←
Bug Bounty Notes - Just notes
Editing is locked. Unlock with an edit token →
Global Manual Bug Bounty Checklist
Purpose: A target-agnostic, manual-first checklist for authorized web, API, SaaS, identity, business-logic, integration, and client-side testing.
Important: No checklist can guarantee a valid or paid bug. A report must be in scope, reproducible, non-duplicate, and show real security impact. This checklist is designed to maximize coverage, discipline, and evidence quality.
How to use this checklist
- USE-001 — Read the live program policy before the first request of every session.
- USE-002 — Test only explicitly authorized assets and vulnerability classes.
- USE-003 — Use only accounts, organizations, projects, repositories, tenants, files, records, payments, and data you control.
- USE-004 — Create unique canary values for every private object used in testing.
- USE-005 — Capture an authorized baseline before altering any request.
- USE-006 — Change one variable at a time: identity, role, object, tenant, method, field, state, timing, or transport.
- USE-007 — Write the expected secure behavior before sending the modified request.
- USE-008 — Save the sanitized request, response, role, object ownership, timestamp, and cleanup action.
- USE-009 — Mark checks N/A only with a written reason.
- USE-010 — Stop immediately if unrelated private data appears.
- USE-011 — Do not perform denial-of-service, destructive actions, spam, credential stuffing, social engineering, or uncontrolled automation.
- USE-012 — Use conservative request rates and small controlled datasets.
- USE-013 — Prefer manual verification before writing any helper script.
- USE-014 — Reproduce every candidate from a clean session.
- USE-015 — Separate evidence collection from exploitation.
Scope, policy, and legal safety
- SCOPE-001 — Save the current program overview.
- SCOPE-002 — Save the current scope table.
- SCOPE-003 — Save the current rewards table.
- SCOPE-004 — Save all exclusions.
- SCOPE-005 — Record the policy last-updated date.
- SCOPE-006 — Record the scope last-updated date.
- SCOPE-007 — Record each eligible hostname, wildcard, mobile app, API, repository, and product.
- SCOPE-008 — Record each explicitly ineligible hostname, wildcard, app, API, and third-party provider.
- SCOPE-009 — Record maximum severity per asset.
- SCOPE-010 — Record prohibited testing methods.
- SCOPE-011 — Record automation limits.
- SCOPE-012 — Record rate limits.
- SCOPE-013 — Record account creation rules.
- SCOPE-014 — Record required researcher aliases or headers.
- SCOPE-015 — Record whether multiple controlled accounts are permitted.
- SCOPE-016 — Record whether production testing is restricted.
- SCOPE-017 — Record whether source-code review is permitted.
- SCOPE-018 — Record whether mobile testing is permitted.
- SCOPE-019 — Record whether cloud infrastructure is permitted.
- SCOPE-020 — Record whether third-party integrations are excluded.
- SCOPE-021 — Record disclosure requirements.
- SCOPE-022 — Record safe-harbor wording.
- SCOPE-023 — Record data-retention and evidence-handling requirements.
- SCOPE-024 — Record rules for accidental sensitive-data exposure.
- SCOPE-025 — Record rules for public zero-days.
- SCOPE-026 — Record rules for social engineering.
- SCOPE-027 — Record rules for brute force and rate limits.
- SCOPE-028 — Record rules for automated scanning.
- SCOPE-029 — Record rules for denial-of-service and resource exhaustion.
- SCOPE-030 — Record rules for testing real customer data.
- SCOPE-031 — Create a written stop procedure for accidental private-data access.
- SCOPE-032 — Create a written stop procedure for instability.
- SCOPE-033 — Create a written stop procedure for third-party traffic.
- SCOPE-034 — Confirm all active scanners are disabled unless explicitly permitted.
- SCOPE-035 — Confirm recursive crawlers and high-rate fuzzers are disabled.
- SCOPE-036 — Confirm no destructive payloads are queued.
