# What Issues Can Aikido Pentest Find?

Understand the main issue classes Aikido Pentest can validate during a run.

### Core web and API risks

We cover the high-impact issues that most often lead to real breaches.

* **BOLA / IDOR (Cross-Tenant Data Leakage)**
  * Broken Object Level Authorization and Insecure Direct Object References. We verify that User A cannot access User B’s private data (e.g., changing an ID in an API call).
* **Broken Access Control**
  * Privilege escalation (vertical) and unauthorized access to admin functions.
* **Injection Flaws**
  * Classic SQL Injection (SQLi) and related database query injection flaws.
* **Command Injection / Remote Code Execution (RCE)**
  * Detecting whether untrusted input reaches a shell or OS command and executes on the server.
* **Cross-Site Scripting (XSS)**
  * Comprehensive scanning for stored and reflected XSS.
* **Authentication Failures**
  * Weak password policies, susceptibility to credential stuffing, cookie integrity issues, absence of rate limiting, and session management failures.
* **Server-Side Request Forgery (SSRF)**
  * Tricking the server into making requests to internal resources or external systems.
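The BOLA / IDOR check above is the one most worth seeing end to end. The following is an added example, not Aikido's own code: a minimal in-memory "API" with the vulnerable handler beside the hardened one, and the cross-tenant probe that a pentest runs against it (authenticate as one user, confirm access to your own object, then replay the same request with another tenant's ID). The invoice data, user names and the `Session` type are constructed for the demo.

```python
"""Added example, not Aikido's own code: a minimal in-memory API that shows the
cross-tenant probe a BOLA/IDOR check performs, with the vulnerable handler beside
the hardened one. All data and names are constructed for the demo."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data: two tenants' invoices keyed by a sequential, guessable ID.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 980.00},
}


@dataclass(frozen=True)
class Session:
    """An authenticated caller. Assume the session itself was validated upstream."""
    user: str


def get_invoice_vulnerable(session: Session, invoice_id: int) -> tuple[int, dict | None]:
    """Authenticates but never authorizes: any logged-in user can read any invoice."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice


def get_invoice_hardened(session: Session, invoice_id: int) -> tuple[int, dict | None]:
    """Object-level authorization: the record must belong to the caller.
    Foreign objects get 404 rather than 403 so the endpoint does not confirm
    that the ID exists (otherwise the status code becomes an enumeration oracle)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session.user:
        return 404, None
    return 200, invoice


def idor_probe(handler, session: Session, own_id: int, foreign_id: int) -> bool:
    """The check a pentest runs: confirm the caller can read its own object, then
    replay the same request with another tenant's ID on the same session.
    Returns True when cross-tenant data came back (a finding), False otherwise."""
    baseline_status, _ = handler(session, own_id)
    if baseline_status != 200:
        raise RuntimeError("baseline request failed; the probe is inconclusive")
    status, body = handler(session, foreign_id)
    return status == 200 and body is not None and body["owner"] != session.user


if __name__ == "__main__":
    alice = Session("alice")
    print("vulnerable leaks:", idor_probe(get_invoice_vulnerable, alice, 1001, 1002))  # True
    print("hardened leaks:  ", idor_probe(get_invoice_hardened, alice, 1001, 1002))    # False
```

The baseline request matters: without it, a 404 on the foreign ID could just as well mean the endpoint is broken, and the probe would report a false negative.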

### Agentic application risks

If your scope includes copilots, AI agents, or tool-using LLM workflows, we also test the main risks from the [OWASP Top 10 for Agentic Applications](https://help.aikido.dev/pentests/coverage-and-findings/what-issues-can-aikido-pentest-find/owasp-top-10-for-agentic-applications).

That includes:

* **Prompt injection**
* **Sensitive data leakage**
* **Excessive agency**
* **Insecure tool use**
* **Insecure output handling**
* **Memory poisoning**
* **Retrieval abuse**
* **Authorization failures in agent actions**
* **Resource exhaustion**
* **Integration and supply chain risk**

Use the dedicated child page for the full breakdown and examples.

### Additional exploit paths

Beyond the basics, we probe for complex vulnerabilities that often slip through standard scanners.

* **Business Logic Errors**
  * Flaws in application workflows that allow bypasses (e.g., skipping payment steps) and complex input validation errors.
* **Exotic Injections**
  * NoSQLi, LDAP Injection, XPath Injection, and Server-Side Template Injection (SSTI).
* **Files & Misconfigurations**
  * Scanning for file system risks including Local File Inclusion (LFI), Unrestricted File Uploads, Directory Listing, and Error Leakage.
* **Insecure Deserialization**
  * Manipulating serialized objects so that deserializing them executes attacker-controlled code.
* **Web Cache Poisoning**
  * Manipulating caching mechanisms to serve harmful content to other users.
* **Client-Side Attacks**
  * CSRF, Open Redirects, and DOM-based vulnerabilities such as DOM XSS (stored and reflected XSS are covered under core risks above).
* **Cryptographic Failures**
  * Use of broken algorithms, weak or unverified JWT signatures (for example, tokens with `alg: none` accepted, or a guessable HMAC secret), hard-coded credentials, and sensitive data exposure.
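To make the "weak signatures (JWT)" item concrete, here is an added example that is not Aikido's own code. It uses only the Python standard library and shows three things a pentest checks on an HS256 token: whether a verifier that trusts the token's own `alg` header accepts an unsigned `alg: none` token, what a hardened verifier does instead (pins the algorithm, requires a signature, compares in constant time), and an offline dictionary attack on a weak HMAC secret. The key, claims and wordlist are constructed for the demo.

```python
"""Added example, not Aikido's own code: how a weak-JWT-signature check works.
Sample key, wordlist and claims are constructed for the demo. Only the standard
library is used; the hardened verifier is what a real library should do for HS256."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-that-is-not-in-any-wordlist"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a correctly signed HS256 token (the server side)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker step: keep the claims, edit them, set alg=none and drop the signature."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(new_claims)
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(claims) + "."


def verify_naive(token: str, key: bytes) -> dict | None:
    """The vulnerable pattern: the algorithm is taken from the attacker-controlled header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))  # accepted with no signature at all
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if b64url_encode(expected) == sig_b64:  # plain string compare, not constant-time
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes) -> dict | None:
    """Pin the algorithm server-side, require a signature, compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        given = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(b64url_decode(payload_b64))


def crack_weak_secret(token: str, wordlist: list[bytes]) -> bytes | None:
    """Offline guess of the HMAC key: a token signed with a dictionary word is as
    good as unsigned. Returns the recovered key or None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for candidate in wordlist:
        if hmac.compare_digest(hmac.new(candidate, signing_input, hashlib.sha256).digest(), target):
            return candidate
    return None
```

A token's signature is public, so the dictionary attack needs no interaction with the target once a single token has been captured; that is why a short or default secret is treated as a critical finding rather than a hardening note.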

### Hardening checks

We assess whether essential defensive controls are correctly implemented and resilient against common bypass techniques. This includes identifying missing, weak, or misconfigured protections that increase exploitability even when no single vulnerability is present.

**Our hardening checks include:**

* **GraphQL hardening gaps** – missing depth, complexity, or query cost limits; introspection exposure in production.
* **CORS misconfigurations** – overly permissive origins, credentials misuse, and unsafe wildcard configurations.
* **TLS & transport security issues** – weak cipher suites, outdated protocol versions, improper certificate chains, and missing HSTS.
* **HTTP security headers** – absent or misconfigured headers such as CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
* **Rate limiting & abuse protection** – missing or ineffective controls on authentication, APIs, and sensitive endpoints.
* **Security defaults & environment exposure** – debug modes, verbose error handling, and non-hardened production settings.
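Two of the checks above can be shown as code. The following is an added example, not Aikido's own code: a CORS assessment of the response to a request sent with an attacker-chosen `Origin` (with a typical suffix-matching server bug beside an exact-match allowlist), and an audit of the security headers listed above, including the caveat that a `Content-Security-Policy` with `frame-ancestors` is an acceptable substitute for `X-Frame-Options`. The allowlist, probe origins and sample responses are constructed for the demo.

```python
"""Added example, not Aikido's own code: two checks a hardening review runs against
HTTP responses. The allowlist, probe origins and sample responses are constructed."""
from __future__ import annotations

ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed allowlist for the demo


def cors_suffix_match(origin: str | None) -> dict[str, str]:
    """Typical broken server logic: 'ends with our domain' also admits
    https://evil-example.com, and it sends credentials along."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_hardened(origin: str | None) -> dict[str, str]:
    """Exact-match allowlist including the scheme; never reflect, never allow 'null'."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}  # keep caches from serving one origin's ACAO to another
    return {}


def assess_cors(probe_origin: str, response: dict[str, str]) -> str:
    """Classify the response to a request sent with an attacker-chosen Origin."""
    acao = response.get("Access-Control-Allow-Origin")
    creds = response.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "origin not allowed"
    if acao == "*":
        return "wildcard origin" + (" with credentials" if creds else "")
    if acao == probe_origin:  # includes the 'null' origin reachable from sandboxed iframes
        return "reflects attacker origin" + (" with credentials" if creds else "")
    return f"allows fixed origin {acao}"


# Header name -> predicate that decides whether the value is acceptably strict.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "Content-Security-Policy": lambda v: "default-src" in v or "script-src" in v,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "Referrer-Policy": lambda v: v.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
    "Permissions-Policy": lambda v: bool(v.strip()),
}


def audit_headers(response: dict[str, str]) -> list[str]:
    """Report absent or weakly-set hardening headers (header names are case-insensitive)."""
    lower = {k.lower(): v for k, v in response.items()}
    findings = []
    for name, acceptable in REQUIRED_HEADERS.items():
        value = lower.get(name.lower())
        if value is None:
            # CSP frame-ancestors is the modern replacement for X-Frame-Options.
            if name == "X-Frame-Options" and "frame-ancestors" in lower.get("content-security-policy", ""):
                continue
            findings.append(f"missing {name}")
        elif not acceptable(value):
            findings.append(f"weak {name}: {value}")
    return findings


# Constructed sample responses.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```

The CORS probe deliberately sends origins the target should never trust (a look-alike domain and `null`); if either comes back reflected together with `Access-Control-Allow-Credentials: true`, any site the victim visits can read their authenticated responses, which is what turns a header misconfiguration into a cross-tenant data leak.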

Fixing these findings reduces attack surface and removes the links an attacker needs to chain “low-risk” issues into a real compromise.

### Compliance

Running this pentest satisfies technical controls for **SOC 2 Type II, ISO 27001, and HIPAA**. You receive a detailed, auditor-ready report, and you can download a concrete example of the deliverables in our [sample pentest report](https://www.aikido.dev/attack/aipentest#report).

### Deep dives

<table data-view="cards"><thead><tr><th>Guide</th><th>What it covers</th><th data-hidden data-card-target data-type="content-ref">Target</th></tr></thead><tbody><tr><td><strong>Detecting IDOR Vulnerabilities</strong></td><td>A deeper look at one of the most common critical findings.</td><td><a href="what-issues-can-aikido-pentest-find/understanding-and-detecting-idor-vulnerabilities">understanding-and-detecting-idor-vulnerabilities</a></td></tr><tr><td><strong>OWASP Top 10 for Agentic Applications</strong></td><td>Dedicated coverage for copilots, AI agents, tools, memory, and retrieval risks.</td><td><a href="what-issues-can-aikido-pentest-find/owasp-top-10-for-agentic-applications">owasp-top-10-for-agentic-applications</a></td></tr></tbody></table>
