| Browser application |
Approved domains, routes, JavaScript bundles, test data, feature flags, and user journeys |
Crawl, DAST, client-side analysis, SAST, and security regression tests |
Which states are unreachable by crawling? What changes after login, role, tenant, or feature selection? |
Route inventory, crawl map, build, authenticated session proof, and tested journey list |
| REST API |
OpenAPI or other contract, base URLs, versions, methods, parameters, examples, and auth schemes |
Contract-seeded API scanning, schema fuzzing, DAST, SAST, and SCA |
Can one actor access another actor’s object, property, function, or workflow? |
Operation coverage by method, role, response class, and negative test case |
| GraphQL |
Endpoint, approved schema or operations, persisted queries, roles, tenants, depth and cost limits |
Schema-aware checks, operation corpus, SAST, query analysis, and bounded fuzzing |
Do field and resolver authorization rules hold across aliases, fragments, nested objects, and mutations? |
Tested operations, fields, resolver paths, actor matrix, limits, and sanitized results |
| Asynchronous and webhook paths |
Event definitions, callback destinations, signatures, queues, retry behavior, worker identities, and replay rules |
SAST, SCA, contract tests, secrets checks, and controlled integration tests |
Can events be forged, replayed, reordered, duplicated, redirected, or consumed across trust boundaries? |
Event cases, signature and freshness validation, destination allowlist, and worker logs |
| Administrative and support functions |
Admin routes, support tools, impersonation features, approval paths, audit logs, and privileged identities |
Authenticated DAST, SAST, configuration review, and role regression tests |
Can support or admin capabilities cross customer, tenant, approval, or data-minimization boundaries? |
Privileged function inventory, approvals, audit-event proof, and role/tenant test results |
| Identity and session flows |
Local login, SSO, OAuth/OIDC, MFA, password reset, invitations, recovery, token and cookie behavior |
DAST rules, protocol checks, SAST, secret detection, and session regression tests |
What happens across login, logout, refresh, revocation, recovery, concurrent sessions, and role change? |
Flow diagrams, client/redirect inventory, session states, token handling, and negative cases |
| Files, reports, and exports |
Allowed formats, content rules, storage path, processing workers, authorization, retention, and download links |
DAST, SAST, malware/content controls, SCA for parsers, and bounded file tests |
Can content escape validation, cross tenants, expose metadata, overwrite objects, or trigger unsafe processing? |
Approved test corpus, storage and access evidence, parser version, and cleanup confirmation |
| Consumed third-party APIs |
Vendor endpoints, data exchanged, credentials, egress rules, certificates, timeouts, validation, and fallback behavior |
SCA, SAST, secret checks, contract tests, and egress/configuration review |
Does the application trust third-party responses, redirects, files, or status values more than it should? |
Integration inventory, trust rules, validation tests, dependency owner, and incident path |