- SCOPE-037 — Confirm Burp target scope contains only authorized assets.
- SCOPE-038 — Confirm known third parties are excluded from active testing.
- SCOPE-039 — Confirm logs and evidence do not store unredacted secrets.
- SCOPE-040 — Confirm your source IP, VPN, or test environment complies with policy.
Workspace and evidence preparation
- WORK-001 — Create directories for scope, notes, recon, requests, responses, evidence, Burp, scripts, reports, and secrets.
- WORK-002 — Create a hunting log.
- WORK-003 — Create an endpoint inventory.
- WORK-004 — Create an account and role matrix.
- WORK-005 — Create a hypotheses file.
- WORK-006 — Create a report draft.
- WORK-007 — Create a target-specific .gitignore.
- WORK-008 — Protect secrets with restrictive permissions.
- WORK-009 — Use separate browser profiles for each controlled identity.
- WORK-010 — Use separate password-manager records for each identity.
- WORK-011 — Use unique canaries for every sensitive test object.
- WORK-012 — Use descriptive evidence filenames.
- WORK-013 — Record browser version.
- WORK-014 — Record operating system and tool versions.
- WORK-015 — Record testing IP.
- WORK-016 — Record session start and end time.
- WORK-017 — Record every temporary token created.
- WORK-018 — Record every temporary webhook or integration created.
- WORK-019 — Record every disposable account and resource.
- WORK-020 — Plan cleanup before testing state-changing features.
Controlled identity and tenant lab
- LAB-001 — Create Account A as the highest-privileged controlled user.
- LAB-002 — Create Account B as a lower-privileged controlled user.
- LAB-003 — Create Account C as a complete outsider when policy permits.
- LAB-004 — Enable MFA on all controlled accounts.
- LAB-005 — Create Tenant or Organization A.
- LAB-006 — Create Tenant or Organization B.
- LAB-007 — Create private and public resources under each tenant.
- LAB-008 — Create resources owned individually and by organizations.
- LAB-009 — Create role states: owner, admin, manager, editor, contributor, viewer, guest, suspended, invited, removed.
- LAB-010 — Create direct membership and group-derived membership states.
- LAB-011 — Create external collaborator and internal member states.
- LAB-012 — Create active and expired invitation states.
- LAB-013 — Create pending email verification states.
- LAB-014 — Create pending MFA enrollment states.
- LAB-015 — Create stale sessions before role downgrade.
- LAB-016 — Create stale sessions before membership removal.
- LAB-017 — Create stale sessions before account suspension.
- LAB-018 — Create stale API tokens before revocation.
- LAB-019 — Create stale pagination cursors before revocation.
- LAB-020 — Create renamed resources.
- LAB-021 — Create transferred resources.
- LAB-022 — Create archived resources.
- LAB-023 — Create deleted and recreated names.
- LAB-024 — Create public-to-private transitions.
- LAB-025 — Create private-to-public transitions.
- LAB-026 — Create trial, free, paid, and disabled feature states when available.
- LAB-027 — Create objects with unique synthetic confidential content.
- LAB-028 — Create disposable files and exports.
- LAB-029 — Create disposable webhooks and API keys.
- LAB-030 — Create branch, project, issue, ticket, message, comment, invoice, payment, subscription, and report objects when applicable.
Reconnaissance and attack-surface mapping
- RECON-001 — Enumerate only authorized domains and subdomains.
- RECON-002 — Resolve DNS records for in-scope hosts.
- RECON-003 — Identify live HTTP services conservatively.
- RECON-004 — Record HTTP status, title, technology hints, redirects, and TLS names.
- RECON-005 — Map application entry points.
- RECON-006 — Map authentication entry points.
- RECON-007 — Map API base paths and versions.
- RECON-008 — Map GraphQL endpoints.
- RECON-009 — Map WebSocket and server-sent-event endpoints.
