| SQL Injection | scan_injection | Error-based, blind boolean, time-based, UNION, second-order. DB fingerprinting: MySQL / PG / MSSQL / Oracle / SQLite. |
| NoSQL Injection | scan_injection | MongoDB operator injection ($gt, $ne, $regex, $where), auth bypass. |
| Command Injection | scan_injection | Output + blind, pipe/semicolon/backtick/$(), time-based (ping / sleep). |
| SSTI | scan_injection | Jinja2, Twig, Mako, ERB, Freemarker. |
| XXE | scan_injection | Classic, blind, parameter entities, billion laughs. |
| SSRF | scan_injection | Cloud metadata (AWS IMDSv1/v2, GCP, Azure, DO), encoding bypasses, OAST via interactsh. |
| LDAP Injection | scan_injection | Filter injection, auth bypass, blind boolean. |
| Open Redirect | scan_injection | 25+ param names, 12 bypass techniques. |
| Header Injection | scan_injection | CRLF, response splitting, host header poisoning. |
| Reflected/Stored XSS | scan_client_side | Context-aware detection (tag / attribute / script / JS). |
| DOM XSS | scan_dom_xss | Static source→sink + Playwright-based dynamic injection. |
| CSRF | scan_client_side | Token absence/weakness, SameSite bypass, double-submit check. |
| Clickjacking | scan_client_side | X-Frame-Options + CSP frame-ancestors analysis. |
| Session management | scan_auth | Timeout, fixation, hijacking, concurrent sessions. |
| JWT attacks | scan_auth | none algorithm, RS256→HS256 confusion, claim tampering. |
| Brute force | scan_auth | Account enumeration via timing, lockout, rate limits. |
| MFA bypass | scan_mfa_bypass | Direct endpoint access, OTP brute force, race conditions. |
| OAuth/OIDC | scan_oauth | redirect_uri bypass, state validation, token leakage, PKCE bypass. |
| IDOR | scan_authz | Numeric + UUID enumeration, parameter substitution. |
| Privilege escalation | scan_authz | Vertical + horizontal, role injection, forced browsing. |
| Mass assignment | scan_api | Rails attr_accessible, Django admin fields, Laravel whitelist bypass. |
| GraphQL | scan_api | Introspection, depth limits, batch limits, field suggestion. |
| WebSocket | scan_websocket | CSWSH, auth bypass, message injection. |
| HTTP smuggling | scan_advanced | CL.TE, TE.CL, TE.TE with 12 header obfuscations. |
| Cache poisoning | scan_advanced | Unkeyed headers, cache deception, fat GET. |
| Deserialization | scan_advanced | Java gadgets, Python pickle, .NET ViewState, YAML. |
| Prototype pollution | scan_advanced | Server-side JSON + client-side URL param. |
| Subdomain takeover | scan_subdomain_takeover | 20+ dangling-CNAME services, NS delegation. |
| Cloud metadata | scan_cloud | IMDS access via SSRF, role assumption. |
| S3 buckets | scan_cloud | Public list/read/write, ACL checks. |
| File upload | scan_file_handling | Double-ext, MIME confusion, magic-byte injection, polyglots. |
| Path traversal | scan_file_handling | Encoding bypasses, null-byte, UNC paths. |
| Rate limiting | scan_business_logic | Header bypass, IP rotation, parameter variation. |
| Race conditions | scan_business_logic | TOCTOU, double-spend, concurrent state mutation. |
| Workflow bypass | scan_business_logic | Step skip, state tampering, token reuse. |