Bug Bounty Notes - Just notes

Editing is locked. Unlock with an edit token →

Global Manual Bug Bounty Checklist

Purpose: A target-agnostic, manual-first checklist for authorized web, API, SaaS, identity, business-logic, integration, and client-side testing.

Important: No checklist can guarantee a valid or paid bug. A report must be in scope, reproducible, non-duplicate, and show real security impact. This checklist is designed to maximize coverage, discipline, and evidence quality.


How to use this checklist

  • USE-001 — Read the live program policy before the first request of every session.
  • USE-002 — Test only explicitly authorized assets and vulnerability classes.
  • USE-003 — Use only accounts, organizations, projects, repositories, tenants, files, records, payments, and data you control.
  • USE-004 — Create unique canary values for every private object used in testing.
  • USE-005 — Capture an authorized baseline before altering any request.
  • USE-006 — Change one variable at a time: identity, role, object, tenant, method, field, state, timing, or transport.
  • USE-007 — Write the expected secure behavior before sending the modified request.
  • USE-008 — Save the sanitized request, response, role, object ownership, timestamp, and cleanup action.
  • USE-009 — Mark checks N/A only with a written reason.
  • USE-010 — Stop immediately if unrelated private data appears.
  • USE-011 — Do not perform denial-of-service, destructive actions, spam, credential stuffing, social engineering, or uncontrolled automation.
  • USE-012 — Use conservative request rates and small controlled datasets.
  • USE-013 — Prefer manual verification before writing any helper script.
  • USE-014 — Reproduce every candidate from a clean session.
  • USE-015 — Separate evidence collection from exploitation.
  • SCOPE-001 — Save the current program overview.
  • SCOPE-002 — Save the current scope table.
  • SCOPE-003 — Save the current rewards table.
  • SCOPE-004 — Save all exclusions.
  • SCOPE-005 — Record the policy last-updated date.
  • SCOPE-006 — Record the scope last-updated date.
  • SCOPE-007 — Record each eligible hostname, wildcard, mobile app, API, repository, and product.
  • SCOPE-008 — Record each explicitly ineligible hostname, wildcard, app, API, and third-party provider.
  • SCOPE-009 — Record maximum severity per asset.
  • SCOPE-010 — Record prohibited testing methods.
  • SCOPE-011 — Record automation limits.
  • SCOPE-012 — Record rate limits.
  • SCOPE-013 — Record account creation rules.
  • SCOPE-014 — Record required researcher aliases or headers.
  • SCOPE-015 — Record whether multiple controlled accounts are permitted.
  • SCOPE-016 — Record whether production testing is restricted.
  • SCOPE-017 — Record whether source-code review is permitted.
  • SCOPE-018 — Record whether mobile testing is permitted.
  • SCOPE-019 — Record whether cloud infrastructure is permitted.
  • SCOPE-020 — Record whether third-party integrations are excluded.
  • SCOPE-021 — Record disclosure requirements.
  • SCOPE-022 — Record safe-harbor wording.
  • SCOPE-023 — Record data-retention and evidence-handling requirements.
  • SCOPE-024 — Record rules for accidental sensitive-data exposure.
  • SCOPE-025 — Record rules for public zero-days.
  • SCOPE-026 — Record rules for social engineering.
  • SCOPE-027 — Record rules for brute force and rate limits.
  • SCOPE-028 — Record rules for automated scanning.
  • SCOPE-029 — Record rules for denial-of-service and resource exhaustion.
  • SCOPE-030 — Record rules for testing real customer data.
  • SCOPE-031 — Create a written stop procedure for accidental private-data access.
  • SCOPE-032 — Create a written stop procedure for instability.
  • SCOPE-033 — Create a written stop procedure for third-party traffic.
  • SCOPE-034 — Confirm all active scanners are disabled unless explicitly permitted.
  • SCOPE-035 — Confirm recursive crawlers and high-rate fuzzers are disabled.
  • SCOPE-036 — Confirm no destructive payloads are queued.
  • SCOPE-037 — Confirm Burp target scope contains only authorized assets.
  • SCOPE-038 — Confirm known third parties are excluded from active testing.
  • SCOPE-039 — Confirm logs and evidence do not store unredacted secrets.
  • SCOPE-040 — Confirm your source IP, VPN, or test environment complies with policy.