- RECON-010 — Map file-upload and file-download endpoints.
- RECON-011 — Map import, export, preview, conversion, and rendering endpoints.
- RECON-012 — Map webhooks, callbacks, integrations, and URL-fetching features.
- RECON-013 — Map password reset, invite, verification, and account recovery flows.
- RECON-014 — Map billing, subscription, checkout, credit, refund, coupon, and plan flows.
- RECON-015 — Map admin, support, moderation, impersonation, and audit features.
- RECON-016 — Map search, autocomplete, filtering, sorting, pagination, and bulk actions.
- RECON-017 — Map background jobs, queues, scheduled tasks, and asynchronous workflows.
- RECON-018 — Map mobile and desktop application backends if in scope.
- RECON-019 — Map API documentation and schema files.
- RECON-020 — Map robots.txt, sitemap files, well-known paths, and public manifests.
- RECON-021 — Map first-party JavaScript bundles.
- RECON-022 — Search first-party bundles for API paths.
- RECON-023 — Search first-party bundles for hidden routes.
- RECON-024 — Search first-party bundles for feature flags.
- RECON-025 — Search first-party bundles for role checks.
- RECON-026 — Search first-party bundles for object names and enums.
- RECON-027 — Search first-party bundles for storage keys.
- RECON-028 — Search first-party bundles for GraphQL operations.
- RECON-029 — Search first-party bundles for WebSocket URLs.
- RECON-030 — Search first-party bundles for upload, export, webhook, and URL-fetching code.
- RECON-031 — Record every method, path parameter, query parameter, body field, header, cookie, enum, cursor, and identifier.
- RECON-032 — Record all first-party redirect targets.
- RECON-033 — Record all third-party dependencies but do not test them unless authorized.
- RECON-034 — Compare documented and observed endpoints.
- RECON-035 — Compare current and legacy API versions.
- RECON-036 — Record caching and CORS behavior.
- RECON-037 — Record every place private data appears in frontend responses.
- RECON-038 — Record every UI-only validation rule.
- RECON-039 — Record every server-side validation rule inferred from responses.
- RECON-040 — Build endpoint-to-role, endpoint-to-object, endpoint-to-token, endpoint-to-state, and endpoint-to-impact matrices.
Authentication and login
- AUTHN-001 — Test login with missing credentials.
- AUTHN-002 — Test login with empty credentials.
- AUTHN-003 — Test login with invalid credentials.
- AUTHN-004 — Test username and email case handling.
- AUTHN-005 — Test leading and trailing whitespace.
- AUTHN-006 — Test Unicode normalization in identifiers.
- AUTHN-007 — Test multiple identifiers mapped to one account.
- AUTHN-008 — Test unverified email login.
- AUTHN-009 — Test disabled account login.
- AUTHN-010 — Test suspended account login.
- AUTHN-011 — Test deleted account login.
- AUTHN-012 — Test invited but unregistered account login.
- AUTHN-013 — Test expired invitation login.
- AUTHN-014 — Test login after password reset.
- AUTHN-015 — Test login after password change.
- AUTHN-016 — Test login after email change.
- AUTHN-017 — Test login after MFA enable and disable.
- AUTHN-018 — Test login after session revocation.
- AUTHN-019 — Test login from multiple browser profiles.
- AUTHN-020 — Test simultaneous controlled logins for identity mix-ups.
- AUTHN-021 — Test login CSRF where the flow exists and impact can be demonstrated.
- AUTHN-022 — Test session fixation using only controlled accounts.
- AUTHN-023 — Verify session identifier rotation after login.
- AUTHN-024 — Verify session identifier rotation after privilege change.
- AUTHN-025 — Verify logout invalidates the server-side session.
- AUTHN-026 — Verify logout clears all relevant cookies and client storage.
- AUTHN-027 — Test replay after logout.
- AUTHN-028 — Test browser back after logout.
- AUTHN-029 — Test old tabs after logout.
