Coverage
Shannon focuses on exploitable findings that can be validated against a running application.
Current coverage
Section titled “Current coverage”- Broken Authentication
- Broken Authorization
- Injection
- Cross-Site Scripting
- Server-Side Request Forgery
Reporting philosophy
Section titled “Reporting philosophy”Shannon follows a proof-by-exploitation model. Findings that cannot be demonstrated with a working proof of concept are not included in the final report.
This reduces speculative noise, but it also means Shannon does not aim to report every possible security issue in a repository. It does not report on issues it cannot actively exploit, such as vulnerable third-party libraries, weak encryption algorithms, insecure configurations, and broad policy or static-analysis findings. Those static-analysis findings are the focus of Keygraph Code Security (SAST) on the Keygraph platform.
OWASP WSTG coverage
Section titled “OWASP WSTG coverage”This is the full OWASP Web Security Testing Guide checklist. A Yes marks controls Shannon reliably addresses. In practice detection often reaches beyond the marked rows, so the table understates coverage rather than overstating it. This table mirrors COVERAGE.md in the repository.
| Test ID | Test Name | Covered |
|---|---|---|
| WSTG-INFO | Information Gathering | |
| WSTG-INFO-01 | Search Engine Discovery for Information Leakage | |
| WSTG-INFO-02 | Fingerprint Web Server | Yes |
| WSTG-INFO-03 | Review Webserver Metafiles for Information Leakage | |
| WSTG-INFO-04 | Enumerate Applications on Webserver | |
| WSTG-INFO-05 | Review Webpage Content for Information Leakage | |
| WSTG-INFO-06 | Identify Application Entry Points | Yes |
| WSTG-INFO-07 | Map Execution Paths Through Application | Yes |
| WSTG-INFO-08 | Fingerprint Web Application Framework | Yes |
| WSTG-INFO-09 | Fingerprint Web Application | Yes |
| WSTG-INFO-10 | Map Application Architecture | Yes |
| WSTG-CONF | Configuration and Deploy Management | |
| WSTG-CONF-01 | Test Network Infrastructure Configuration | Yes |
| WSTG-CONF-02 | Test Application Platform Configuration | |
| WSTG-CONF-03 | Test File Extensions Handling for Sensitive Information | |
| WSTG-CONF-04 | Review Old Backup and Unreferenced Files | |
| WSTG-CONF-05 | Enumerate Infrastructure and Application Admin Interfaces | |
| WSTG-CONF-06 | Test HTTP Methods | |
| WSTG-CONF-07 | Test HTTP Strict Transport Security | |
| WSTG-CONF-08 | Test RIA Cross Domain Policy | |
| WSTG-CONF-09 | Test File Permission | |
| WSTG-CONF-10 | Test for Subdomain Takeover | Yes |
| WSTG-CONF-11 | Test Cloud Storage | |
| WSTG-CONF-12 | Testing for Content Security Policy | |
| WSTG-CONF-13 | Test Path Confusion | |
| WSTG-CONF-14 | Test Other HTTP Security Header Misconfigurations | |
| WSTG-IDNT | Identity Management | |
| WSTG-IDNT-01 | Test Role Definitions | Yes |
| WSTG-IDNT-02 | Test User Registration Process | Yes |
| WSTG-IDNT-03 | Test Account Provisioning Process | Yes |
| WSTG-IDNT-04 | Account Enumeration and Guessable User Account | Yes |
| WSTG-IDNT-05 | Weak or Unenforced Username Policy | Yes |
| WSTG-ATHN | Authentication | |
| WSTG-ATHN-01 | Credentials Transported over an Encrypted Channel | Yes |
| WSTG-ATHN-02 | Default Credentials | Yes |
| WSTG-ATHN-03 | Weak Lock Out Mechanism | Yes |
| WSTG-ATHN-04 | Bypassing Authentication Schema | Yes |
| WSTG-ATHN-05 | Vulnerable Remember Password | |
| WSTG-ATHN-06 | Browser Cache Weakness | |
| WSTG-ATHN-07 | Weak Password Policy | Yes |
| WSTG-ATHN-08 | Weak Security Question Answer | Yes |
| WSTG-ATHN-09 | Weak Password Change or Reset Functionalities | Yes |
| WSTG-ATHN-10 | Weaker Authentication in Alternative Channel | Yes |
| WSTG-ATHN-11 | Multi-Factor Authentication (MFA) | Yes |
| WSTG-ATHZ | Authorization | |
