Shannon’s testing coverage is strategically focused on exploitable vulnerabilities in modern web application stacks. Shannon follows a proof-by-exploitation methodology, meaning every reported vulnerability includes a working proof-of-concept exploit.
Shannon currently targets classes of exploitable vulnerabilities. Issues that cannot be actively exploited (such as vulnerable third-party libraries, weak encryption algorithms, or insecure configurations) are not included in reports.

Coverage philosophy

No exploit, no report

Every vulnerability must be successfully exploited before it is reported, which eliminates false positives

Code-aware testing

White-box analysis combines source code review with dynamic exploitation

OWASP-aligned

Coverage maps to OWASP Web Security Testing Guide (WSTG) controls

Pentester-grade output

Reports include working PoCs, code references, and impact analysis

Current vulnerability coverage

Shannon currently targets five major vulnerability classes:

1. Broken authentication

  • Authentication bypass: SQL injection, NoSQL injection, logic flaws
  • Weak authentication: Default credentials, weak passwords, no lockout
  • Multi-factor authentication: TOTP bypass, backup code abuse
  • Session management: Fixation, hijacking, weak tokens
  • JWT attacks: Algorithm confusion, alg:none, weak signatures, kid injection
  • Password reset: Account enumeration, token prediction, bypass
  • Credential transport: Unencrypted channels, weak TLS
WSTG mapping: WSTG-ATHN-01 through WSTG-ATHN-11

2. Broken authorization

  • Horizontal privilege escalation: IDOR (Insecure Direct Object References)
  • Vertical privilege escalation: Admin access from regular user
  • Mass assignment: Privilege field injection
  • Broken function-level authorization: Missing role checks
  • OAuth weaknesses: Token theft, scope bypass
  • Directory traversal: Path manipulation, file access
  • Business logic bypass: Payment bypass, workflow circumvention
WSTG mapping: WSTG-ATHZ-01 through WSTG-ATHZ-05, WSTG-BUSL-*

3. Injection attacks

  • SQL injection: Union-based, boolean-based blind, time-based blind, error-based
  • NoSQL injection: MongoDB operator injection, JSON injection
  • Command injection: OS command execution, shell metacharacter abuse
  • Code injection: eval() exploitation, unsafe deserialization
  • Server-Side Template Injection (SSTI): Jinja2, Twig, Handlebars, etc.
  • XXE (XML External Entity): File disclosure, SSRF via XXE
  • YAML injection: Unsafe deserialization
WSTG mapping: WSTG-INPV-05, WSTG-INPV-11, WSTG-INPV-12, WSTG-INPV-18

4. Cross-site scripting (XSS)

  • Reflected XSS: Parameter-based, header-based, URL-based
  • Stored XSS: Database-stored, file-stored, log injection
  • DOM-based XSS: Client-side template injection, unsafe sinks
  • XSS filter bypass: Encoding, obfuscation, polyglot payloads
  • JSONP callback XSS: Unvalidated callbacks
  • Framework bypasses: Angular, React, Vue sanitization bypass
WSTG mapping: WSTG-INPV-01, WSTG-INPV-02, WSTG-CLNT-01, WSTG-CLNT-02, WSTG-CLNT-03

5. Server-Side Request Forgery (SSRF)

  • Internal service access: Redis, databases, admin panels
  • Cloud metadata: AWS, GCP, Azure instance metadata
  • Protocol bypass: file://, gopher://, dict://
  • Network scanning: Port enumeration, service fingerprinting
  • DNS rebinding: Time-of-check/time-of-use
  • SSRF to RCE: Exploiting internal services
WSTG mapping: WSTG-INPV-19

WSTG checklist coverage

Shannon’s coverage aligns with the OWASP Web Security Testing Guide (WSTG). See the detailed WSTG checklist for complete mapping.

Information gathering

8/10 WSTG-INFO controls covered

Authentication

9/11 WSTG-ATHN controls covered

Authorization

5/5 WSTG-ATHZ controls covered

Session management

8/11 WSTG-SESS controls covered

Input validation

10/20 WSTG-INPV controls covered

API testing

3/3 WSTG-APIT controls covered

What Shannon does not cover

Shannon focuses on dynamic exploitation. The following areas require static analysis and are planned for future products:
Not currently covered:
  • Vulnerable third-party dependencies (planned for Keygraph Code Security SAST)
  • Weak encryption algorithms and key management
  • Insecure server configurations
  • Certificate validation issues
  • Information disclosure in error messages (unless exploitable)
  • Client-side security (CORS, CSP, clickjacking) unless exploitable
  • Business logic issues that cannot be proven through exploitation

Integrated security tools

Shannon enhances its analysis by leveraging industry-standard security tools:
  • Port scanning and service enumeration
  • Version detection for exposed services
  • OS fingerprinting
  • SSL/TLS configuration analysis
  • Passive subdomain discovery
  • DNS record enumeration
  • Subdomain takeover detection
  • Framework and CMS detection
  • Server software identification
  • JavaScript library enumeration
  • Known vulnerability matching
  • OpenAPI/Swagger specification testing
  • Automated API endpoint discovery
  • Schema validation bypass detection
  • Input fuzzing and edge case testing
  • Automated login workflows
  • Dynamic page interaction
  • XSS payload execution
  • CSRF token handling
  • Screenshot capture for evidence

Performance metrics

XBOW benchmark

96.15% success rate (100/104 exploits) on hint-free source-aware variant

Real-world testing

20+ vulnerabilities in OWASP Juice Shop, 15 in c{api}tal, 15+ in crAPI

Runtime

1-1.5 hours per complete assessment

Cost

~$50 USD per full pentest using Claude 4.5 Sonnet

Future coverage expansion

Shannon’s roadmap includes expanding coverage to additional vulnerability classes:

Phase 1: Enhanced injection detection

  • LDAP injection
  • XML injection
  • XPath injection
  • Format string vulnerabilities

Phase 2: Advanced client-side attacks

  • Clickjacking and UI redressing
  • CORS misconfiguration exploitation
  • WebSocket injection
  • PostMessage vulnerabilities

Phase 3: Business logic testing

  • Race conditions
  • Workflow bypass
  • Payment manipulation
  • Resource limit bypass

Phase 4: API security expansion

  • GraphQL injection and DoS
  • Rate limit bypass techniques
  • API versioning attacks
  • Batch request abuse

Vulnerability types

Detailed breakdown of each vulnerability class with WSTG mapping

Benchmark results

96.15% success rate on XBOW benchmark with full analysis

Sample reports

Real penetration testing results from Juice Shop, c{api}tal, and crAPI

Run your first pentest

Get started with Shannon in under 10 minutes
