Supported Security Tests and Vulnerability Categories

Escape covers thousands of test scenarios across 142 vulnerability categories (security assessments).

Each test contains different attack scenarios and payloads that are adapted to the logic of your application.

Name Category GraphQL Support (114) REST Support (107) Default Severity OWASP 2023
Forced Browsing Access control API1:2023
Private data Access control API3:2023
Private fields Access control API1:2023
Tenant isolation Access control API5:2023
Broken Object Level Authorization Access control API1:2023
Public state-altering operation Access control API5:2023
Sensitive endpoint bruteforce Access control API3:2023
Authenticated route bypass Access control API2:2023
Domain Takeover Configuration API8:2023
Springboot Actuator Restart Misconfiguration Configuration API8:2023
Springboot Actuator Shutdown Misconfiguration Configuration API8:2023
compromised supply chain Configuration API9:2023
xss via domain takeover Configuration API8:2023
GraphQL Extension Disclosure Configuration API8:2023
WAF Bypass Configuration API8:2023
Automatic Persisted Queries Configuration API8:2023
Directory listing Configuration API1:2023
GraphQL IDE Configuration API7:2023
Proxy Disclosure Configuration API5:2023
excessive browser permissions Configuration API6:2023
Crashing Page Configuration API8:2023
Error type inconsistency Configuration API8:2023
Unhandled endpoint Configuration API2:2023
AWS Docker Config Exposure Information disclosure API8:2023
AWStats Config Exposure Information disclosure API8:2023
AWStats Exposure Information disclosure API8:2023
Airflow Config Exposure Information disclosure API8:2023
AppVeyor Config Exposure Information disclosure API8:2023
Data leak Information disclosure API1:2023
Exposed MySQL Config Information disclosure API8:2023
Exposed SQL Dumps Information disclosure API8:2023
Exposed settings.php Information disclosure API8:2023
Source code disclosure Information disclosure API7:2023
Springboot Actuator Disclosure of Heap Dump Information disclosure API8:2023
Springboot Actuator Disclosure of Mappings Information disclosure API8:2023
Springboot Actuator Disclosure of Trace Information disclosure API8:2023
Ansible Config Exposure Information disclosure API8:2023
Azure Tenant ID Exposure Information disclosure API8:2023
Field suggestion Information disclosure API7:2023
Leaking authentication Information disclosure API7:2023
Springboot Actuator Disclosure of Environment Information disclosure API7:2023
Springboot Actuator Disclosure of Thread Dump Information disclosure API8:2023
Stacktrace Information disclosure API7:2023
Vulnerable Package Information disclosure API8:2023
Debug mode Information disclosure API7:2023
Field Suggestion Information disclosure API3:2023
File disclosure Information disclosure API7:2023
Private IP Information disclosure API1:2023
Software Component Leak Information disclosure API8:2023
console error Information disclosure API8:2023
AWS Config Exposure Information disclosure API8:2023
Alibaba Canal Leak Information disclosure API8:2023
Appspec Exposure Information disclosure API8:2023
Introspection enabled Information disclosure API7:2023
Command Injection Injection API10:2023
Deserialization Attack Injection API10:2023
Directory traversal Injection API10:2023
File inclusion Injection API10:2023
Improper Input Validation Injection Injection API10:2023
JWT Signature check Injection API2:2023
