Skip to content
Escape Documentation
Business Logic Agent
Initializing search
Log in to Escape
Home
Documentation
Release Notes
Blog
Not an Escape user yet? Book a demo
Escape Documentation
Log in to Escape
Home
Documentation
Documentation
Introduction
Introduction
Introduction to Escape
Choose Your Product
ASM
ASM
Quick Start
Asset Management
Scope Management
Network Scanning
Network Configuration
Reference (ASM)
Business Logic DAST
Business Logic DAST
Start a new Scan
Understanding Results
Multi-User Testing
Multi-User Testing
WebApp Testing
WebApp Testing
Technology
Routing Patterns
Scope Configuration
Session Management
Performance Tuning
Production-Safe Scanning
Agentic Crawling
Reference (WebApp)
Custom Rules
Custom Rules
Alerting
Detectors
Seeders
Extractors
Custom Rules Reference
API Testing
API Testing
Analyze Coverage
Rate Limiting
Scope
Custom Payloads
Hotstart
Data Types Reference
GraphQL
Reference (REST API)
Reference (GraphQL API)
Custom Rules
Custom Rules
Alerting
Detectors
Transformations
Mutators
Seeders
Extractors
Custom Rules Reference
AI Pentesting
AI Pentesting
Quickstart
How It Works
BOLA Agent
XSS Agent
Regression Testing Agent
CVE Exploitation Agent
Whitebox Agent
SQLI Agent
Business Logic Agent
Platform
Platform
Schedule Scans
Internal Network Scanning
Firewall Configuration
Scan Quality & Debugging
Scan Quality & Debugging
Scan Diagnostics
Problem Code Reference
Troubleshooting
Include Extra Data
Roadmap
Security Tests (274)
Security Tests (274)
Airflow Config Exposure
Alibaba Canal Leak
Ansible Config Exposure
Appspec Exposure
Appveyor Config Exposure
AWS Access Token
AWS Config Exposure
AWS Docker Config Exposure
AWStats Config Exposure
AWStats Exposure
Broken Object Level Authorization
Command Injection
CORS
ZenML ZenML Server - Improper Authentication
Change Detection - Server Side Template Injection
Veeam Backup & Replication - Unauthenticated
Debug mode
Directory traversal
Exposed JWT Token
Exposed MySQL Config
Exposed settings.php
Exposed SQL Dumps
File disclosure
Cache Control Header
Content Security Policy Header
Content-Type header
Cookie Security
Strict Transport Security
X-Content-Type-Options
X-Frame-Options header
High number of Custom Scalars
High number of PCI
High number of PHI
High number of PII
High number of Secrets
JWT algorithm confusion
JWT no algorithm
JWT Signature check
Possible User Enumeration
Mass Assignment
NoSQL Injection
Pagination missing
Positive integer validation
Private data
Private IP
Response size
Server Error
Software Component Leak
Springboot Actuator Disclosure of Thread Dump
Springboot Actuator Disclosure of Environment
Springboot Actuator Heapdump
Springboot Actuator Disclosure of Logfile
Springboot Actuator Disclosure of Mappings
Springboot Actuator Restart Misconfiguration
Springboot Actuator Shutdown Misconfiguration
Springboot Actuator Disclosure of Trace
SQL Injection
SSL Certificate
Server Side Request Forgery
SSTI (Server-Side Template Injection)
Stacktrace
Stored XSS Injection
Tenant isolation
Security timeout
Unreachable server
WAF Bypass
WordPress oEmbed Endpoint Exposure
WordPress RDF Feed Users Exposed
WordPress REST API Users Exposed
WordPress wp-cron Exposed
WordPress xmlrpc.php Exposed
XXE Injection
Adminer Default Login - Detect
Apache Airflow Default Login
Apache Airflow v3 Default Login
Angular Development Build
Apache Apollo - Default Login
Apache Druid - Remote Code Execution (Apache Log4j)
Apache Flink - Remote Code Execution
Apache HertzBeat - Default Credentials
Apache NiFi - Remote Code Execution
Apache OFBiz - JNDI Remote Code Execution (Apache Log4j)
Apache Solr <=8.8.1 - Local File Inclusion
Apache Solr 7+ - Remote Code Execution (Apache Log4j)
Apache Solr 9.1 - Remote Code Execution
Apache Apisix Admin - Default Login
Arcade.php - SQL Injection
ASP.NET ViewState Encryption
ASP.NET ViewState MAC Validation Disabled
BSPHP - Information Disclosure
Apache CloudStack - Default Login
