Authentication & Access Control
- Login, SSO and MFA bypass testing
- Session management and token handling
- Privilege escalation and IDOR/BOLA testing
- Role and tenant isolation review
Injection & Input Handling
- SQL, NoSQL, command and template injection
- Cross-site scripting and SSRF
- Deserialization and file-upload flaws
- Input validation across web and API layers
Business Logic & Data Security
- Workflow bypass, race conditions and abuse cases
- Mass assignment and excessive data exposure
- Sensitive data leakage in responses and logs
- Transaction and approval-flow tampering
Components, Config & Standards
- Vulnerable & outdated components (SCA, 20,000+ CVEs)
- Security headers, CORS, CSP and TLS review
- API and microservice endpoint testing
- Alignment with OWASP Top 10 and SANS Top 25