- AUTHN-030 — Test session behavior after account suspension.
- AUTHN-031 — Test session behavior after account deletion.
- AUTHN-032 — Test session behavior after role downgrade.
- AUTHN-033 — Test session behavior after tenant removal.
- AUTHN-034 — Test session behavior after password reset.
- AUTHN-035 — Test session behavior after MFA reset.
- AUTHN-036 — Check whether credentials or session tokens appear in URLs.
- AUTHN-037 — Check whether credentials or session tokens appear in referrers.
- AUTHN-038 — Check whether credentials or session tokens appear in frontend logs.
- AUTHN-039 — Check whether cookie domain and path are narrower than necessary.
- AUTHN-040 — Check whether session lifetime matches documented behavior.
- AUTHN-041 — Check whether multiple active sessions can be viewed or revoked.
- AUTHN-042 — Check whether remember-me state survives security-sensitive changes.
- AUTHN-043 — Test duplicate Authorization headers.
- AUTHN-044 — Test harmless whitespace and case variations in authentication schemes.
- AUTHN-045 — Test authentication with missing, malformed, expired, revoked, and wrong-audience tokens.
- AUTHN-046 — Test token confusion among user tokens, API keys, service tokens, refresh tokens, and session cookies.
- AUTHN-047 — Test whether lower-scope tokens can call higher-scope endpoints.
- AUTHN-048 — Test whether tokens remain usable after owner, tenant, or application deletion.
- AUTHN-049 — Test whether client identifiers or secrets are accepted in the wrong location.
- AUTHN-050 — Test whether authentication errors leak account existence beyond program rules.
Password reset, invitations, and recovery
- RECOV-001 — Test reset request for existing and nonexistent controlled accounts.
- RECOV-002 — Compare reset response status, body, size, timing, and headers.
- RECOV-003 — Test reset token single use.
- RECOV-004 — Test reset token expiration.
- RECOV-005 — Test reset token after requesting a newer token.
- RECOV-006 — Test reset token after password change.
- RECOV-007 — Test reset token after email change.
- RECOV-008 — Test reset token after account suspension.
- RECOV-009 — Test reset token across controlled accounts.
- RECOV-010 — Test reset token binding to the intended account.
- RECOV-011 — Test reset token binding to the intended tenant when relevant.
- RECOV-012 — Test host, scheme, and forwarded-header handling only on controlled callback links.
- RECOV-013 — Test whether reset links leak through referrers.
- RECOV-014 — Test whether reset links appear in analytics or logs.
- RECOV-015 — Test whether reset changes invalidate old sessions.
- RECOV-016 — Test whether reset changes invalidate old API tokens where expected.
- RECOV-017 — Test invitation token single use.
- RECOV-018 — Test invitation token expiration.
- RECOV-019 — Test invitation after role change.
- RECOV-020 — Test invitation after cancellation.
- RECOV-021 — Test invitation after email change.
- RECOV-022 — Test invitation acceptance by a different controlled account.
- RECOV-023 — Test invitation role tampering.
- RECOV-024 — Test invitation tenant tampering.
- RECOV-025 — Test invitation object tampering.
- RECOV-026 — Test invitation replay.
- RECOV-027 — Test account-recovery fallback methods.
- RECOV-028 — Test recovery-code single use.
- RECOV-029 — Test recovery-code revocation after MFA reset.
- RECOV-030 — Test email-change confirmation tokens.
- RECOV-031 — Test email-change rollback and old-email notifications.
- RECOV-032 — Test phone or device verification flows if present.
- RECOV-033 — Test support-assisted recovery only through authorized self-service simulations.
Multi-factor authentication and step-up auth
- MFA-001 — Test MFA enrollment without recent password confirmation.
- MFA-002 — Test MFA disable without recent password confirmation.
- MFA-003 — Test MFA reset without recent password confirmation.
