Skip to content

Coverage

Shannon focuses on exploitable findings that can be validated against a running application.

  • Broken Authentication
  • Broken Authorization
  • Injection
  • Cross-Site Scripting
  • Server-Side Request Forgery

Shannon follows a proof-by-exploitation model. Findings that cannot be demonstrated with a working proof of concept are not included in the final report.

This reduces speculative noise, but it also means Shannon does not aim to report every possible security issue in a repository. It does not report on issues it cannot actively exploit, such as vulnerable third-party libraries, weak encryption algorithms, insecure configurations, and broad policy or static-analysis findings. Those static-analysis findings are the focus of Keygraph Code Security (SAST) on the Keygraph platform.

This is the full OWASP Web Security Testing Guide checklist. A Yes marks controls Shannon reliably addresses. In practice detection often reaches beyond the marked rows, so the table understates coverage rather than overstating it. This table mirrors COVERAGE.md in the repository.

Test IDTest NameCovered
WSTG-INFOInformation Gathering
WSTG-INFO-01Search Engine Discovery for Information Leakage
WSTG-INFO-02Fingerprint Web ServerYes
WSTG-INFO-03Review Webserver Metafiles for Information Leakage
WSTG-INFO-04Enumerate Applications on Webserver
WSTG-INFO-05Review Webpage Content for Information Leakage
WSTG-INFO-06Identify Application Entry PointsYes
WSTG-INFO-07Map Execution Paths Through ApplicationYes
WSTG-INFO-08Fingerprint Web Application FrameworkYes
WSTG-INFO-09Fingerprint Web ApplicationYes
WSTG-INFO-10Map Application ArchitectureYes
WSTG-CONFConfiguration and Deploy Management
WSTG-CONF-01Test Network Infrastructure ConfigurationYes
WSTG-CONF-02Test Application Platform Configuration
WSTG-CONF-03Test File Extensions Handling for Sensitive Information
WSTG-CONF-04Review Old Backup and Unreferenced Files
WSTG-CONF-05Enumerate Infrastructure and Application Admin Interfaces
WSTG-CONF-06Test HTTP Methods
WSTG-CONF-07Test HTTP Strict Transport Security
WSTG-CONF-08Test RIA Cross Domain Policy
WSTG-CONF-09Test File Permission
WSTG-CONF-10Test for Subdomain TakeoverYes
WSTG-CONF-11Test Cloud Storage
WSTG-CONF-12Testing for Content Security Policy
WSTG-CONF-13Test Path Confusion
WSTG-CONF-14Test Other HTTP Security Header Misconfigurations
WSTG-IDNTIdentity Management
WSTG-IDNT-01Test Role DefinitionsYes
WSTG-IDNT-02Test User Registration ProcessYes
WSTG-IDNT-03Test Account Provisioning ProcessYes
WSTG-IDNT-04Account Enumeration and Guessable User AccountYes
WSTG-IDNT-05Weak or Unenforced Username PolicyYes
WSTG-ATHNAuthentication
WSTG-ATHN-01Credentials Transported over an Encrypted ChannelYes
WSTG-ATHN-02Default CredentialsYes
WSTG-ATHN-03Weak Lock Out MechanismYes
WSTG-ATHN-04Bypassing Authentication SchemaYes
WSTG-ATHN-05Vulnerable Remember Password
WSTG-ATHN-06Browser Cache Weakness
WSTG-ATHN-07Weak Password PolicyYes
WSTG-ATHN-08Weak Security Question AnswerYes
WSTG-ATHN-09Weak Password Change or Reset FunctionalitiesYes