Workspace and evidence preparation

  • WORK-001 — Create directories for scope, notes, recon, requests, responses, evidence, Burp, scripts, reports, and secrets.
  • WORK-002 — Create a hunting log.
  • WORK-003 — Create an endpoint inventory.
  • WORK-004 — Create an account and role matrix.
  • WORK-005 — Create a hypotheses file.
  • WORK-006 — Create a report draft.
  • WORK-007 — Create a target-specific .gitignore.
  • WORK-008 — Protect secrets with restrictive permissions.
  • WORK-009 — Use separate browser profiles for each controlled identity.
  • WORK-010 — Use separate password-manager records for each identity.
  • WORK-011 — Use unique canaries for every sensitive test object.
  • WORK-012 — Use descriptive evidence filenames.
  • WORK-013 — Record browser version.
  • WORK-014 — Record operating system and tool versions.
  • WORK-015 — Record testing IP.
  • WORK-016 — Record session start and end time.
  • WORK-017 — Record every temporary token created.
  • WORK-018 — Record every temporary webhook or integration created.
  • WORK-019 — Record every disposable account and resource.
  • WORK-020 — Plan cleanup before testing state-changing features.

Controlled identity and tenant lab

  • LAB-001 — Create Account A as the highest-privileged controlled user.
  • LAB-002 — Create Account B as a lower-privileged controlled user.
  • LAB-003 — Create Account C as a complete outsider when policy permits.
  • LAB-004 — Enable MFA on all controlled accounts.
  • LAB-005 — Create Tenant or Organization A.
  • LAB-006 — Create Tenant or Organization B.
  • LAB-007 — Create private and public resources under each tenant.
  • LAB-008 — Create resources owned individually and by organizations.
  • LAB-009 — Create role states: owner, admin, manager, editor, contributor, viewer, guest, suspended, invited, removed.
  • LAB-010 — Create direct membership and group-derived membership states.
  • LAB-011 — Create external collaborator and internal member states.
  • LAB-012 — Create active and expired invitation states.
  • LAB-013 — Create pending email verification states.
  • LAB-014 — Create pending MFA enrollment states.
  • LAB-015 — Create stale sessions before role downgrade.
  • LAB-016 — Create stale sessions before membership removal.
  • LAB-017 — Create stale sessions before account suspension.
  • LAB-018 — Create stale API tokens before revocation.
  • LAB-019 — Create stale pagination cursors before revocation.
  • LAB-020 — Create renamed resources.
  • LAB-021 — Create transferred resources.
  • LAB-022 — Create archived resources.
  • LAB-023 — Create deleted and recreated names.
  • LAB-024 — Create public-to-private transitions.
  • LAB-025 — Create private-to-public transitions.
  • LAB-026 — Create trial, free, paid, and disabled feature states when available.
  • LAB-027 — Create objects with unique synthetic confidential content.
  • LAB-028 — Create disposable files and exports.
  • LAB-029 — Create disposable webhooks and API keys.
  • LAB-030 — Create branch, project, issue, ticket, message, comment, invoice, payment, subscription, and report objects when applicable.