JWT algorithm confusion Injection API2:2023
JWT no algorithm Injection API2:2023
LLM Excessive Agency Injection API8:2023
LLM Insecure Output Handling Injection API8:2023
LLM Insecure Plugin Design Injection API8:2023
LLM JailBreak Injection API8:2023
LLM Model Denial of Service Injection API4:2023
LLM Model Theft Injection API8:2023
LLM Overreliance Injection API8:2023
LLM Prompt Injection Injection API8:2023
LLM Sensitive Information Disclosure Injection API8:2023
LLM Supply Chain Vulnerabilities Injection API8:2023
LLM Training Data Poisoning Injection API8:2023
Log4Shell Injection API8:2023
Mass Assignment Injection API1:2023
NoSQL Injection Injection API9:2023
NoSQL Injection Stored Injection API9:2023
SQL Injection Injection API9:2023
SSTI (Server-Side Template Injection) Injection API10:2023
Stored Improper Input Validation Injection Injection API10:2023
XXE Injection Injection API10:2023
CRLF Injection Injection API10:2023
LLM Endpoint Detection Injection API8:2023
Request smuggling Protocol API8:2023
SSL Certificate Protocol API2:2023
Server Error Protocol API5:2023
TLS Configuration Protocol API8:2023
TLS Configuration Ciphers Protocol API8:2023
TLS Protocol Configuration Protocol API8:2023
SSL enforced Protocol API2:2023
TLS Configuration Server Defaults Protocol API8:2023
TLS Configuration Server Preferences Protocol API8:2023
TLS vulnerabilities Protocol API8:2023
Access-Control-Allow-Origin Header Protocol API7:2023
CORS Protocol API7:2023
Cache Control Header Protocol API7:2023
Content Security Policy Header Protocol API7:2023
Content type Protocol API7:2023
Content-Type header Protocol API7:2023
Cookie Security Protocol API7:2023
Header leak Protocol API7:2023
Headers Protocol API2:2023
Strict Transport Security Protocol API7:2023
X-Content-Type-Options Protocol API7:2023
X-Frame-Options header Protocol API7:2023
Open redirection Forgery Request forgery API3:2023
Partial SSRF Request forgery API6:2023
Server Side Request Forgery Request forgery API7:2023
GET based CSRF Request forgery API2:2023
POST based CSRF Request forgery API2:2023
SSRF Injection in headers Request forgery API10:2023
Resource limiting bypass Resource limitation API4:2023
Depth limit Resource limitation API4:2023
Directive overloading Resource limitation API8:2023
Field limit Resource limitation API4:2023
Large JSON input Resource limitation API4:2023
Recursive Fragment Resource limitation API8:2023
Alias limit Resource limitation API5:2023
Batch Limit Resource limitation API8:2023
Character limit Resource limitation API8:2023
Cyclic query Resource limitation API7:2023
Pagination missing Resource limitation API8:2023
Response size Resource limitation API7:2023
Unreachable server Resource limitation API8:2023
Width limit Resource limitation API4:2023
Cyclic Recursive Query Resource limitation API8:2023
Field Duplication Resource limitation API4:2023
Security timeout Resource limitation API7:2023
Mismatching persisted queries and schema Schema API8:2023
Typing misconfiguration Schema API10:2023
Zombie object Schema API9:2023
Duplicated object Schema API9:2023
GraphQL Response Format Schema API9:2023
Invalid Persisted Query Schema API9:2023
Invalid condition in allOf Schema API9:2023
Invalid parameters in path Schema API9:2023
Invalid references Schema API9:2023
Permissive JSON Input Schema API10:2023
Positive integer validation Schema API8:2023
Response type mismatch Schema API10:2023
Swagger rules Schema API9:2023
Undefined objects Schema API9:2023

