Pynt Security Tests Coverage

This page describes the updated security test coverage provided by Pynt.

At a Glance: 🔐 Pynt offers comprehensive API security testing by leveraging real-world attack simulations and homegrown tests. It addresses key risks highlighted in the OWASP Top 10 while continuously enhancing its security scope.

Pynt Security Tests Coverage - Introduction

Pynt's security tests cover a wide range of vulnerabilities using real-world attack simulations and homegrown attack scenarios, ensuring robust API security. These tests align with:

Pynt goes beyond the OWASP Top 10, offering homegrown tests that identify gaps often missed by standard tools. These unique tests bolster your API's security by providing extra protection against potential threats. For detailed insights, see Pynt vs OWASP: Pynt’s Top-10 Focus.


Pynt continuously evolves to provide maximum security coverage. Pynt integrates seamlessly into your CI/CD pipeline, ensuring high accuracy and minimal false positives while safeguarding critical endpoints.

Pynt Test Cases

🛠️ Note: This list might be partial as it grows rapidly, so stay updated for expanded coverage!

| Test case | Category |
| --- | --- |
| [BL001] User data leakage to other users - Resource-ID authorization | Business Logic |
| [BL002] User data leakage to other users - User-ID authorization | Business Logic |
| [BL003] User data leakage to other users - Resource-ID and User-ID authorization | Business Logic |
| [BL004] User data leakage to other users - credentials authorization | Business Logic |
| [BL005] User data manipulation by other users - Resource-ID authorization | Business Logic |
| [BL006] User data manipulation by other users - User-ID authorization | Business Logic |
| [BL007] User data manipulation by other users - Resource-ID and User-ID authorization | Business Logic |
| [BL008] User data manipulation by other users - credentials authorization | Business Logic |
| [BL009] Guessable resource identifier | Business Logic |
| [INJ001] SQL Injection | Injections |
| [INJ002] MS-SQL Injection | Injections |
| [INJ003] MySQL Injection | Injections |
| [INJ004] SQLite Injection | Injections |
| [INJ005] PostgreSQL Injection | Injections |
| [INJ006] NoSQL Injection | Injections |
| [INJ007] Command Injection | Injections |
| [INJ008] Server-side template injection | Injections |
| [AB001] Ignored authentication token | Authentication bypass |
| [AB002] No signature validation in JWT | Authentication bypass |
| [AB003] JWT hashed without secret | Authentication bypass |
| [AB004] No signature in JWT | Authentication bypass |
| [AB005] Unsigned JWT | Authentication bypass |
| [MA001] Mass assignment by manipulation of hidden attributes | Mass Assignment |
| [MA002] Mass assignment by flag overloading | Mass Assignment |
| [SSRF001] Local file access | Server-Side request forgery |
| [ST001] Stack trace in response | Stack trace in response |
| [RES001] Resources limiting | Lack of Resources and Rate Limiting |
| [FM001] File path manipulation | File path manipulation |
| [GQL001] GraphQL introspection | GraphQL introspection Vulnerability |
| [GQL002] GraphQL Alias Overloading | GraphQL Alias Overloading |
| [LLM001] Direct prompt injection | LLM APIs Vulnerabilities |
| [LLM002] Prompt injection, alignment | LLM APIs Vulnerabilities |
| [LLM003] LLM Insecure output handling, type: XSS | LLM APIs Vulnerabilities |
| [LLM004] LLM Insecure output handling, type: SSRF | LLM APIs Vulnerabilities |
| [LLM005] LLM Insecure output handling, type: Markdown | LLM APIs Vulnerabilities |
| [TLS001] Insecure transport scheme | Insecure transport scheme |
| [AB006] Basic Authentication | Basic Authentication |