Reconnaissance and attack-surface mapping

  • RECON-001 — Enumerate only authorized domains and subdomains.
  • RECON-002 — Resolve DNS records for in-scope hosts.
  • RECON-003 — Identify live HTTP services conservatively.
  • RECON-004 — Record HTTP status, title, technology hints, redirects, and TLS names.
  • RECON-005 — Map application entry points.
  • RECON-006 — Map authentication entry points.
  • RECON-007 — Map API base paths and versions.
  • RECON-008 — Map GraphQL endpoints.
  • RECON-009 — Map WebSocket and server-sent-event endpoints.
  • RECON-010 — Map file-upload and file-download endpoints.
  • RECON-011 — Map import, export, preview, conversion, and rendering endpoints.
  • RECON-012 — Map webhooks, callbacks, integrations, and URL-fetching features.
  • RECON-013 — Map password reset, invite, verification, and account recovery flows.
  • RECON-014 — Map billing, subscription, checkout, credit, refund, coupon, and plan flows.
  • RECON-015 — Map admin, support, moderation, impersonation, and audit features.
  • RECON-016 — Map search, autocomplete, filtering, sorting, pagination, and bulk actions.
  • RECON-017 — Map background jobs, queues, scheduled tasks, and asynchronous workflows.
  • RECON-018 — Map mobile and desktop application backends if in scope.
  • RECON-019 — Map API documentation and schema files.
  • RECON-020 — Map robots.txt, sitemap files, well-known paths, and public manifests.
  • RECON-021 — Map first-party JavaScript bundles.
  • RECON-022 — Search first-party bundles for API paths.
  • RECON-023 — Search first-party bundles for hidden routes.
  • RECON-024 — Search first-party bundles for feature flags.
  • RECON-025 — Search first-party bundles for role checks.
  • RECON-026 — Search first-party bundles for object names and enums.
  • RECON-027 — Search first-party bundles for storage keys.
  • RECON-028 — Search first-party bundles for GraphQL operations.
  • RECON-029 — Search first-party bundles for WebSocket URLs.
  • RECON-030 — Search first-party bundles for upload, export, webhook, and URL-fetching code.
  • RECON-031 — Record every method, path parameter, query parameter, body field, header, cookie, enum, cursor, and identifier.
  • RECON-032 — Record all first-party redirect targets.
  • RECON-033 — Record all third-party dependencies but do not test them unless authorized.
  • RECON-034 — Compare documented and observed endpoints.
  • RECON-035 — Compare current and legacy API versions.
  • RECON-036 — Record caching and CORS behavior.
  • RECON-037 — Record every place private data appears in frontend responses.
  • RECON-038 — Record every UI-only validation rule.
  • RECON-039 — Record every server-side validation rule inferred from responses.
  • RECON-040 — Build endpoint-to-role, endpoint-to-object, endpoint-to-token, endpoint-to-state, and endpoint-to-impact matrices.

Authentication and login

  • AUTHN-001 — Test login with missing credentials.
  • AUTHN-002 — Test login with empty credentials.
  • AUTHN-003 — Test login with invalid credentials.
  • AUTHN-004 — Test username and email case handling.
  • AUTHN-005 — Test leading and trailing whitespace.
  • AUTHN-006 — Test Unicode normalization in identifiers.
  • AUTHN-007 — Test multiple identifiers mapped to one account.
  • AUTHN-008 — Test unverified email login.
  • AUTHN-009 — Test disabled account login.
  • AUTHN-010 — Test suspended account login.
  • AUTHN-011 — Test deleted account login.
  • AUTHN-012 — Test invited but unregistered account login.
  • AUTHN-013 — Test expired invitation login.
  • AUTHN-014 — Test login after password reset.
  • AUTHN-015 — Test login after password change.
  • AUTHN-016 — Test login after email change.
  • AUTHN-017 — Test login after MFA enable and disable.
  • AUTHN-018 — Test login after session revocation.
  • AUTHN-019 — Test login from multiple browser profiles.
  • AUTHN-020 — Test simultaneous controlled logins for identity mix-ups.
  • AUTHN-021 — Test login CSRF where the flow exists and impact can be demonstrated.
  • AUTHN-022 — Test session fixation using only controlled accounts.
  • AUTHN-023 — Verify session identifier rotation after login.
  • AUTHN-024 — Verify session identifier rotation after privilege change.
  • AUTHN-025 — Verify logout invalidates the server-side session.
  • AUTHN-026 — Verify logout clears all relevant cookies and client storage.
  • AUTHN-027 — Test replay after logout.
  • AUTHN-028 — Test browser back after logout.
  • AUTHN-029 — Test old tabs after logout.
  • AUTHN-030 — Test session behavior after account suspension.
  • AUTHN-031 — Test session behavior after account deletion.
  • AUTHN-032 — Test session behavior after role downgrade.
  • AUTHN-033 — Test session behavior after tenant removal.
  • AUTHN-034 — Test session behavior after password reset.
  • AUTHN-035 — Test session behavior after MFA reset.
  • AUTHN-036 — Check whether credentials or session tokens appear in URLs.
  • AUTHN-037 — Check whether credentials or session tokens appear in referrers.
  • AUTHN-038 — Check whether credentials or session tokens appear in frontend logs.
  • AUTHN-039 — Check whether cookie domain and path are narrower than necessary.
  • AUTHN-040 — Check whether session lifetime matches documented behavior.
  • AUTHN-041 — Check whether multiple active sessions can be viewed or revoked.
  • AUTHN-042 — Check whether remember-me state survives security-sensitive changes.
  • AUTHN-043 — Test duplicate Authorization headers.
  • AUTHN-044 — Test harmless whitespace and case variations in authentication schemes.
  • AUTHN-045 — Test authentication with missing, malformed, expired, revoked, and wrong-audience tokens.
  • AUTHN-046 — Test token confusion among user tokens, API keys, service tokens, refresh tokens, and session cookies.
  • AUTHN-047 — Test whether lower-scope tokens can call higher-scope endpoints.
  • AUTHN-048 — Test whether tokens remain usable after owner, tenant, or application deletion.
  • AUTHN-049 — Test whether client identifiers or secrets are accepted in the wrong location.
  • AUTHN-050 — Test whether authentication errors leak account existence beyond program rules.

