Vulnerability coverage
Dapper Lite specifically targets the following classes of exploitable vulnerabilities — the agent only reports findings it can prove by executing a real attack (“No Exploit, No Report”):
- Broken authentication & authorization — auth bypasses, IDOR, privilege escalation, JWT attacks (alg confusion, alg:none, weak kid injection).
- Injection — SQL, command, and other injection sinks reached via data-flow analysis from user-controlled sources.
- Cross-Site Scripting (XSS) — reflected, stored, and DOM-based.
- Server-Side Request Forgery (SSRF) — including internal network reconnaissance and cross-service token forwarding.
What Dapper Lite does not cover
The “proof-by-exploitation” model intentionally excludes findings that cannot be actively exploited, such as:
- Vulnerable third-party libraries (use npm audit / Dependabot / Snyk).
- Insecure configurations (use a SAST or compliance scanner).
- Findings that require deep, whole-codebase static analysis.
These are a core focus of the advanced data-flow analysis engine in Dapper Pro.
Roadmap
For the full coverage matrix and active roadmap, see COVERAGE.md in the repository.