
✅ Security Tests Reference

Escape currently supports 139 tests

Supported API types: GraphQL (114 tests), REST (104 tests).

| Name | Category | Default Severity | OWASP 2023 |
|---|---|---|---|
| Forced Browsing | Access control | HIGH | API1:2023 |
| Private data | Access control | HIGH | API3:2023 |
| Private fields | Access control | HIGH | API1:2023 |
| Tenant isolation | Access control | HIGH | API5:2023 |
| Broken Object Level Authorization | Access control | MEDIUM | API1:2023 |
| Public state-altering operation | Access control | MEDIUM | API5:2023 |
| Sensitive endpoint bruteforce | Access control | MEDIUM | API3:2023 |
| Authenticated route bypass | Access control | LOW | API2:2023 |
| Springboot Actuator Restart Misconfiguration | Configuration | HIGH | API8:2023 |
| Springboot Actuator Shutdown Misconfiguration | Configuration | HIGH | API8:2023 |
| domain takeover | Configuration | HIGH | API8:2023 |
| GraphQL Extension Disclosure | Configuration | MEDIUM | API8:2023 |
| WAF Bypass | Configuration | MEDIUM | API8:2023 |
| Automatic Persisted Queries | Configuration | LOW | API8:2023 |
| Directory listing | Configuration | LOW | API1:2023 |
| GraphQL IDE | Configuration | LOW | API7:2023 |
| Proxy Disclosure | Configuration | LOW | API5:2023 |
| Error type inconsistency | Configuration | INFO | API8:2023 |
| Unhandled endpoint | Configuration | INFO | API2:2023 |
| crashing page | Configuration | INFO | API8:2023 |
| AWS Docker Config Exposure | Information disclosure | HIGH | API8:2023 |
| AWStats Config Exposure | Information disclosure | HIGH | API8:2023 |
| AWStats Exposure | Information disclosure | HIGH | API8:2023 |
| Airflow Config Exposure | Information disclosure | HIGH | API8:2023 |
| AppVeyor Config Exposure | Information disclosure | HIGH | API8:2023 |
| Data leak | Information disclosure | HIGH | API1:2023 |
| Exposed MySQL Config | Information disclosure | HIGH | API8:2023 |
| Exposed SQL Dumps | Information disclosure | HIGH | API8:2023 |
| Exposed settings.php | Information disclosure | HIGH | API8:2023 |
| Source code disclosure | Information disclosure | HIGH | API7:2023 |
| Springboot Actuator Disclosure of Heap Dump | Information disclosure | HIGH | API8:2023 |
| Springboot Actuator Disclosure of Mappings | Information disclosure | HIGH | API8:2023 |
| Springboot Actuator Disclosure of Trace | Information disclosure | HIGH | API8:2023 |
| Ansible Config Exposure | Information disclosure | MEDIUM | API8:2023 |
| Azure Tenant ID Exposure | Information disclosure | MEDIUM | API8:2023 |
| Field suggestion | Information disclosure | MEDIUM | API7:2023 |
| Leaking authentication | Information disclosure | MEDIUM | API7:2023 |
| Springboot Actuator Disclosure of Environment | Information disclosure | MEDIUM | API7:2023 |
| Springboot Actuator Disclosure of Thread Dump | Information disclosure | MEDIUM | API8:2023 |
| Stacktrace | Information disclosure | MEDIUM | API7:2023 |
| Vulnerable Package | Information disclosure | MEDIUM | API8:2023 |
| Debug mode | Information disclosure | LOW | API7:2023 |
| Field Suggestion | Information disclosure | LOW | API3:2023 |
| File disclosure | Information disclosure | LOW | API7:2023 |
| Private IP | Information disclosure | LOW | API1:2023 |
| Software Component Leak | Information disclosure | LOW | API8:2023 |
| console error | Information disclosure | LOW | API8:2023 |
| AWS Config Exposure | Information disclosure | INFO | API8:2023 |
| Alibaba Canal Leak | Information disclosure | INFO | API8:2023 |
| Appspec Exposure | Information disclosure | INFO | API8:2023 |
| Introspection enabled | Information disclosure | INFO | API7:2023 |
| Command Injection | Injection | HIGH | API10:2023 |
| Deserialization Attack | Injection | HIGH | API10:2023 |
| Directory traversal | Injection | HIGH | API10:2023 |
| File inclusion | Injection | HIGH | API10:2023 |
| Improper Input Validation Injection | Injection | HIGH | API10:2023 |
| JWT Signature check | Injection | HIGH | API2:2023 |
| JWT algorithm confusion | Injection | HIGH | API2:2023 |
| JWT no algorithm | Injection | HIGH | API2:2023 |
| LLM Excessive Agency | Injection | HIGH | API8:2023 |
| LLM Insecure Output Handling | Injection | HIGH | API8:2023 |
| LLM Insecure Plugin Design | Injection | HIGH | API8:2023 |
| LLM JailBreak | Injection | HIGH | API8:2023 |
| LLM Model Denial of Service | Injection | HIGH | API4:2023 |