Password reset, invitations, and recovery

  • RECOV-001 — Test reset request for existing and nonexistent controlled accounts.
  • RECOV-002 — Compare reset response status, body, size, timing, and headers.
  • RECOV-003 — Test reset token single use.
  • RECOV-004 — Test reset token expiration.
  • RECOV-005 — Test reset token after requesting a newer token.
  • RECOV-006 — Test reset token after password change.
  • RECOV-007 — Test reset token after email change.
  • RECOV-008 — Test reset token after account suspension.
  • RECOV-009 — Test reset token across controlled accounts.
  • RECOV-010 — Test reset token binding to the intended account.
  • RECOV-011 — Test reset token binding to the intended tenant when relevant.
  • RECOV-012 — Test host, scheme, and forwarded-header handling only on controlled callback links.
  • RECOV-013 — Test whether reset links leak through referrers.
  • RECOV-014 — Test whether reset links appear in analytics or logs.
  • RECOV-015 — Test whether reset changes invalidate old sessions.
  • RECOV-016 — Test whether reset changes invalidate old API tokens where expected.
  • RECOV-017 — Test invitation token single use.
  • RECOV-018 — Test invitation token expiration.
  • RECOV-019 — Test invitation after role change.
  • RECOV-020 — Test invitation after cancellation.
  • RECOV-021 — Test invitation after email change.
  • RECOV-022 — Test invitation acceptance by a different controlled account.
  • RECOV-023 — Test invitation role tampering.
  • RECOV-024 — Test invitation tenant tampering.
  • RECOV-025 — Test invitation object tampering.
  • RECOV-026 — Test invitation replay.
  • RECOV-027 — Test account-recovery fallback methods.
  • RECOV-028 — Test recovery-code single use.
  • RECOV-029 — Test recovery-code revocation after MFA reset.
  • RECOV-030 — Test email-change confirmation tokens.
  • RECOV-031 — Test email-change rollback and old-email notifications.
  • RECOV-032 — Test phone or device verification flows if present.
  • RECOV-033 — Test support-assisted recovery only through authorized self-service simulations.

