API

Index

  Access Control

  •    Authenticated route bypass

  •    Broken Object Level Authorization

  •    Forced Browsing

  •    Private data

  •    Private fields

  •    Public state-altering operation

  •    Sensitive endpoint bruteforce

  •    Tenant isolation

  Configuration

  •    Compromised Supply Chain

  •    Crashing Page

  •    Directory listing

  •    Domain Takeover

  •    Error type inconsistency

  •    Excessive Browser Permissions

  •    Automatic Persisted Queries

  •    GraphQL Extension Disclosure

  •    GraphQL IDE

  •    Proxy Disclosure

  •    Springboot Actuator Restart Misconfiguration

  •    Springboot Actuator Shutdown Misconfiguration

  •    Configuration_SubresourceIntegrityMissing

  •    Unhandled endpoint

  •    Unsafe Function Use

  •    WAF Bypass

  •    XSS via Domain Takeover

  Information Disclosure

  •    Airflow Config Exposure

  •    Alibaba Canal Leak

  •    Ansible Config Exposure

  •    Appspec Exposure

  •    AppVeyor Config Exposure

  •    AWS Config Exposure

  •    AWS Docker Config Exposure

  •    AWStats Config Exposure

  •    AWStats Exposure

  •    Azure Tenant ID Exposure

  •    Source code disclosure

  •    Console Error

  •    Data leak

  •    Debug mode

  •    Exposed MySQL Config

  •    Exposed settings.php

  •    Exposed SQL Dumps

  •    File disclosure

  •    Field suggestion

  •    Introspection enabled

  •    Leaking authentication

  •    Vulnerable Package

  •    Private IP

  •    Field Suggestion

  •    Software Component Leak

  •    Springboot Actuator Disclosure of Thread Dump

  •    Springboot Actuator Disclosure of Environment

  •    Springboot Actuator Disclosure of Heap Dump

  •    Springboot Actuator Disclosure of Mappings

  •    Springboot Actuator Disclosure of Trace

  •    Stacktrace

  Injection

  •    Command Injection

  •    CRLF Injection

  •    Deserialization Attack

  •    Directory traversal

  •    File inclusion

  •    Improper Input Validation Injection

  •    Stored Improper Input Validation Injection

  •    JWT algorithm confusion

  •    JWT no algorithm

  •    JWT Signature check

  •    LLM Endpoint Detection

  •    LLM Excessive Agency

  •    LLM Insecure Output Handling

  •    LLM Insecure Plugin Design

  •    LLM JailBreak

  •    LLM Model Denial of Service

  •    LLM Model Theft

  •    LLM Overreliance

  •    LLM Prompt Injection

  •    LLM Sensitive Information Disclosure

  •    LLM Supply Chain Vulnerabilities

  •    LLM Training Data Poisoning

  •    Log4Shell

  •    Mass Assignment

  •    NoSQL Injection

  •    NoSQL Injection Stored

  •    SQL Injection

  •    SSTI (Server-Side Template Injection)

  •    XXE Injection

  Protocol

  •    CORS

  •    Content type

  •    Access-Control-Allow-Origin Header

  •    Cache Control Header

  •    Content Security Policy Header

  •    Content-Type header

  •    Header leak

  •    Cookie Security

  •    Strict Transport Security

  •    X-Content-Type-Options

  •    X-Frame-Options header

  •    Headers

  •    Request smuggling

  •    Server Error

  •    SSL enforced

  •    SSL Certificate

  •    TLS Configuration Ciphers

  •    TLS Protocol Configuration

  •    TLS Configuration

  •    TLS Configuration Server Defaults

  •    TLS Configuration Server Preferences

  •    TLS vulnerabilities

  Request Forgery

  •    GET based CSRF

  •    POST based CSRF

  •    Open redirection Forgery

  •    Server Side Request Forgery

  •    SSRF Injection in headers

  •    Partial SSRF

  Resource Limitation

  •    Character limit

  •    Cyclic query

  •    Alias limit

  •    Batch Limit

  •    Cyclic Recursive Query

  •    Depth limit

  •    Directive overloading

  •    Field Duplication

  •    Field limit

  •    Recursive Fragment

  •    Width limit

  •    Large JSON input

  •    Pagination missing

  •    Resource limiting bypass

  •    Response size

  •    Security timeout

  •    Unreachable server

  Schema

  •    Duplicated object

  •    GraphQL Response Format

  •    Invalid condition in allOf

  •    Invalid parameters in path

  •    Invalid Persisted Query

  •    Invalid references

  •    Mismatching persisted queries and schema

  •    Permissive JSON Input

  •    Positive integer validation

  •    Response type mismatch

  •    Swagger rules

  •    Typing misconfiguration

  •    Undefined objects

  •    Zombie object