leak
• Ansible Config Exposure
• Appspec Exposure
• AppVeyor Config Exposure
• AWS Config Exposure
• AWS Docker Config Exposure
• AWStats Config Exposure
• AWStats Exposure
• Azure Tenant ID Exposure
• Source code disclosure
• console error
• Data leak
• Debug mode
• Exposed MySQL Config
• Exposed settings.php
• Exposed SQL Dumps
• File disclosure
• Field suggestion
• Introspection enabled
• Leaking authentication
• Vulnerable Package
• Private IP
• Field Suggestion
• Software Component Leak
• Springboot Actuator Disclosure of Thread Dump
• Springboot Actuator Disclosure of Environment
• Springboot Actuator Disclosure of Heap Dump
• Springboot Actuator Disclosure of Mappings
• Springboot Actuator Disclosure of Trace
• Stacktrace

Injection
• Command Injection
• CRLF Injection
• Deserialization Attack
• Directory traversal
• File inclusion
• Improper Input Validation Injection
• Stored Improper Input Validation Injection
• JWT algorithm confusion
• JWT no algorithm
• JWT Signature check
• Vulnerable LLM
• LLM Endpoint Detection
• LLM Excessive Agency
• LLM Insecure Output Handling
• LLM Insecure Plugin Design
• LLM JailBreak
• LLM Model Denial of Service
• LLM Model Theft
• LLM Overreliance
• LLM Prompt Injection
• LLM Sensitive Information Disclosure
• LLM Supply Chain Vulnerabilities
• LLM Training Data Poisoning
• Log4Shell
• Mass Assignment
• NoSQL Injection
• NoSQL Injection Stored
• SQL Injection
• SSTI (Server-Side Template Injection)
• XXE Injection

Protocol
• CORS
• Content type
• Access-Control-Allow-Origin Header
• Cache Control Header
• Content Security Policy Header
• Content-Type header
• Header leak
• Cookie Security
• Strict Transport Security
• X-Content-Type-Options
• X-Frame-Options header
• Headers
• HeartBleed
• request smuggling
• Server Error
• SSL enforced
• SSL Certificate
• TLS Configuration Ciphers
• TLS Protocol Configuration
• TLS Configuration
• TLS Configuration Server Defaults
• TLS Configuration Server Preferences
• TLS vulnerabilities

Request Forgery
• GET based CSRF
• POST based CSRF
• Open redirection Forgery
• Server Side Request Forgery
• SSRF Injection in headers
• Partial SSRF

Resource Limitation
• Character limit
• Cyclic query
• Alias limit
• Batch Limit
• Cyclic Recursive Query
• Depth limit
• Directive overloading
• Field Duplication
• Field limit
• Recursive Fragment
• Width limit
• Large JSON input
• Pagination missing
• Resource limiting bypass
• Response size
• Security timeout
• Unreachable server

Schema
• Duplicated object
• GraphQL Response Format
• Invalid condition in allOf
• Invalid parameters in path
• Invalid Persisted Query
• Invalid references
• Mismatching persisted queries and schema
• Permissive JSON Input
• Positive integer validation
• Response type mismatch
• Self compliant spec
• Swagger rules
• Typing misconfiguration
• Undefined objects
• Weak JSON typing
• Zombie object