Unbounded Orchestration

Privacy compliance assessments & Data flow discovery

Dynamic testing

Requirements:

  • An endpoint managing consent data

  • A 3rd-party library/plugin embedded in web apps

  • A data controller/processor relationship that is visible in client-server requests

Using developer docs or API docs from

  • Map out all available endpoints or SDKs

  • Understand the intended integration flows (helps find deviations)

  • Identify weak authentication / consent enforcement

  • Spot optional parameters or undocumented behaviors

Scenarios:

  • Privacy Misrepresentation: Site claims consent is required, but tracking continues.

  • PII Disclosure: Consent system reveals identifiers like emails or cookies via redirects or debug data.

  • Access Control Issues: APIs meant for data deletion or opt-out are not properly authenticated.

  • Client-Side Misuse: Race conditions or localStorage tampering around consent state.

Targeting:

  • Fingerprinting its presence (which consent tool is deployed, e.g. from script URLs, cookie names or global objects)

  • Understanding consent flow leaks

  • Detecting if personal data is still being transferred despite user denial

  • Identifying hidden or undocumented endpoints

  • Finding misconfigured consent banners or weak implementation logic (for example, CSRF on the request that changes consent state)

Capture and observe consent scripts:

  • See how they hook into form submissions or cookies.

  • Check whether they actually enforce consent or only simulate it in the UI.

Inspect JavaScript execution

  • Identify any DOM, cookie or localStorage changes after specific triggers (page load, accept, reject, re-opening the banner).

Network inspection

  • Does .. transmit any PII or unique IDs in requests?

  • Are any 3rd-party domains called regardless of consent?

Look for bypass or override potential

  • Can you still access tracking endpoints after denying consent?

  • Is consent enforced only in the UI, with nothing on the server side stopping the data flow?