CodiMD - File Upload
Compromised Supply Chain
Exposed JSON Configuration Files
Console Error
Crashing Page
Apache Log4j2 Remote Code Injection
DbGate Web Client - Unauthenticated Remote Command Execution
Django Secret Key Exposure
Apache DolphinScheduler Default Login
Apache Doris - Default Login
Drupal 7 Elfinder - Remote Code Execution
Drupal Avatar Uploader - Cross-Site Scripting
Apache Dubbo - Default Admin Discovery
EasyImage down.php - Arbitrary File Read
Fanwei OA E-Office - Information Disclosure
ElasticSearch - Default Login
Esafenet CDG mysql - File Read
Excessive Browser Permissions
Exposed Config File
Exposed Source Map
Weak Flask Session Secret
Broken Object Level Authorization
Command Injection
CRLF Injection
CSRF Get Based
CSRF Post Based
Domain Takeover
Cookie Security
Insecure WebSocket Connection
NoSQL Injection
Open redirection Forgery
Vulnerable JavaScript Library
Server Error
Software Component Leak
SQL Injection
SSL enforced
Server Side Request Forgery via Frontend
Security timeout
XSS via Domain Takeover
GeoVision Geowebserver <= 5.3.3 - Local File Inclusion / Cross-Site Scripting
Git Metadata Directory Exposure
Gitlab Default Login
GLPI Default Login
Grafana Default Login
Frontend Guessable Cookie Value
HTML Injection
Frontend HTTP Parameter Pollution
Client Side Prototype Pollution
Frontend Template Injection
XSS Injection
XSS via Query Parameter
Infoblox NetMRI < 7.6.1 - Remote Code Execution via Hardcoded Ruby Cookie Secret Key
IoTaWatt Configuration App Exposure
Jenkins Default Login
Jolokia <= 1.7.1 Information Leakage
Joomla! com_booking component 2.4.9 - Information Leak
Joomla! com_fabrik 3.9.11 - Local File Inclusion
Joomla `departments` - SQL Injection
Joomla! Component Easy Shop 1.2.3 - Local File Inclusion
Joomla iProperty Real Estate 4.1.1 - Cross-Site Scripting
Joomla JLex Review 6.0.1 - Cross-Site Scripting
Joomla jMarket 5.15 - Cross-Site Scripting
Joomla JoomBri Careers 3.3.0 - Cross-Site Scripting
Joomla! Component com_sef - Local File Inclusion
Joomla JVTwitter - Cross-Site Scripting
Joomla MarvikShop ShoppingCart 3.4 - Sql Injection
Joomla MarvikShop ShoppingCart 3.4 - Cross-Site Scripting
Joomla Solidres 2.13.3 - Cross-Site Scripting
Jupyter Notebook - Remote Command Execution
Apache Kafka Center Default Login
Apache Karaf - Default Login
kkFileView 4.0.0 - Server-Side Request Forgery
Apache Kylin Console - Default Login
Lucee < 6.0.1.59 - Remote Code Execution
Malwared BYOB - Unauthenticated Remote Code Execution
Microsoft Access Database File - Detect
Minio Default Login
Nginx Server - Local File Inclusion
Nginx Virtual Host Traffic Status Module - Cross-Site Scripting
Nginx Proxy Manager - Default Login
nginxWebUI ≤ 3.5.0 - Remote Command Execution
nginxWebUI ≤ 3.5.0 runCmd - Remote Command Execution
Node ecstatic Internal Path - Exposure
Node-Red - Default Login
OpenMediaVault - Default Login
OpenSearch Dashboard - Default Login
Password Field Autocompletion
PHP Timeclock <=1.04 - Cross-Site Scripting
Xdebug remote code execution via xdebug.remote_connect_back
PHP 8.1.0-dev - Backdoor Remote Code Execution
PHP LDAP Admin < 1.2.5 - Cross-Site Scripting
phpMyAdmin - Default Login
PhpMyAdmin - Unauthenticated Access
PHPOK - SQL Injection
phpwiki 1.5.4 - Cross-Site Scripting/Local File Inclusion
Private key exposure via helper detector
RabbitMQ Default Login
Ruby on Rails - CRLF Injection and Cross-Site Scripting
Apache Ranger - Default Login
React2Shell CVE-2025-55182 - Shell RCE
React2Shell CVE-2025-55182 - Javascript RCE
React Development Build
Reflected URL Parameter
Request URL Override
Rundeck - Default Login
Joomla! CMS <=3.4.6 - Remote Code Execution
Sangfor Log Center - Remote Command Execution
Secret Token Ruby - File Disclosure
Seeyon OA A6 createMysql.jsp Database - Information Disclosure
Selenium - Node Exposure
Self Signed SSL Certificate
Sensitive Comments
SonarQube Default Login - Detect
SQL Injection (Oracle-Based)