Index

  •    LLM Security Testing

  Access Control

  •    Authenticated route bypass

  •    Broken Object Level Authorization

  •    Forced Browsing

  •    Private data

  •    Private fields

  •    Public state-altering operation

  •    Sensitive endpoint bruteforce

  •    Tenant isolation

  Configuration

  •    compromised supply chain

  •    Crashing Page

  •    Directory listing

  •    Domain Takeover

  •    Error type inconsistency

  •    excessive browser permissions

  •    Automatic Persisted Queries

  •    GraphQL Extension Disclosure

  •    GraphQL IDE

  •    Proxy Disclosure

  •    Springboot Actuator Restart Misconfiguration

  •    Springboot Actuator Shutdown Misconfiguration

  •    Unhandled endpoint

  •    WAF Bypass

  •    xss via domain takeover

  Information Disclosure

  •    Airflow Config Exposure

  •    Alibaba Canal Leak

  •    Ansible Config Exposure

  •    Appspec Exposure

  •    AppVeyor Config Exposure

  •    AWS Config Exposure

  •    AWS Docker Config Exposure

  •    AWStats Config Exposure

  •    AWStats Exposure

  •    Azure Tenant ID Exposure

  •    Source code disclosure

  •    console error

  •    Data leak

  •    Debug mode

  •    Exposed MySQL Config

  •    Exposed settings.php

  •    Exposed SQL Dumps

  •    File disclosure

  •    Field suggestion

  •    Introspection enabled

  •    Leaking authentication

  •    Vulnerable Package

  •    Private IP

  •    Field Suggestion

  •    Software Component Leak

  •    Springboot Actuator Disclosure of Thread Dump

  •    Springboot Actuator Disclosure of Environment

  •    Springboot Actuator Disclosure of Heap Dump

  •    Springboot Actuator Disclosure of Mappings

  •    Springboot Actuator Disclosure of Trace

  •    Stacktrace

  Injection

  •    Command Injection

  •    CRLF Injection

  •    Deserialization Attack

  •    Directory traversal

  •    File inclusion

  •    Improper Input Validation Injection

  •    Stored Improper Input Validation Injection

  •    JWT algorithm confusion

  •    JWT no algorithm

  •    JWT Signature check

  •    Vulnerable LLM

  •    LLM Endpoint Detection

  •    LLM Excessive Agency

  •    LLM Insecure Output Handling

  •    LLM Insecure Plugin Design

  •    LLM JailBreak

  •    LLM Model Denial of Service

  •    LLM Model Theft

  •    LLM Overreliance

  •    LLM Prompt Injection

  •    LLM Sensitive Information Disclosure

  •    LLM Supply Chain Vulnerabilities

  •    LLM Training Data Poisoning

  •    Log4Shell

  •    Mass Assignment

  •    NoSQL Injection

  •    NoSQL Injection Stored

  •    SQL Injection

  •    SSTI (Server-Side Template Injection)

  •    XXE Injection

  Protocol

  •    CORS

  •    Content type

  •    Access-Control-Allow-Origin Header

  •    Cache Control Header

  •    Content Security Policy Header

  •    Content-Type header

  •    Header leak

  •    Cookie Security

  •    Strict Transport Security

  •    X-Content-Type-Options

  •    X-Frame-Options header

  •    Headers

  •    HeartBleed

  •    Request smuggling

  •    Server Error

  •    SSL enforced

  •    SSL Certificate

  •    TLS Configuration Ciphers

  •    TLS Protocol Configuration

  •    TLS Configuration

  •    TLS Configuration Server Defaults

  •    TLS Configuration Server Preferences

  •    TLS vulnerabilities

  Request Forgery

  •    GET based CSRF

  •    POST based CSRF

  •    Open redirection Forgery

  •    Server Side Request Forgery

  •    SSRF Injection in headers

  •    Partial SSRF

  Resource Limitation

  •    Character limit

  •    Cyclic query

  •    Alias limit

  •    Batch Limit

  •    Cyclic Recursive Query

  •    Depth limit

  •    Directive overloading

  •    Field Duplication

  •    Field limit

  •    Recursive Fragment

  •    Width limit

  •    Large JSON input

  •    Pagination missing

  •    Resource limiting bypass

  •    Response size

  •    Security timeout

  •    Unreachable server

  Schema

  •    Duplicated object

  •    GraphQL Response Format

  •    Invalid condition in allOf

  •    Invalid parameters in path

  •    Invalid Persisted Query

  •    Invalid references

  •    Mismatching persisted queries and schema

  •    Permissive JSON Input

  •    Positive integer validation

  •    Response type mismatch

  •    Self compliant spec

  •    Swagger rules

  •    Typing misconfiguration

  •    Undefined objects

  •    Weak JSON typing

  •    Zombie object