What Issues Can Aikido Pentest Find?

OWASP Top 10 & Critical Risks

We cover the full OWASP Top 10, prioritizing the high-impact issues that actually cause data breaches.

  • BOLA / IDOR (Cross-Tenant Data Leakage)

    • Broken Object Level Authorization and Insecure Direct Object References. We verify that User A cannot access User B’s private data (e.g., changing an ID in an API call).

  • Broken Access Control

    • Privilege escalation (vertical) and unauthorized access to admin functions.

  • Injection Flaws

    • Classic SQL Injection (SQLi) and other database injection flaws.

  • Command Injection / Remote Code Execution (RCE)

    • Detecting whether untrusted input can reach system command execution or other OS-level directives.

  • Cross-Site Scripting (XSS)

    • Comprehensive scanning for stored and reflected XSS.

  • Authentication Failures

    • Weak password policies, credential stuffing, cookie integrity issues, absence of rate limiting and session management failures.

  • Server-Side Request Forgery (SSRF)

    • Tricking the server into making requests to internal resources or external systems.

Advanced & Niche Attack Vectors

Beyond the basics, we probe for complex vulnerabilities that often slip through standard scanners.

  • LLM & Prompt Injection

    • Securing AI integrations against manipulation. We detect prompt injection, jailbreaking, and attempts to leak system context.

  • Business Logic Errors

    • Flaws in application workflows that allow bypasses (e.g., skipping payment steps) and complex input validation errors.

  • Exotic Injections

    • NoSQLi, LDAP Injection, XPath Injection, and Server-Side Template Injection (SSTI).

  • Files & Misconfigurations

    • Scanning for file system risks including Local File Inclusion (LFI), Unrestricted File Uploads, Directory Listing, and Error Leakage.

  • Insecure Deserialization

    • Detecting whether manipulated serialized objects can be used to execute malicious code.

  • Web Cache Poisoning

    • Manipulating caching mechanisms to serve harmful content to other users.

  • Client-Side Attacks

    • Cross-Site Scripting (XSS), CSRF, Open Redirects, and DOM-based vulnerabilities.

  • Cryptographic Failures

    • Use of broken algorithms, weak signatures (JWT), hard-coded credentials, and sensitive data exposure.

Compliance

Running this pentest satisfies technical controls for SOC 2 Type II, ISO 27001, and HIPAA. You get a detailed report ready for auditors.