| LLM Model Theft | Injection | HIGH | API8:2023 |
| LLM Overreliance | Injection | HIGH | API8:2023 |
| LLM Prompt Injection | Injection | HIGH | API8:2023 |
| LLM Sensitive Information Disclosure | Injection | HIGH | API8:2023 |
| LLM Supply Chain Vulnerabilities | Injection | HIGH | API8:2023 |
| LLM Training Data Poisoning | Injection | HIGH | API8:2023 |
| Log4Shell | Injection | HIGH | API8:2023 |
| Mass Assignment | Injection | HIGH | API1:2023 |
| NoSQL Injection | Injection | HIGH | API9:2023 |
| NoSQL Injection Stored | Injection | HIGH | API9:2023 |
| SQL Injection | Injection | HIGH | API9:2023 |
| SSTI (Server-Side Template Injection) | Injection | HIGH | API10:2023 |
| Stored Improper Input Validation Injection | Injection | HIGH | API10:2023 |
| XXE Injection | Injection | HIGH | API10:2023 |
| CRLF Injection | Injection | MEDIUM | API10:2023 |
| LLM Endpoint Detection | Injection | LOW | API8:2023 |
| SSL Certificate | Protocol | HIGH | API2:2023 |
| Server Error | Protocol | HIGH | API5:2023 |
| TLS Configuration | Protocol | HIGH | API8:2023 |
| TLS Configuration Ciphers | Protocol | HIGH | API8:2023 |
| TLS Protocol Configuration | Protocol | HIGH | API8:2023 |
| request smuggling | Protocol | HIGH | API8:2023 |
| SSL enforced | Protocol | MEDIUM | API2:2023 |
| TLS Configuration Server Defaults | Protocol | MEDIUM | API8:2023 |
| TLS Configuration Server Preferences | Protocol | MEDIUM | API8:2023 |
| TLS vulnerabilities | Protocol | MEDIUM | API8:2023 |
| Access-Control-Allow-Origin Header | Protocol | LOW | API7:2023 |
| CORS | Protocol | LOW | API7:2023 |
| Cache Control Header | Protocol | LOW | API7:2023 |
| Content Security Policy Header | Protocol | LOW | API7:2023 |
| Content type | Protocol | LOW | API7:2023 |
| Content-Type header | Protocol | LOW | API7:2023 |
| Cookie Security | Protocol | LOW | API7:2023 |
| Header leak | Protocol | LOW | API7:2023 |
| Headers | Protocol | LOW | API2:2023 |
| Strict Transport Security | Protocol | LOW | API7:2023 |
| X-Content-Type-Options | Protocol | LOW | API7:2023 |
| X-Frame-Options header | Protocol | LOW | API7:2023 |
| Open redirection Forgery | Request forgery | HIGH | API3:2023 |
| Partial SSRF | Request forgery | HIGH | API6:2023 |
| Server Side Request Forgery | Request forgery | HIGH | API7:2023 |
| GET based CSRF | Request forgery | MEDIUM | API2:2023 |
| POST based CSRF | Request forgery | MEDIUM | API2:2023 |
| SSRF Injection in headers | Request forgery | LOW | API10:2023 |
| Resource limiting bypass | Resource limitation | HIGH | API4:2023 |
| Depth limit | Resource limitation | MEDIUM | API4:2023 |
| Directive overloading | Resource limitation | MEDIUM | API8:2023 |
| Field limit | Resource limitation | MEDIUM | API4:2023 |
| Large JSON input | Resource limitation | MEDIUM | API4:2023 |
| Recursive Fragment | Resource limitation | MEDIUM | API8:2023 |
| Alias limit | Resource limitation | LOW | API5:2023 |
| Batch Limit | Resource limitation | LOW | API8:2023 |
| Character limit | Resource limitation | LOW | API8:2023 |
| Cyclic query | Resource limitation | LOW | API7:2023 |
| Pagination missing | Resource limitation | LOW | API8:2023 |
| Response size | Resource limitation | LOW | API7:2023 |
| Unreachable server | Resource limitation | LOW | API8:2023 |
| Width limit | Resource limitation | LOW | API4:2023 |
| Cyclic Recursive Query | Resource limitation | INFO | API8:2023 |
| Field Duplication | Resource limitation | INFO | API4:2023 |
| Security timeout | Resource limitation | INFO | API7:2023 |
| Mismatching persisted queries and schema | Schema | MEDIUM | API8:2023 |
| Typing misconfiguration | Schema | MEDIUM | API10:2023 |
| Zombie object | Schema | LOW | API9:2023 |
| Duplicated object | Schema | INFO | API9:2023 |
| GraphQL Response Format | Schema | INFO | API9:2023 |
| Invalid Persisted Query | Schema | INFO | API9:2023 |
| Invalid condition in allOf | Schema | INFO | API9:2023 |
| Invalid parameters in path | Schema | INFO | API9:2023 |
| Invalid references | Schema | INFO | API9:2023 |
| Permissive JSON Input | Schema | INFO | API10:2023 |
| Positive integer validation | Schema | INFO | API8:2023 |
| Response type mismatch | Schema | INFO | API10:2023 |
| Swagger rules | Schema | INFO | API9:2023 |
| Undefined objects | Schema | INFO | API9:2023 |

Create your own custom rule: https://docs.escape.tech/api-dast/custom-rules/