Supported Security Tests and Vulnerability Categories
Escape covers thousands of test scenarios across 173 vulnerability categories (security assessments).
Each test contains different attack scenarios and payloads that are adapted to the logic of your application.
In the ASM, almost all the security tests are supported, but the underlying exploration algorithms are much shallower, since the main goal of the ASM is to explore the organization-wide scope.
Index
- LLM Endpoint Detection
- LLM Excessive Agency
- LLM Insecure Output Handling
- LLM Insecure Plugin Design
- LLM JailBreak
- LLM Model Denial of Service
- LLM Model Theft
- LLM Overreliance
- LLM Prompt Injection
- LLM Sensitive Information Disclosure
- LLM Supply Chain Vulnerabilities
- LLM Training Data Poisoning
- Airflow Config Exposure
- Alibaba Canal Leak
- Ansible Config Exposure
- Agentic Issue
- Appspec Exposure
- Appveyor Config Exposure
- Arbitrary Token Scope
- Auth Bypass
- AWS Access Token
- AWS Config Exposure
- AWS Docker Config Exposure
- AWStats Config Exposure
- AWStats Exposure
- Azure Tenant Id Exposure
- Broken Object Level Authorization
- Command Injection
- Content Security Policy
- CORS
- Crashing Page
- CRLF Injection
- CSRF Get Based
- CSRF Post Based
- Debug mode
- Directory listing
- Directory traversal
- Duplicated object
- Error type inconsistency
- Exposed JWT Token
- Exposed MySQL Config
- Exposed settings.php
- Exposed Source Map
- Exposed SQL Dumps
- File disclosure
- File inclusion
- Forced Browsing
- Leaked Sensitive Data in LocalStorage
- Frontend Guessable Cookie Value
- Access-Control-Allow-Origin Header
- Cache Control Header
- Content Security Policy Header
- Content-Type header
- Header leak
- Cookie Security
- Strict Transport Security
- X-Content-Type-Options
- X-Frame-Options header
- Headers
- High number of Custom Scalars
- High number of PCI
- High number of PHI
- High number of PII
- High number of Secrets
- HTML Injection
- Frontend HTTP Parameter Pollution
- GraphQL IDE
- Improper Input Validation Injection
- Stored Improper Input Validation Injection
- Introspection enabled
- Invalid condition in allOf
- Invalid parameters in path
- Invalid Persisted Query
- Invalid references
- JWT algorithm confusion
- JWT no algorithm
- JWT Signature check
- Large JSON input
- Possible User Enumeration
- Log4Shell
- Mass Assignment
- Mismatching persisted queries and schema
- NoSQL Injection
- NoSQL Injection Stored
- Nuclei Issue
- Port Remediation
- Open redirection Forgery
- Pagination missing
- Password Field Autocompletion
- Permissive JSON Input
- Positive integer validation
- Vulnerable Package
- Private data
- Private fields
- Private IP
- Public state-altering operation
- Reflected URL Parameter
- Request smuggling
- Request URL Override
- Resource limiting bypass
- Response size
- GraphQL Response Type Mismatch
- Row Level Security Bypass
- Custom security checks
- Sensitive Comments
- Sensitive endpoint bruteforce
- Server Error
- Software Component Leak
- Springboot Actuator Disclosure of Thread Dump
- Springboot Actuator Disclosure of Environment
- Springboot Actuator Heapdump
- Springboot Actuator Disclosure of Logfile
- Springboot Actuator Disclosure of Mappings
- Springboot Actuator Restart Misconfiguration
- Springboot Actuator Shutdown Misconfiguration
- Springboot Actuator Disclosure of Trace
- SQL Injection
- SSL enforced
- SSL Certificate
- Server Side Request Forgery
- SSRF Injection in headers
- SSTI (Server-Side Template Injection)
- Stacktrace
- Subresource Integrity Missing
- Swagger rules
- Tenant isolation
- Security timeout
- TLS Configuration Ciphers
- TLS Protocol Configuration
- TLS Configuration
- TLS Configuration Server Defaults
- TLS Configuration Server Preferences
- TLS vulnerabilities
- Typing misconfiguration
- Undefined objects
- Unhandled endpoint
- Unreachable server
- Unsafe Function Use
- WAF Bypass
- WordPress oEmbed Endpoint Exposure
- WordPress RDF Feed Users Exposed
- WordPress REST API Users Exposed
- WordPress wp-cron Exposed
- WordPress xmlrpc.php Exposed
- XSS via Domain Takeover
- XXE Injection
- Zombie object
- Console Error
- Domain Takeover
- Excessive Browser Permissions
- Weak Flask Session Secret
- Character Limit
- GraphQL Alias Limit
- GraphQL Automatic Persisted Queries
- GraphQL Batch Limit
- GraphQL Cyclic Recursive Query
- GraphQL Content Type
- GraphQL Depth Limit
- GraphQL Directive Overloading
- GraphQL Extension Disclosure
- GraphQL Field Duplication
- GraphQL Field Limit
- GraphQL Field Suggestion
- GraphQL Recursive Fragment
- Response Format
- GraphQL Width Limit
- DNS record DKIM
- DNS record DMARC
- DNS record TXT length
- DNS record TXT sensitive
- DNSSEC not enabled
- DNS record loopback
- DNS record permissive SPF