- MFA-004 — Test backup-code generation and revocation.
- MFA-005 — Test backup-code single use.
- MFA-006 — Test old backup codes after regeneration.
- MFA-007 — Test TOTP replay within the same time window.
- MFA-008 — Test TOTP across controlled accounts.
- MFA-009 — Test clock-skew boundaries conservatively.
- MFA-010 — Test remembered-device expiration.
- MFA-011 — Test remembered-device revocation.
- MFA-012 — Test device-cookie binding.
- MFA-013 — Test MFA after password reset.
- MFA-014 — Test MFA after email change.
- MFA-015 — Test MFA after session revocation.
- MFA-016 — Test step-up authentication for sensitive actions.
- MFA-017 — Test stale step-up state.
- MFA-018 — Test step-up state reuse across actions.
- MFA-019 — Test step-up state reuse across controlled accounts.
- MFA-020 — Test step-up state reuse across tenants.
- MFA-021 — Test direct API calls that bypass UI step-up.
- MFA-022 — Test alternate endpoints for the same sensitive action.
- MFA-023 — Test recovery flow after MFA device removal.
- MFA-024 — Test WebAuthn or passkey registration ownership.
- MFA-025 — Test WebAuthn or passkey deletion authorization.
- MFA-026 — Test passkey sign-in after account or tenant changes.
OAuth, OIDC, SAML, and SSO
- SSO-001 — Record every supported identity provider and callback.
- SSO-002 — Test missing state.
- SSO-003 — Test empty state.
- SSO-004 — Test reused state.
- SSO-005 — Test state from another controlled browser session.
- SSO-006 — Test expired state.
- SSO-007 — Test cancelled authorization.
- SSO-008 — Test missing authorization code.
- SSO-009 — Test reused authorization code.
- SSO-010 — Test code from another controlled session.
- SSO-011 — Test account switching during authorization.
- SSO-012 — Test simultaneous authorization flows.
- SSO-013 — Test callback parameter reflection.
- SSO-014 — Test alternate callback paths.
- SSO-015 — Test redirect URI exact matching.
- SSO-016 — Test open redirect chaining only where additional eligible impact exists.
- SSO-017 — Test nonce enforcement in OIDC.
- SSO-018 — Test issuer validation.
- SSO-019 — Test audience validation.
- SSO-020 — Test token type and algorithm validation without attempting unsafe infrastructure attacks.
- SSO-021 — Test claims mapping for email, username, tenant, group, and role.
- SSO-022 — Test unverified email claims.
- SSO-023 — Test stale group and role claims.
- SSO-024 — Test account linking between controlled identities.
- SSO-025 — Test account unlinking.
- SSO-026 — Test linking a provider already linked to another controlled account.
- SSO-027 — Test SSO-required tenant behavior.
- SSO-028 — Test login after SSO access removal.
- SSO-029 — Test session after SSO group removal.
- SSO-030 — Test JIT provisioning roles.
- SSO-031 — Test SCIM deprovisioning effects.
- SSO-032 — Test SAML RelayState handling.
- SSO-033 — Test SAML response replay with controlled assertions.
- SSO-034 — Test SAML destination and audience validation.
- SSO-035 — Test tenant selection during SSO.
- SSO-036 — Test domain-based tenant discovery.
- SSO-037 — Test OAuth app consent and scope changes.
- SSO-038 — Test revoked provider authorization.
- SSO-039 — Test stale local sessions after provider revocation.
General authorization and tenant isolation
- AUTHZ-001 — For every read request, replace only the object identifier with another controlled object's identifier.
- AUTHZ-002 — For every write request, replace only the object identifier with another controlled object's identifier.
- AUTHZ-003 — For every delete request, replace only the object identifier with another controlled disposable object's identifier.
- AUTHZ-004 — Swap tenant or organization identifiers.
- AUTHZ-005 — Swap project, workspace, repository, account, invoice, ticket, message, file, and report identifiers.