Multi-factor authentication and step-up auth

  • MFA-001 — Test MFA enrollment without recent password confirmation.
  • MFA-002 — Test MFA disable without recent password confirmation.
  • MFA-003 — Test MFA reset without recent password confirmation.
  • MFA-004 — Test backup-code generation and revocation.
  • MFA-005 — Test backup-code single use.
  • MFA-006 — Test old backup codes after regeneration.
  • MFA-007 — Test TOTP replay within the same time window.
  • MFA-008 — Test TOTP across controlled accounts.
  • MFA-009 — Test clock-skew boundaries conservatively.
  • MFA-010 — Test remembered-device expiration.
  • MFA-011 — Test remembered-device revocation.
  • MFA-012 — Test device-cookie binding.
  • MFA-013 — Test MFA after password reset.
  • MFA-014 — Test MFA after email change.
  • MFA-015 — Test MFA after session revocation.
  • MFA-016 — Test step-up authentication for sensitive actions.
  • MFA-017 — Test stale step-up state.
  • MFA-018 — Test step-up state reuse across actions.
  • MFA-019 — Test step-up state reuse across controlled accounts.
  • MFA-020 — Test step-up state reuse across tenants.
  • MFA-021 — Test direct API calls that bypass UI step-up.
  • MFA-022 — Test alternate endpoints for the same sensitive action.
  • MFA-023 — Test recovery flow after MFA device removal.
  • MFA-024 — Test WebAuthn or passkey registration ownership.
  • MFA-025 — Test WebAuthn or passkey deletion authorization.
  • MFA-026 — Test passkey sign-in after account or tenant changes.

OAuth, OIDC, SAML, and SSO

  • SSO-001 — Record every supported identity provider and callback.
  • SSO-002 — Test missing state.
  • SSO-003 — Test empty state.
  • SSO-004 — Test reused state.
  • SSO-005 — Test state from another controlled browser session.
  • SSO-006 — Test expired state.
  • SSO-007 — Test cancelled authorization.
  • SSO-008 — Test missing authorization code.
  • SSO-009 — Test reused authorization code.
  • SSO-010 — Test code from another controlled session.
  • SSO-011 — Test account switching during authorization.
  • SSO-012 — Test simultaneous authorization flows.
  • SSO-013 — Test callback parameter reflection.
  • SSO-014 — Test alternate callback paths.
  • SSO-015 — Test redirect URI exact matching.
  • SSO-016 — Test open redirect chaining only where additional eligible impact exists.
  • SSO-017 — Test nonce enforcement in OIDC.
  • SSO-018 — Test issuer validation.
  • SSO-019 — Test audience validation.
  • SSO-020 — Test token type and algorithm validation without attempting unsafe infrastructure attacks.
  • SSO-021 — Test claims mapping for email, username, tenant, group, and role.
  • SSO-022 — Test unverified email claims.
  • SSO-023 — Test stale group and role claims.
  • SSO-024 — Test account linking between controlled identities.
  • SSO-025 — Test account unlinking.
  • SSO-026 — Test linking a provider already linked to another controlled account.
  • SSO-027 — Test SSO-required tenant behavior.
  • SSO-028 — Test login after SSO access removal.
  • SSO-029 — Test session after SSO group removal.
  • SSO-030 — Test JIT provisioning roles.
  • SSO-031 — Test SCIM deprovisioning effects.
  • SSO-032 — Test SAML RelayState handling.
  • SSO-033 — Test SAML response replay with controlled assertions.
  • SSO-034 — Test SAML destination and audience validation.
  • SSO-035 — Test tenant selection during SSO.
  • SSO-036 — Test domain-based tenant discovery.
  • SSO-037 — Test OAuth app consent and scope changes.
  • SSO-038 — Test revoked provider authorization.
  • SSO-039 — Test stale local sessions after provider revocation.

