add empty-array IDOR FP and OAST source-IP SSRF FP signals (#183)

This commit is contained in:
Jorge Moya
2026-05-03 20:19:57 -05:00
committed by GitHub
parent 8574119f4d
commit 6942ecb33e
2 changed files with 2 additions and 0 deletions
+1
View File
@@ -187,6 +187,7 @@ query IDOR {
- Soft-privatized data where content is already public
- Idempotent metadata lookups that do not reveal sensitive content
- Correct row-level checks enforced across all channels
- Empty array / null returned for another user's resource — silent enforcement, not exposure; compare against the owner's view to confirm the data is actually missing rather than just hidden from the response shape
## Impact
+1
View File
@@ -157,6 +157,7 @@ Server-Side Request Forgery enables the server to reach networks and services th
- Strict allowlists with DNS pinning and no redirect following
- SSRF simulators/mocks returning canned responses without real egress
- Blocked egress confirmed by uniform errors across all targets and protocols
- OAST callbacks where the source IP matches the tester's machine, not the server — the browser or a client-side fetch made the request, not the backend
## Impact