Authentication & Access Control
- Login, SSO and MFA bypass testing
- Session management and token handling
- Privilege escalation and IDOR/BOLA testing
- Role and tenant isolation review
Injection & Input Handling
- SQL, NoSQL, command and template injection
- Cross-site scripting and SSRF
- Vulnerabilidades de deserialización y de carga de archivos
- Input validation across web and API layers
Business Logic & Data Security
- Workflow bypass, race conditions and abuse cases
- Mass assignment and excessive data exposure
- Sensitive data leakage in responses and logs
- Transaction and approval-flow tampering
Components, Config & Standards
- Vulnerable & outdated components (SCA, 20,000+ CVEs)
- Revisión de headers de seguridad, CORS, CSP y TLS
- API and microservice endpoint testing
- Alignment with OWASP Top 10 and SANS Top 25