General authorization and tenant isolation

  • AUTHZ-001 — For every read request, replace only the object identifier with another controlled object's identifier.
  • AUTHZ-002 — For every write request, replace only the object identifier with another controlled object's identifier.
  • AUTHZ-003 — For every delete request, replace only the object identifier with another controlled disposable object's identifier.
  • AUTHZ-004 — Swap tenant or organization identifiers.
  • AUTHZ-005 — Swap project, workspace, repository, account, invoice, ticket, message, file, and report identifiers.
  • AUTHZ-006 — Swap parent and child identifiers independently.
  • AUTHZ-007 — Compare unauthorized and nonexistent responses.
  • AUTHZ-008 — Check object-existence leaks through status, body, size, headers, timing, pagination, and counts.
  • AUTHZ-009 — Check lists filter unauthorized objects.
  • AUTHZ-010 — Check search filters unauthorized objects.
  • AUTHZ-011 — Check autocomplete filters unauthorized objects.
  • AUTHZ-012 — Check recent history filters unauthorized objects.
  • AUTHZ-013 — Check activity feeds filter unauthorized objects.
  • AUTHZ-014 — Check exports filter unauthorized objects.
  • AUTHZ-015 — Check aggregates and dashboards filter unauthorized objects.
  • AUTHZ-016 — Check bulk endpoints authorize every object independently.
  • AUTHZ-017 — Check partial failures do not leak unauthorized metadata.
  • AUTHZ-018 — Check parent and child objects are both authorized.
  • AUTHZ-019 — Check authorized parent plus unauthorized child.
  • AUTHZ-020 — Check unauthorized parent plus authorized child.
  • AUTHZ-021 — Check cross-tenant parent/child mixing.
  • AUTHZ-022 — Check direct URL access to hidden UI routes.
  • AUTHZ-023 — Check client-side role restrictions have server-side enforcement.
  • AUTHZ-024 — Check alternate HTTP methods.
  • AUTHZ-025 — Check method-override headers and parameters.
  • AUTHZ-026 — Check alternate content types.
  • AUTHZ-027 — Check API and dashboard enforcement consistency.
  • AUTHZ-028 — Check current and legacy endpoint enforcement consistency.
  • AUTHZ-029 — Check preview, simulator, validation, retry, confirmation, export, and background-job endpoints.
  • AUTHZ-030 — Check renamed resources.
  • AUTHZ-031 — Check transferred resources.
  • AUTHZ-032 — Check archived resources.
  • AUTHZ-033 — Check deleted and recreated names.
  • AUTHZ-034 — Check public-to-private transitions.
  • AUTHZ-035 — Check private-to-public transitions.
  • AUTHZ-036 — Check stale sessions after role downgrade.
  • AUTHZ-037 — Check stale sessions after membership removal.
  • AUTHZ-038 — Check stale tokens after revocation.
  • AUTHZ-039 — Check stale cursors after revocation.
  • AUTHZ-040 — Check delegated roles never exceed base roles.
  • AUTHZ-041 — Check group-derived permissions after group removal.
  • AUTHZ-042 — Check invitation-derived permissions after cancellation.
  • AUTHZ-043 — Check service accounts and API keys remain tenant-scoped.
  • AUTHZ-044 — Check public-resource access never grants private-resource access.
  • AUTHZ-045 — Check tenant membership alone does not grant every tenant resource.
  • AUTHZ-046 — Check object ownership and tenant membership are not confused.
  • AUTHZ-047 — Check support, moderation, impersonation, and admin features require explicit authorization.
  • AUTHZ-048 — Check audit logs identify the real actor.
  • AUTHZ-049 — Check role-management endpoints cannot assign a higher role than the caller owns.
  • AUTHZ-050 — Check self-role modification is prevented.

