Target Types

Supported target categories and their specific requirements.

Web Application

Description: Browser-accessible web applications with interactive interfaces.

Requirements:

  • Accessible via HTTP/HTTPS
  • Renders in a modern browser (Chrome-compatible)
  • Login page accessible if authentication is required

What CodeWall tests:

  • Crawling and endpoint discovery
  • Form input testing (XSS, SQLi, command injection)
  • Authentication and session management
  • Access control and authorization
  • File upload handling
  • Information disclosure
  • Security headers and configuration

Web API

Description: REST, GraphQL, or SOAP API endpoints.

Requirements:

  • Accessible via HTTP/HTTPS
  • Responds to API requests with structured data (JSON, XML)
  • API specification (OpenAPI/Swagger) recommended but not required

What CodeWall tests:

  • Endpoint enumeration and discovery
  • Input validation (injection, type confusion, mass assignment)
  • Authentication mechanism testing (API keys, OAuth, JWT)
  • Broken object-level authorization (BOLA/IDOR)
  • Rate limiting and resource exhaustion
  • Error handling and information disclosure
  • CORS misconfiguration

MCP Server

Description: Model Context Protocol servers that expose tools over SSE or stdio transport.

Requirements:

  • SSE transport: A publicly reachable SSE endpoint URL for the MCP server
  • stdio transport: A shell command to start the server process, plus any required environment variables
  • The server must respond to MCP protocol messages (tool listing, tool invocation)

What CodeWall tests:

  • Tool enumeration and schema analysis
  • Tool parameter injection (SQL injection, command injection, path traversal, SSRF)
  • Authentication and authorization probing on tool endpoints
  • Input validation across all exposed tools
  • Information disclosure through error messages and tool descriptions
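
The requirement above that a server "respond to MCP protocol messages (tool listing, tool invocation)" is easiest to see as the messages themselves. The following is an added illustration, not CodeWall's code and not an MCP SDK: the core of a minimal MCP-style tool server that answers `tools/list` and `tools/call` JSON-RPC 2.0 requests and validates call arguments against the tool's declared `inputSchema` before dispatch, keeping tool failures as `isError` results that carry only the tool's own message. Method names and result shapes follow the MCP specification as the author understands it; the `initialize` handshake is omitted, the newline-delimited stdin/stdout loop is an assumption standing in for an SDK's stdio transport, and `NOTES` is constructed sample data so it runs offline.

```python
"""Minimal MCP-style tool server core (added example, not CodeWall's code).
Answers tools/list and tools/call over JSON-RPC 2.0, validating arguments
against the declared inputSchema. initialize is omitted; the stdio loop is an
assumption standing in for an SDK transport; NOTES is constructed data."""
import json
import re
import sys
from typing import Optional

NOTES = {"welcome": "Hello from the notes tool.", "status": "all systems nominal"}
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def get_note(name: str) -> str:
    """Tool handler: strict allow-list on the identifier, generic error text."""
    if not NAME_RE.match(name):
        raise ValueError("name must match [A-Za-z0-9_-]{1,32}")
    if name not in NOTES:
        raise ValueError("no such note")
    return NOTES[name]


TOOLS = {
    "get_note": {
        "description": "Return the text of a stored note by name.",
        "inputSchema": {
            "type": "object",
            "properties": {"name": {"type": "string"}},
            "required": ["name"],
        },
        "handler": get_note,
    }
}

_JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
               "boolean": bool, "object": dict, "array": list}


def validate_args(schema: dict, args) -> Optional[str]:
    """Check args against a flat object schema; return a problem string or None."""
    if not isinstance(args, dict):
        return "arguments must be an object"
    for req in schema.get("required", []):
        if req not in args:
            return f"missing required argument: {req}"
    props = schema.get("properties", {})
    for key, value in args.items():
        if key not in props:
            return f"unexpected argument: {key}"
        want = props[key]["type"]
        # bool is a subclass of int in Python; do not let true/false pass as numbers
        if isinstance(value, bool) and want != "boolean":
            return f"argument {key} must be {want}"
        if not isinstance(value, _JSON_TYPES[want]):
            return f"argument {key} must be {want}"
    return None


def _error(rid, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def _result(rid, result: dict) -> dict:
    return {"jsonrpc": "2.0", "id": rid, "result": result}


def handle(request: dict) -> dict:
    """Dispatch one JSON-RPC request and return the response object."""
    rid, method = request.get("id"), request.get("method")
    if method == "tools/list":
        tools = [{"name": n, "description": t["description"], "inputSchema": t["inputSchema"]}
                 for n, t in TOOLS.items()]
        return _result(rid, {"tools": tools})
    if method == "tools/call":
        params = request.get("params") or {}
        tool = TOOLS.get(params.get("name"))
        if tool is None:
            return _error(rid, -32602, "unknown tool")
        args = params.get("arguments", {})
        problem = validate_args(tool["inputSchema"], args)
        if problem:
            return _error(rid, -32602, problem)
        try:
            text = tool["handler"](**args)
        except ValueError as exc:
            # Tool failures are isError results carrying only the tool's own
            # message, so stack traces and internals never reach the client.
            return _result(rid, {"content": [{"type": "text", "text": str(exc)}], "isError": True})
        return _result(rid, {"content": [{"type": "text", "text": text}]})
    return _error(rid, -32601, f"method not found: {method}")


def serve_stdio() -> None:
    """Assumed transport: one JSON object per line on stdin and on stdout."""
    for line in sys.stdin:
        line = line.strip()
        if not line:
            continue
        try:
            request = json.loads(line)
        except json.JSONDecodeError:
            print(json.dumps(_error(None, -32700, "parse error")), flush=True)
            continue
        print(json.dumps(handle(request)), flush=True)


if __name__ == "__main__":
    serve_stdio()
```

Run it as `python server.py` and type a `tools/list` request on one line to see the tool catalogue; a `tools/call` with a name that fails the allow-list comes back as an `isError` result whose text is the fixed validation message, which is the behaviour the "information disclosure through error messages" check looks for.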

LLM Application

Description: LLM-powered applications with chat or completion API endpoints.

Requirements:

  • An API endpoint URL (e.g., https://api.example.com/v1/chat/completions)
  • Request format: OpenAI-compatible, Anthropic Messages API, or custom (with a Jinja2 request template and JSONPath response extractor)
  • Optionally, a known system prompt for measuring extraction completeness

What CodeWall tests:

  • Direct and indirect prompt injection
  • System prompt extraction
  • Data exfiltration from context, RAG documents, and tool results
  • Jailbreak and guardrail bypass techniques
  • Output manipulation and harmful content generation
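
The three request formats listed under Requirements, the custom one's request template and response extractor, and the "known system prompt for measuring extraction completeness" are concrete enough to show in code. The block below is an added illustration, not CodeWall's code: it builds a request body for an OpenAI-compatible, an Anthropic Messages, or a custom endpoint, pulls the model text back out with a JSONPath expression, and scores how much of a known system prompt a response reproduces. It uses only the standard library, so `render_template` is a deliberately minimal `{{ var }}` substitution standing in for the Jinja2 the page names (variables only, no filters or control flow), and `jsonpath_extract` evaluates the subset `$`, `.key`, `[n]`, `[*]` that response extractors typically need. Model names are placeholders and every sample response is constructed.

```python
"""Request building, JSONPath response extraction and extraction-completeness
scoring for LLM targets (added example, not CodeWall's code). Standard library
only: render_template is a minimal stand-in for Jinja2, jsonpath_extract
handles the subset  $  .key  [n]  [*].  Model names are placeholders."""
import difflib
import json
import re
from typing import Optional

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_template(template: str, **values) -> str:
    """Substitute {{ name }} placeholders, JSON-escaping each value so a prompt
    containing quotes or newlines cannot break the request body."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"template variable not supplied: {name}")
        return json.dumps(values[name])[1:-1]   # escaped text without the quotes
    return _VAR.sub(sub, template)


def build_request(fmt: str, prompt: str, system: Optional[str] = None,
                  template: Optional[str] = None) -> dict:
    """Body for an OpenAI-compatible, Anthropic Messages, or custom endpoint."""
    if fmt == "openai":
        messages = [{"role": "system", "content": system}] if system else []
        messages.append({"role": "user", "content": prompt})
        return {"model": "MODEL_PLACEHOLDER", "messages": messages}
    if fmt == "anthropic":
        body = {"model": "MODEL_PLACEHOLDER", "max_tokens": 1024,
                "messages": [{"role": "user", "content": prompt}]}
        if system:
            body["system"] = system   # Anthropic takes system as a top-level field
        return body
    if fmt == "custom":
        if template is None:
            raise ValueError("custom format needs a request template")
        return json.loads(render_template(template, prompt=prompt, system=system or ""))
    raise ValueError(f"unknown request format: {fmt}")


_STEP = re.compile(r"\.(\w+)|\[(\d+|\*)\]")


def jsonpath_extract(path: str, doc) -> list:
    """Evaluate a JSONPath subset ($, .key, [n], [*]); return all matches."""
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    nodes, pos = [doc], 1
    while pos < len(path):
        step = _STEP.match(path, pos)
        if not step:
            raise ValueError(f"cannot parse JSONPath at: {path[pos:]}")
        pos = step.end()
        key, index = step.group(1), step.group(2)
        nxt = []
        for node in nodes:
            if key is not None:
                if isinstance(node, dict) and key in node:
                    nxt.append(node[key])
            elif index == "*":
                if isinstance(node, list):
                    nxt.extend(node)
            elif isinstance(node, list) and int(index) < len(node):
                nxt.append(node[int(index)])
        nodes = nxt
    return nodes


RESPONSE_PATHS = {
    "openai": "$.choices[0].message.content",
    "anthropic": "$.content[*].text",   # skips non-text blocks such as tool_use
}


def extract_text(fmt: str, response: dict, extractor: Optional[str] = None) -> str:
    """Pull the model's text out of a response using the format's JSONPath."""
    path = extractor if fmt == "custom" else RESPONSE_PATHS.get(fmt)
    if path is None:
        raise ValueError("no response extractor for this format")
    return "".join(str(m) for m in jsonpath_extract(path, response))


def extraction_completeness(known_system_prompt: str, model_output: str,
                            min_block: int = 8) -> float:
    """Fraction of the known system prompt reproduced verbatim in the output.
    Only matching runs of at least min_block characters count, so incidental
    shared words do not inflate the score; 1.0 means the whole prompt leaked."""
    if not known_system_prompt:
        return 0.0
    matcher = difflib.SequenceMatcher(None, known_system_prompt, model_output, autojunk=False)
    matched = sum(b.size for b in matcher.get_matching_blocks() if b.size >= min_block)
    return matched / len(known_system_prompt)
```

For a custom endpoint the two pieces travel together: a template such as `{"inputs": {"text": "{{ prompt }}"}}` on the way out and an extractor such as `$.outputs[0].generated_text` on the way back. The completeness score is what turns "the system prompt was extracted" into a number: a response that quotes only the second sentence of a two-sentence prompt scores the length share of that sentence, not 1.0.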

Surface Discovery

Description: External attack surface mapping from a domain or company name, without active exploitation.

Requirements:

  • A domain name or company name as the seed
  • No credentials or access needed

What CodeWall tests:

  • Subdomain and related domain enumeration
  • Exposed services and open port identification
  • Technology and software version fingerprinting
  • Asset inventory mapping

Use Surface Discovery as a starting point to understand what is publicly visible before running deeper tests.