When an API is called with a parameter value set to patterns associated with known attacks that can cause critical/high severity damage, the API returns 200 OK with data. It appears that the application not only processes the fuzzed parameter but is also at risk of leaking data.
When an API is called with a parameter value set to patterns associated with known attacks that can cause medium/low severity damage, the API returns 200 OK with data. It appears that the application not only processes the fuzzed parameter but is also at risk of leaking data.
When an API is called with a parameter value set to patterns associated with known attacks that can cause critical/high severity damage, the API returns 200 OK with no data. Although the application does not appear to be at risk of leaking data, it may still have processed the fuzzed input, which can cause subsequent security issues.
When an API is called with a parameter value set to patterns associated with known attacks that can cause medium/low severity damage, the API returns 200 OK with no data. Although the application does not appear to be at risk of leaking data, it may still have processed the fuzzed input, which can cause subsequent security issues.
API | Category | Tests | Request/Response |
---|---|---|---|
{{api}} | {{each_record.get('attack', '-')}} | {{each_record.get('pri', '-')}} {{each_record.get('count', '-')}} {{each_record.get('classification', '-')}} | {{each_record.get('testinput', '-')}} |