Subresource Integrity Missing
Svelte Development Build
ThinkPHP 6.0.0~6.0.1 - Arbitrary File Write
ThinkPHP 2/3 - Remote Code Execution
ThinkPHP 5.0.1 - Remote Code Execution
ThinkPHP 5.0.23 - Remote Code Execution
ThinkPHP 5.0.9 - Information Disclosure
Apache Tomcat Manager Default Login
Apache Tomcat - Default Login Discovery
TOTOLINK N150RT - Password Exposure
Twig PHP <2.4.4 template engine - SSTI
Twonky Server - Exposure
Unsafe Function Use
Vue.js Development Build
OA E-Office mysql_config.ini - Information Disclosure
Webmin - Default Login
WordPress wp-config Detection
WordPress Plugin "AffiliateWP -- Allowed Products" Log Disclosure
WordPress DB Backup
WordPress DB Backup
Wordpress DB Repair Exposed
WordPress Debug Log - Exposure
Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export
Wordpress Oembed Proxy - Server-side request forgery
WordPress Total Upkeep Database and Files Backup Download
WordPress Wordfence 7.4.5 - Local File Inclusion
Wordpress Wordfence - Cross-Site Scripting
WordPress Wordfence 7.4.6 - Cross0Site Scripting
Zebra_Form PHP Library <= 2.9.8 - Cross-Site Scripting
WordPress Woody Code Snippets <2.4.6 - Cross-Site Scripting
WordPress PHPFreeChat 0.2.8 - Cross-Site Scripting
XSS Injection
Zabbix Default Login
Character Limit
CSRF Get Based
CSRF Post Based
GraphQL Alias Limit
GraphQL Batch Limit
GraphQL Cyclic Recursive Query
GraphQL Directive Overloading
GraphQL Field Duplication
GraphQL Field Suggestion
GraphQL Recursive Fragment
GraphQL IDE
Introspection enabled
DNS record DKIM
DNS record DMARC
DNS Rebinding Attack
DNS record private IP
DNS record TXT length
DNS record TXT sensitive
DNSSEC not enabled
Domain Takeover
HTTP/2 Not Supported
HTTP without HTTPS Redirect
DNS record loopback
MCP Server Accessible Without Authentication
Default MSSQL Credentials
Exposed MSSQL Server
Default MySQL Credentials
Exposed MySQL Server
DNS record permissive SPF
Default PostgreSQL Credentials
Exposed PostgreSQL Server
Spoofable SPF Records with PTR Mechanism
Default SSH Credentials
Open SSH Server
Enabled SSH Password Authentication
SSL enforced
Authentication
Authentication
AWS Cognito
Basic
Browser Actions
Browser Agent
Browser Use
cURL
cURL Sequence
Digest
GraphQL
Headers
HTTP
OAuth Authz Code Browser
OAuth Client
OAuth ROPC
MFA & Captcha
Advanced Workflows
Authentication Reference
Private Locations
Private Locations
Prerequisites
Deployment Methods
Quickstart
SSL Configuration
mTLS Authentication
Proxy Configuration
Resource Management
Logging & Monitoring
Availability & Connectivity
Deploying at Scale
Repeater Migration
Integrations
Integrations
Custom Integrations
ASM Integrations
ASM Integrations
akamai-logo1-svg
Akamai
AWS
Azure
Bitbucket
Cloudflare
GCP
GitHub
GitLab
Kubernetes
Postman
Wiz
Testing in CI/CD
Testing in CI/CD
Testing in GitHub Action
Testing in GitLab CI
Testing in Bitbucket
Testing in CircleCI
Testing in Jenkins
Testing in Azure DevOps
Testing in Travis CI
Testing in Harness
Incremental Scanning
Ticketing Integrations
Ticketing Integrations
Email Notifications
Slack Notifications
Discord Notifications
Teams Notifications
Jira Integration
Governance
Governance
Results, Issues & Triage
Issue Management
Compliance
Reporting
Workflows
Workflows
Workflow Triggers
Workflow Conditions
Workflow Actions
Workflow Throttling
Managing Workflows
Webhook Notifications
Tooling
Tooling
Public API
Escape MCP
Escape MCP
IDE Integration Guide
Escape Copilot
Escape CLI
Escape CLI
Installation
Configuration
Getting Started
Profiles Management
Assets Management
Scans Management
Locations Management
Issues Management
Audit Logs
Scan Events
Scan Problems
Advanced Features
Practical Recipes
Enterprise Features
Enterprise Features
Support & SLA
SSO & Identity Federation
Logs
Privacy & Security
RBAC
RBAC
Core entities
Access control
Roles management
Projects management
Users management
Per feature details
agent
business logic
Business Logic Agent
¶
Coming soon
Back to top