| WSTG-ATHZ-01 | Directory Traversal File Include | Yes |
| WSTG-ATHZ-02 | Bypassing Authorization Schema | Yes |
| WSTG-ATHZ-03 | Privilege Escalation | Yes |
| WSTG-ATHZ-04 | Insecure Direct Object References | Yes |
| WSTG-ATHZ-05 | OAuth Weaknesses | Yes |
| WSTG-SESS | Session Management | |
| WSTG-SESS-01 | Session Management Schema | Yes |
| WSTG-SESS-02 | Cookies Attributes | Yes |
| WSTG-SESS-03 | Session Fixation | Yes |
| WSTG-SESS-04 | Exposed Session Variables | |
| WSTG-SESS-05 | Cross Site Request Forgery | Yes |
| WSTG-SESS-06 | Logout Functionality | Yes |
| WSTG-SESS-07 | Session Timeout | Yes |
| WSTG-SESS-08 | Session Puzzling | |
| WSTG-SESS-09 | Session Hijacking | |
| WSTG-SESS-10 | JSON Web Tokens | Yes |
| WSTG-SESS-11 | Concurrent Sessions | |
| WSTG-INPV | Input Validation | |
| WSTG-INPV-01 | Reflected Cross Site Scripting | Yes |
| WSTG-INPV-02 | Stored Cross Site Scripting | Yes |
| WSTG-INPV-03 | HTTP Verb Tampering | |
| WSTG-INPV-04 | HTTP Parameter Pollution | |
| WSTG-INPV-05 | SQL Injection | Yes |
| WSTG-INPV-06 | LDAP Injection | |
| WSTG-INPV-07 | XML Injection | |
| WSTG-INPV-08 | SSI Injection | |
| WSTG-INPV-09 | XPath Injection | |
| WSTG-INPV-10 | IMAP SMTP Injection | |
| WSTG-INPV-11 | Code Injection | Yes |
| WSTG-INPV-12 | Command Injection | Yes |
| WSTG-INPV-13 | Format String Injection | |
| WSTG-INPV-14 | Incubated Vulnerabilities | |
| WSTG-INPV-15 | HTTP Splitting Smuggling | |
| WSTG-INPV-16 | HTTP Incoming Requests | |
| WSTG-INPV-17 | Host Header Injection | |
| WSTG-INPV-18 | Server-Side Template Injection | Yes |
| WSTG-INPV-19 | Server-Side Request Forgery | Yes |
| WSTG-INPV-20 | Mass Assignment | |
| WSTG-ERRH | Error Handling | |
| WSTG-ERRH-01 | Improper Error Handling | |
| WSTG-ERRH-02 | Stack Traces | |
| WSTG-CRYP | Cryptography | |
| WSTG-CRYP-01 | Weak Transport Layer Security | Yes |
| WSTG-CRYP-02 | Padding Oracle | |
| WSTG-CRYP-03 | Sensitive Information Sent Via Unencrypted Channels | Yes |
| WSTG-CRYP-04 | Weak Encryption | |
| WSTG-BUSL | Business Logic | |
| WSTG-BUSL-01 | Test Business Logic Data Validation | |
| WSTG-BUSL-02 | Test Ability to Forge Requests | |
| WSTG-BUSL-03 | Test Integrity Checks | |
| WSTG-BUSL-04 | Test for Process Timing | |
| WSTG-BUSL-05 | Test Number of Times a Function Can Be Used Limits | |
| WSTG-BUSL-06 | Test Circumvention of Work Flows | |
| WSTG-BUSL-07 | Test Defenses Against Application Misuse | |
| WSTG-BUSL-08 | Test Upload of Unexpected File Types | |
| WSTG-BUSL-09 | Test Upload of Malicious Files | |
| WSTG-BUSL-10 | Test Payment Functionality | |
| WSTG-CLNT | Client-side | |
| WSTG-CLNT-01 | DOM Based Cross Site Scripting | Yes |
| WSTG-CLNT-02 | JavaScript Execution | Yes |
| WSTG-CLNT-03 | HTML Injection | Yes |
| WSTG-CLNT-04 | Client-Side URL Redirect | Yes |
| WSTG-CLNT-05 | CSS Injection | |
| WSTG-CLNT-06 | Client-Side Resource Manipulation | |
| WSTG-CLNT-07 | Test Cross Origin Resource Sharing | |
| WSTG-CLNT-08 | Cross Site Flashing | |
| WSTG-CLNT-09 | Clickjacking | |
| WSTG-CLNT-10 | Testing WebSockets | |
| WSTG-CLNT-11 | Test Web Messaging | |
| WSTG-CLNT-12 | Test Browser Storage | Yes |
| WSTG-CLNT-13 | Cross Site Script Inclusion | Yes |
| WSTG-CLNT-14 | Reverse Tabnabbing | |
| WSTG-APIT | API | |
| WSTG-APIT-01 | API Reconnaissance | Yes |
| WSTG-APIT-02 | API Broken Object Level Authorization | Yes |
| WSTG-APIT-99 | Testing GraphQL | Yes |
Beyond Shannon Open Source
Section titled “Beyond Shannon Open Source”For organizations that need broader static and organizational coverage, the Keygraph platform adds Code Property Graph SAST, SCA with reachability, secrets, IaC and container scanning, black-box and grey-box testing, finding management, remediation, and verification.