# Pynt Security Tests Coverage {% hint style="success" %} **At a Glance**: 🔐 Pynt offers comprehensive API security testing by leveraging real-world attack simulations and homegrown tests. It addresses key risks highlighted in the **OWASP Top 10** while continuously enhancing its security scope. {% endhint %} ## Pynt Security Tests Coverage - Introduction Pynt's security tests cover a wide range of vulnerabilities using **real-world attack simulations** and **homegrown attack scenarios**, ensuring robust API security. These tests align with: * [**OWASP Top 10 for APIs**](https://owasp.org/www-project-api-security/): Tackling API-specific risks like broken authentication and data exposure. * [**OWASP Top 10 for Web Applications**](https://owasp.org/www-project-top-ten/): Covering general web vulnerabilities such as injection attacks. * [**OWASP Top 10 for LLMs**](https://owasp.org/www-project-top-10-for-large-language-model-applications/): Addressing emerging threats in large language models. Pynt goes beyond the **OWASP Top 10**, offering **homegrown tests** that identify gaps often missed by standard tools. These unique tests bolster your API's security by providing extra protection against potential threats. Learn more at [Pynt vs OWASP: Pynt’s Top-10 Focus](https://www.pynt.io/resources-hub/guides-and-reports/pynt-vs-owasp-pynt-top-10-api-vulnerabilties), for detailed insights. *** Pynt continuously evolves to provide maximum security coverage. Pynt integrates seamlessly into your CI/CD pipeline, ensuring high accuracy and minimal false positives while safeguarding critical endpoints. ## Pynt Test Cases {% hint style="info" %} 🛠️ **Note**: This list might be **partial** as it grows rapidly, so stay updated for expanded coverage! {% endhint %}
Test caseCategory
[BL001] User data leakage to other users - Resource-ID authorizationBusiness Logic
[BL002] User data leakage to other users - User-ID authorizationBusiness Logic
[BL003] User data leakage to other users - Resource-ID and User-ID authorizationBusiness Logic
[BL004] User data leakage to other users - credentials authorizationBusiness Logic
[BL005] User data manipulation by other users - Resource-ID authorizationBusiness Logic
[BL006] User data manipulation by other users - User-ID authorizationBusiness Logic
[BL007] User data manipulation by other users - Resource-ID and User-ID authorizationBusiness Logic
[BL008] User data manipulation by other users - credentials authorizationBusiness Logic
[BL009] Guessable resource identifierBusiness Logic
[INJ001] SQL InjectionInjections
[INJ002] MS-SQL InjectionInjections
[INJ003] MySQL InjectionInjections
[INJ004] SQLite InjectionInjections
[INJ005] PostgreSQL InjectionInjections
[INJ006] NoSQL InjectionInjections
[INJ007] Command InjectionInjections
[INJ008] Server-side template injectionInjections
[AB001] Ignored authentication tokenAuthentication bypass
[AB002] No signature validation in JWTAuthentication bypass
[AB003] JWT hashed without secretAuthentication bypass
[AB004] No signature in JWTAuthentication bypass
[AB005] Unsigned JWTAuthentication bypass
[MA001] Mass assignment by manipulation of hidden attributesMass Assignment
[MA002] Mass assignment by flag overloadingMass Assignment
[SSRF001] Local file accessServer-Side request forgery
[ST001] Stack trace in responseStack trace in response
[RES001] Resources limitingLack of Resources and Rate Limiting
[FM001] File path manipulationFile path manipulation
[GQL001] GraphQL introspectionGraphQL introspection Vulnerability
[GQL002] GraphQL Alias OverloadingGraphQL Alias Overloading
[LLM001] Direct prompt injectionLLM APIs Vulnerabilities
[LLM002] Prompt injection, alignmentLLM APIs Vulnerabilities
[LLM003] LLM Insecure output handling, type: XSSLLM APIs Vulnerabilities
[LLM004] LLM Insecure output handling, type: SSRFLLM APIs Vulnerabilities
[LLM005] LLM Insecure output handling, type: MarkdownLLM APIs Vulnerabilities
[TLS001] Insecure transport schemeInsecure transport scheme
[AB006] Basic AuthenticationBasic Authentication