| Rule / check name |
| --- |
| .NET stack trace / YSOD |
| access_token/id_token in URL |
| Admin/management path observed |
| Android assetlinks.json observed |
| API docs endpoint observed |
| api_key/key in URL |
| Apple app-site-association observed |
| Avoid eval with string literals |
| Avoid execScript dynamic execution |
| Avoid Function constructor with strings |
| Avoid string-based timers |
| AWS Access Key ID pattern |
| Cache-Control public/max-age with Set-Cookie |
| Clear-Site-Data present but missing executionContexts |
| Clear-Site-Data uses wildcard * |
| Cloud metadata IP referenced |
| COEP present but value is not 'require-corp' or 'credentialless' |
| COOP present but value is not 'same-origin' |
| COOP set without COEP/CORP (incomplete cross-origin isolation) |
| CORS allows any origin with credentials |
| CORS allows broad headers |
| CORS allows broad methods |
| Credit Card Number |
| CSP 'frame-ancestors' missing or overly broad |
| CSP allows inline/eval or wildcards in script/style |
| CSP Report-Only present without enforcing CSP |
| data: URL assigned to script.src |
| Debug/diagnostic path observed |
| Deprecated Feature-Policy or unknown/overly-permissive Permissions-Policy |
| Disallow direct document.cookie assignment (incl. bracket access) |
| Disallow direct navigation primitives |
| Disallow document.write()/writeln() |
| Disallow innerHTML/outerHTML assignments |
| Disallow insertAdjacentHTML() |
| DOM XSS via document.write |
| DOM XSS via DOM mutations |
| DOM XSS via Element.innerHTML |
| DOM XSS via Element.outerHTML |
| DOM XSS via inline event handler |
| DOM XSS via innerHTML (Angular) |
| DOM XSS via insertAdjacentHTML |
| DOM-based Cookie Manipulation (taint flow) |
| DOM-based JavaScript Injection (taint flow) |
| DOM-based Open Redirection (taint flow) |
| DOM-based XSS (taint flow) |
| Dynamic ACAO without Vary: Origin |
| Dynamic code execution via eval |
| Dynamic code execution via Function constructor |
| Dynamic code execution via Function.apply |
| Environment hints (dev/staging/test) in response |
| Environment/config file observed |
| Expect-CT is deprecated |
| Exposure of Git repository |
| Exposure of Mercurial repository |
| Exposure of SVN repository |
| File/path candidate parameter |
| Firebase config exposed |
| Form action manipulated by tainted route or body input |
| formAction manipulated by tainted route or body input |
| GitHub token pattern |
| Google API key pattern |
| GraphiQL / GraphQL Playground detected |
| GraphQL endpoint observed |
| GraphQL path observed |
| HSTS max-age too low or missing includeSubDomains |
| HTML references .map files |
| IDOR candidate parameter |
| Inline event handler built from dynamic data |
| Internal file path disclosure |
| Internal IP address leaked in response |
| Java stack trace |
| JavaScript includes sourceMappingURL |
| javascript: URL assigned to form action |
| javascript: URL assigned to formAction |
| javascript: URL assigned to href |
| javascript: URL assigned to iframe.src |
| javascript: URL navigated via location.href |
| JWT None Algorithm (Authorization header) |
| JWT None Algorithm (Cookie) |
| JWT None Algorithm (Form body param) |
| JWT None Algorithm (JSON body) |
| JWT Probe (Authorization + JWT cookies removed) |
| JWT Probe (Authorization header removed) |
| JWT Probe (JWT cookies removed) |
| JWT-like value in URL |
| localhost/127.0.0.1 referenced in response |
| Mapbox token exposed |
| Missing Content-Security-Policy header |
| Missing or invalid X-Content-Type-Options |
| Missing or weak Referrer-Policy |
| Missing Strict-Transport-Security header (on HTTPS) |
| Next.js build metadata exposed |
| Node.js / Express stack trace |
| OIDC well-known configuration observed |
| Open redirect candidate parameter |
| Open redirect via Navigation API |
| Open redirect via window.open |
| OpenAPI spec detected |
| OS Command Injection - Unix cat /etc/passwd (pipe) |
| PHP fatal error / warning |
| phpinfo endpoint observed |
| Potential .git exposure path observed |
| Potential backup file observed |
| Potentially authenticated content lacks no-store |
| Private key material exposed |
| Prototype pollution influenced fetch() init |
| Public-Key-Pins is deprecated |
| Python traceback |
| Response field rendered via document.write |
| Response field rendered via innerHTML |
| Review DOMParser.parseFromString with dynamic HTML/XML |
| Review uses of appendChild |
| Route-controlled history.replaceState |
| Route-controlled Navigation API transition |
| Same-origin URL mutations |
| security.txt observed |
| Sensitive cookies missing security flags |
| Sentry DSN exposed |
| Server banner discloses software/version |
| Slack token pattern |
| Social Security Number |
| SPA hash DOM XSS |
| Spring Boot actuator endpoint observed |
| SQL Injection - Double Quote (after) |
| SQL Injection - Double Quote (before) |
| SQL Injection - Single Quote (after) |
| SQL Injection - Single Quote (before) |
| SSRF / webhook URL candidate parameter |
| Strict-Transport-Security sent over HTTP (ineffective) |
| Stripe publishable key exposed |
| Swagger UI detected |
| Swagger/OpenAPI path observed |
| template.innerHTML with dynamic content |
| Webpack dev-server / hot reload artifacts |
| ws:// from HTTPS context |
| X-Powered-By header or equivalent present |
| X-XSS-Protection header is a legacy directive |
| XSS - Img onerror |
| XSS - Script tag after noscript tag |
| XSS - Svg tag with animation event |
| XSS - Unfiltered `<script>` tag |