- AUTHZ-006 — Swap parent and child identifiers independently.
- AUTHZ-007 — Compare unauthorized and nonexistent responses.
- AUTHZ-008 — Check object-existence leaks through status, body, size, headers, timing, pagination, and counts.
- AUTHZ-009 — Check lists filter unauthorized objects.
- AUTHZ-010 — Check search filters unauthorized objects.
- AUTHZ-011 — Check autocomplete filters unauthorized objects.
- AUTHZ-012 — Check recent history filters unauthorized objects.
- AUTHZ-013 — Check activity feeds filter unauthorized objects.
- AUTHZ-014 — Check exports filter unauthorized objects.
- AUTHZ-015 — Check aggregates and dashboards filter unauthorized objects.
- AUTHZ-016 — Check bulk endpoints authorize every object independently.
- AUTHZ-017 — Check partial failures do not leak unauthorized metadata.
- AUTHZ-018 — Check parent and child objects are both authorized.
- AUTHZ-019 — Check authorized parent plus unauthorized child.
- AUTHZ-020 — Check unauthorized parent plus authorized child.
- AUTHZ-021 — Check cross-tenant parent/child mixing.
- AUTHZ-022 — Check direct URL access to hidden UI routes.
- AUTHZ-023 — Check client-side role restrictions have server-side enforcement.
- AUTHZ-024 — Check alternate HTTP methods.
- AUTHZ-025 — Check method-override headers and parameters.
- AUTHZ-026 — Check alternate content types.
- AUTHZ-027 — Check API and dashboard enforcement consistency.
- AUTHZ-028 — Check current and legacy endpoint enforcement consistency.
- AUTHZ-029 — Check preview, simulator, validation, retry, confirmation, export, and background-job endpoints.
- AUTHZ-030 — Check renamed resources.
- AUTHZ-031 — Check transferred resources.
- AUTHZ-032 — Check archived resources.
- AUTHZ-033 — Check deleted and recreated names.
- AUTHZ-034 — Check public-to-private transitions.
- AUTHZ-035 — Check private-to-public transitions.
- AUTHZ-036 — Check stale sessions after role downgrade.
- AUTHZ-037 — Check stale sessions after membership removal.
- AUTHZ-038 — Check stale tokens after revocation.
- AUTHZ-039 — Check stale cursors after revocation.
- AUTHZ-040 — Check delegated roles never exceed base roles.
- AUTHZ-041 — Check group-derived permissions after group removal.
- AUTHZ-042 — Check invitation-derived permissions after cancellation.
- AUTHZ-043 — Check service accounts and API keys remain tenant-scoped.
- AUTHZ-044 — Check public-resource access never grants private-resource access.
- AUTHZ-045 — Check tenant membership alone does not grant every tenant resource.
- AUTHZ-046 — Check object ownership and tenant membership are not confused.
- AUTHZ-047 — Check support, moderation, impersonation, and admin features require explicit authorization.
- AUTHZ-048 — Check audit logs identify the real actor.
- AUTHZ-049 — Check role-management endpoints cannot assign a higher role than the caller owns.
- AUTHZ-050 — Check self-role modification is prevented.
API parsing, validation, and mass assignment
- API-001 — Send the documented content type.
- API-002 — Omit Content-Type.
- API-003 — Use text/plain.
- API-004 — Use form encoding when accepted by the UI.
- API-005 — Send malformed JSON.
- API-006 — Send duplicate JSON keys.
- API-007 — Send conflicting duplicate authorization-sensitive keys.
- API-008 — Check whether first or last duplicate wins.
- API-009 — Send arrays where scalars are expected.
- API-010 — Send scalars where arrays are expected.
- API-011 — Send nested objects where IDs are expected.
- API-012 — Send null for optional fields.
- API-013 — Send null for required fields.
- API-014 — Omit one required field at a time.