API parsing, validation, and mass assignment

  • API-001 — Send the documented content type.
  • API-002 — Omit Content-Type.
  • API-003 — Use text/plain.
  • API-004 — Use form encoding when accepted by the UI.
  • API-005 — Send malformed JSON.
  • API-006 — Send duplicate JSON keys.
  • API-007 — Send conflicting duplicate authorization-sensitive keys.
  • API-008 — Check whether first or last duplicate wins.
  • API-009 — Send arrays where scalars are expected.
  • API-010 — Send scalars where arrays are expected.
  • API-011 — Send nested objects where IDs are expected.
  • API-012 — Send null for optional fields.
  • API-013 — Send null for required fields.
  • API-014 — Omit one required field at a time.
  • API-015 — Add undocumented fields.
  • API-016 — Add server-managed IDs.
  • API-017 — Add server-managed owner fields.
  • API-018 — Add server-managed tenant fields.
  • API-019 — Add server-managed role fields.
  • API-020 — Add server-managed status fields.
  • API-021 — Add server-managed scope fields.
  • API-022 — Attempt to update immutable identifiers.
  • API-023 — Attempt to update immutable ownership.
  • API-024 — Attempt to update immutable tenant association.
  • API-025 — Test enum case handling.
  • API-026 — Test enum whitespace.
  • API-027 — Test unknown enum values.
  • API-028 — Test duplicate enum values.
  • API-029 — Test empty strings.
  • API-030 — Test whitespace-only strings.
  • API-031 — Test documented maximum lengths.
  • API-032 — Test one character above maximum.
  • API-033 — Test Unicode normalization.
  • API-034 — Test harmless control characters.
  • API-035 — Test newlines in text fields.
  • API-036 — Test duplicate array values.
  • API-037 — Test empty arrays.
  • API-038 — Test negative integers.
  • API-039 — Test zero where positive values are expected.
  • API-040 — Test large but non-disruptive integers.
  • API-041 — Test floating-point values where integers are expected.
  • API-042 — Test scientific notation.
  • API-043 — Test booleans as strings.
  • API-044 — Test numbers as strings.
  • API-045 — Test unknown query parameters.
  • API-046 — Test duplicate query parameters.
  • API-047 — Test conflicting path and body identifiers.
  • API-048 — Test conflicting query and body identifiers.
  • API-049 — Test trailing slashes.
  • API-050 — Test repeated slashes.
  • API-051 — Test path case variations.
  • API-052 — Test safe dot-segment normalization.
  • API-053 — Test pagination minimum.
  • API-054 — Test pagination maximum.
  • API-055 — Test one above pagination maximum.
  • API-056 — Test invalid cursors.
  • API-057 — Test cross-account cursors.
  • API-058 — Test cross-tenant cursors.
  • API-059 — Test stale cursors.
  • API-060 — Test sort authorization.
  • API-061 — Test filter authorization.
  • API-062 — Test date range boundaries.
  • API-063 — Test timezone boundaries.
  • API-064 — Test duplicate create requests.
  • API-065 — Test request replay.
  • API-066 — Test idempotency behavior.
  • API-067 — Check errors never echo tokens, cookies, secrets, or unauthorized private data.

GraphQL

  • GQL-001 — Identify GraphQL endpoints.
  • GQL-002 — Record operation names.
  • GQL-003 — Record variables and custom scalars.
  • GQL-004 — Test unauthenticated introspection only if permitted.
  • GQL-005 — Do not report introspection alone.
  • GQL-006 — Test hidden fields for authorization.
  • GQL-007 — Test nested resolver authorization.
  • GQL-008 — Test node or global-ID authorization.
  • GQL-009 — Test aliases for duplicate sensitive operations.
  • GQL-010 — Test batched operations.
  • GQL-011 — Test fragments that request hidden fields.
  • GQL-012 — Test field-level authorization.
  • GQL-013 — Test mutation-level authorization.
  • GQL-014 — Test parent-child authorization.
  • GQL-015 — Test pagination cursors across accounts and tenants.
  • GQL-016 — Test search and aggregate resolvers.
  • GQL-017 — Test GraphQL error leakage.
  • GQL-018 — Test over-posting through input objects.
  • GQL-019 — Test server-managed fields in mutations.
  • GQL-020 — Test nullability edge cases.
  • GQL-021 — Test enum edge cases.
  • GQL-022 — Test duplicate input keys through raw JSON.
  • GQL-023 — Test GET versus POST behavior.
  • GQL-024 — Test persisted-query authorization.
  • GQL-025 — Test subscription authorization if present.
  • GQL-026 — Test stale subscriptions after role removal.
  • GQL-027 — Test object existence through errors and timing.
  • GQL-028 — Test query depth only conservatively and do not stress the service.
  • GQL-029 — Test cost or complexity controls only at low volume.