WSTG-ATHN-10Weaker Authentication in Alternative ChannelYes
WSTG-ATHN-11Multi-Factor Authentication (MFA)Yes
WSTG-ATHZAuthorization
WSTG-ATHZ-01Directory Traversal File IncludeYes
WSTG-ATHZ-02Bypassing Authorization SchemaYes
WSTG-ATHZ-03Privilege EscalationYes
WSTG-ATHZ-04Insecure Direct Object ReferencesYes
WSTG-ATHZ-05OAuth WeaknessesYes
WSTG-SESSSession Management
WSTG-SESS-01Session Management SchemaYes
WSTG-SESS-02Cookies AttributesYes
WSTG-SESS-03Session FixationYes
WSTG-SESS-04Exposed Session Variables
WSTG-SESS-05Cross Site Request ForgeryYes
WSTG-SESS-06Logout FunctionalityYes
WSTG-SESS-07Session TimeoutYes
WSTG-SESS-08Session Puzzling
WSTG-SESS-09Session Hijacking
WSTG-SESS-10JSON Web TokensYes
WSTG-SESS-11Concurrent Sessions
WSTG-INPVInput Validation
WSTG-INPV-01Reflected Cross Site ScriptingYes
WSTG-INPV-02Stored Cross Site ScriptingYes
WSTG-INPV-03HTTP Verb Tampering
WSTG-INPV-04HTTP Parameter Pollution
WSTG-INPV-05SQL InjectionYes
WSTG-INPV-06LDAP Injection
WSTG-INPV-07XML Injection
WSTG-INPV-08SSI Injection
WSTG-INPV-09XPath Injection
WSTG-INPV-10IMAP SMTP Injection
WSTG-INPV-11Code InjectionYes
WSTG-INPV-12Command InjectionYes
WSTG-INPV-13Format String Injection
WSTG-INPV-14Incubated Vulnerabilities
WSTG-INPV-15HTTP Splitting Smuggling
WSTG-INPV-16HTTP Incoming Requests
WSTG-INPV-17Host Header Injection
WSTG-INPV-18Server-Side Template InjectionYes
WSTG-INPV-19Server-Side Request ForgeryYes
WSTG-INPV-20Mass Assignment
WSTG-ERRHError Handling
WSTG-ERRH-01Improper Error Handling
WSTG-ERRH-02Stack Traces
WSTG-CRYPCryptography
WSTG-CRYP-01Weak Transport Layer SecurityYes
WSTG-CRYP-02Padding Oracle
WSTG-CRYP-03Sensitive Information Sent Via Unencrypted ChannelsYes
WSTG-CRYP-04Weak Encryption
WSTG-BUSLBusiness Logic
WSTG-BUSL-01Test Business Logic Data Validation
WSTG-BUSL-02Test Ability to Forge Requests
WSTG-BUSL-03Test Integrity Checks
WSTG-BUSL-04Test for Process Timing
WSTG-BUSL-05Test Number of Times a Function Can Be Used Limits
WSTG-BUSL-06Test Circumvention of Work Flows
WSTG-BUSL-07Test Defenses Against Application Misuse
WSTG-BUSL-08Test Upload of Unexpected File Types
WSTG-BUSL-09Test Upload of Malicious Files
WSTG-BUSL-10Test Payment Functionality
WSTG-CLNTClient-side
WSTG-CLNT-01DOM Based Cross Site ScriptingYes
WSTG-CLNT-02JavaScript ExecutionYes
WSTG-CLNT-03HTML InjectionYes
WSTG-CLNT-04Client-Side URL RedirectYes
WSTG-CLNT-05CSS Injection
WSTG-CLNT-06Client-Side Resource Manipulation
WSTG-CLNT-07Test Cross Origin Resource Sharing
WSTG-CLNT-08Cross Site Flashing
WSTG-CLNT-09Clickjacking
WSTG-CLNT-10Testing WebSockets
WSTG-CLNT-11Test Web Messaging
WSTG-CLNT-12Test Browser StorageYes
WSTG-CLNT-13Cross Site Script InclusionYes
WSTG-CLNT-14Reverse Tabnabbing
WSTG-APITAPI
WSTG-APIT-01API ReconnaissanceYes
WSTG-APIT-02API Broken Object Level AuthorizationYes
WSTG-APIT-99Testing GraphQLYes

For organizations that need broader static and organizational coverage, the Keygraph platform adds Code Property Graph SAST, SCA with reachability, secrets, IaC and container scanning, black-box and grey-box testing, finding management, remediation, and verification.