What Issues Can Aikido Pentest Find?

OWASP Top 10 & Critical Risks

We cover the full OWASP Top 10, prioritizing the high-impact issues that actually cause data breaches.

  • BOLA / IDOR (Cross-Tenant Data Leakage)

    • Broken Object Level Authorization and Insecure Direct Object References. We verify that User A cannot access User B’s private data (e.g., changing an ID in an API call).

  • Broken Access Control

    • Privilege escalation (vertical) and unauthorized access to admin functions.

  • Injection Flaws

    • Classic SQL Injection (SQLi)

    • Command Injection / Remote Code Execution (RCE)

    • Cross-Site Scripting (XSS)

  • Authentication Failures

    • Weak password policies, credential stuffing, and session management failures.

  • Server-Side Request Forgery (SSRF)

    • Tricking the server into making requests to internal resources or external systems.
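The BOLA/IDOR check described above, as an added example (not Aikido's code or test harness): a minimal in-memory "invoices" API with the defect beside its fix, plus the cross-tenant check that a pentest, or your own test suite, runs against each handler. The invoice records, user IDs and handler names are constructed for illustration.

```python
# Added example, not from the original page: object-level authorization
# (BOLA/IDOR) shown as a vulnerable handler, its hardened form, and the
# cross-tenant check that distinguishes them.
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two tenants, each owning one invoice.
INVOICES = {
    101: {"owner_id": "user_a", "amount": 120.00},
    102: {"owner_id": "user_b", "amount": 980.00},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_invoice_vulnerable(session_user_id: str, invoice_id: int) -> Response:
    """Looks the object up by the client-supplied ID only. Any authenticated
    user who changes the ID in the request reads another tenant's invoice."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return Response(404)
    return Response(200, invoice)


def get_invoice_hardened(session_user_id: str, invoice_id: int) -> Response:
    """Object-level authorization: ownership is compared against the identity
    taken from the server-side session, never against anything the client
    sends. Answering 404 instead of 403 avoids confirming that the ID exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner_id"] != session_user_id:
        return Response(404)
    return Response(200, invoice)


def has_cross_tenant_leak(handler: Callable[[str, int], Response]) -> bool:
    """The check itself: act as User A, request every object owned by someone
    else, and report whether any such request succeeds."""
    for invoice_id, invoice in INVOICES.items():
        if invoice["owner_id"] == "user_a":
            continue  # User A's own data is supposed to be readable
        if handler("user_a", invoice_id).status == 200:
            return True
    return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", has_cross_tenant_leak(get_invoice_vulnerable))  # True
    print("hardened handler leaks:  ", has_cross_tenant_leak(get_invoice_hardened))    # False
```

Run as a unit test, `has_cross_tenant_leak` fails the build the moment a handler drops its ownership check, which is the same regression a pentester would report after the fact.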

Advanced & Niche Attack Vectors

Beyond the basics, we probe for complex vulnerabilities that often slip through standard scanners.

  • Business Logic Errors: Flaws in application workflows that allow bypasses (e.g., skipping payment steps).

  • Exotic Injections: LDAP Injection, XPath Injection, and Server-Side Template Injection (SSTI).

  • Insecure Deserialization: Executing malicious code by manipulating serialized objects.

  • Web Cache Poisoning: Manipulating caching mechanisms to serve harmful content to other users.

  • Client-Side Attacks: Cross-Site Scripting (XSS), CSRF, and Open Redirects.

  • Cryptographic Failures: Use of broken algorithms, weak signatures (JWT), or hard-coded credentials.

Compliance

Running this pentest satisfies technical controls for SOC 2 Type II, ISO 27001, and HIPAA. You get a detailed report ready for auditors.