- API-015 — Add undocumented fields.
- API-016 — Add server-managed IDs.
- API-017 — Add server-managed owner fields.
- API-018 — Add server-managed tenant fields.
- API-019 — Add server-managed role fields.
- API-020 — Add server-managed status fields.
- API-021 — Add server-managed scope fields.
- API-022 — Attempt to update immutable identifiers.
- API-023 — Attempt to update immutable ownership.
- API-024 — Attempt to update immutable tenant association.
- API-025 — Test enum case handling.
- API-026 — Test enum whitespace.
- API-027 — Test unknown enum values.
- API-028 — Test duplicate enum values.
- API-029 — Test empty strings.
- API-030 — Test whitespace-only strings.
- API-031 — Test documented maximum lengths.
- API-032 — Test one character above maximum.
- API-033 — Test Unicode normalization.
- API-034 — Test harmless control characters.
- API-035 — Test newlines in text fields.
- API-036 — Test duplicate array values.
- API-037 — Test empty arrays.
- API-038 — Test negative integers.
- API-039 — Test zero where positive values are expected.
- API-040 — Test large but non-disruptive integers.
- API-041 — Test floating-point values where integers are expected.
- API-042 — Test scientific notation.
- API-043 — Test booleans as strings.
- API-044 — Test numbers as strings.
- API-045 — Test unknown query parameters.
- API-046 — Test duplicate query parameters.
- API-047 — Test conflicting path and body identifiers.
- API-048 — Test conflicting query and body identifiers.
- API-049 — Test trailing slashes.
- API-050 — Test repeated slashes.
- API-051 — Test path case variations.
- API-052 — Test safe dot-segment normalization.
- API-053 — Test pagination minimum.
- API-054 — Test pagination maximum.
- API-055 — Test one above pagination maximum.
- API-056 — Test invalid cursors.
- API-057 — Test cross-account cursors.
- API-058 — Test cross-tenant cursors.
- API-059 — Test stale cursors.
- API-060 — Test sort authorization.
- API-061 — Test filter authorization.
- API-062 — Test date range boundaries.
- API-063 — Test timezone boundaries.
- API-064 — Test duplicate create requests.
- API-065 — Test request replay.
- API-066 — Test idempotency behavior.
- API-067 — Check errors never echo tokens, cookies, secrets, or unauthorized private data.
GraphQL
- GQL-001 — Identify GraphQL endpoints.
- GQL-002 — Record operation names.
- GQL-003 — Record variables and custom scalars.
- GQL-004 — Test unauthenticated introspection only if permitted.
- GQL-005 — Do not report introspection alone.
- GQL-006 — Test hidden fields for authorization.
- GQL-007 — Test nested resolver authorization.
- GQL-008 — Test node or global-ID authorization.
- GQL-009 — Test aliases for duplicate sensitive operations.
- GQL-010 — Test batched operations.
- GQL-011 — Test fragments that request hidden fields.
- GQL-012 — Test field-level authorization.
- GQL-013 — Test mutation-level authorization.
- GQL-014 — Test parent-child authorization.
- GQL-015 — Test pagination cursors across accounts and tenants.
- GQL-016 — Test search and aggregate resolvers.
- GQL-017 — Test GraphQL error leakage.
- GQL-018 — Test over-posting through input objects.
- GQL-019 — Test server-managed fields in mutations.
- GQL-020 — Test nullability edge cases.
- GQL-021 — Test enum edge cases.
- GQL-022 — Test duplicate input keys through raw JSON.
- GQL-023 — Test GET versus POST behavior.
- GQL-024 — Test persisted-query authorization.
- GQL-025 — Test subscription authorization if present.
- GQL-026 — Test stale subscriptions after role removal.
- GQL-027 — Test object existence through errors and timing.
- GQL-028 — Test query depth only conservatively and do not stress the service.
- GQL-029 — Test cost or complexity controls only at low volume.