29 modules.
| Module | Description |
|---|---|
graphql-alias-explosion |
Tests for GraphQL alias explosion DoS by sending a query with 10 aliases for the same field and measuring whether the server's response time exceeds 3 seconds or whether the server fails to enforce any alias count limit. |
graphql-circular-fragments |
Tests for circular fragment DoS by sending a query containing mutually recursive fragment references (A spreads B, B spreads A). A compliant server must detect and reject the cycle during validation; servers that do not are vulnerable to infinite-recursion DoS. |
graphql-batch-auth |
Tests batch query authorization bypass by posting a JSON array of GraphQL operations that combines a harmless query with a privileged one (users, emails, roles). Flags endpoints that return sensitive data from the privileged query without per-operation authorization. |
graphql-persisted-query |
Tests for persisted query abuse by sending ID-only and APQ hash-only POST bodies and checking whether server error messages reveal stored query content, cache internals, or other implementation details about the persisted query mechanism. |
graphql-introspection-bypass |
Tests whether GraphQL introspection is disabled and, if so, whether it can be bypassed via newline-formatted queries, mixed-case field names, __type queries, or fragment-based introspection. Flags both openly enabled introspection and successful restriction bypasses. |
graphql-cost-analysis |
Tests for missing query cost analysis by sending queries of increasing complexity and checking whether the server applies rate limiting or cost-based rejection. Flags endpoints where all complexity levels are processed without any cost-limit error. |
graphql-depth-analysis |
Tests for missing query depth limits by sending a 7-level nested GraphQL query (user→posts→comments→author→posts→comments→author→id) and checking whether the server rejects or silently accepts it without a depth-limit error. |
graphql-file-upload-abuse |
Tests for GraphQL multipart file upload spec abuse by sending multipart/form-data requests with operations and map fields. Checks whether the file upload endpoint is reachable without authentication and whether mutation injection is possible via upload variables. |
grpc-metadata-injection |
Tests whether a gRPC endpoint accepts and processes injected metadata headers (x-forwarded-for, authorization, x-user-id) that are typically trusted only from internal callers. A gRPC response to a request carrying these headers may indicate that the server trusts externally supplied metadata without validation. |
grpc-reflection-bypass |
Tests whether gRPC Server Reflection is publicly accessible without authentication by sending a minimal reflection request to the ServerReflectionInfo endpoint. If the server responds with a non-401/403 status and gRPC-like content, it exposes all service and method definitions to unauthenticated callers. |
grpc-message-fuzz |
Sends malformed protobuf bytes (\xff\xfe\x00\x01\x02\x03) to a gRPC endpoint and inspects the response for gRPC error status codes (INTERNAL, UNKNOWN, INVALID_ARGUMENT) or descriptive messages that reveal internal service structure. |
grpc-compression |
Sends a gRPC POST request with 'grpc-encoding: gzip' to check whether the server echoes back the gzip encoding header, indicating that gRPC message compression is enabled. Compression can be a contributing factor in side-channel attacks if secrets and attacker-controlled data are compressed together. |
rest-mass-pagination |
Tests for pagination abuse that leaks all records by sending requests with limit=999999, page_size=99999, and per_page=99999. A response exceeding 100 KB suggests the server returned all records without enforcing pagination limits. |
rest-filter-injection |
Tests filter parameter injection by appending filter[role]=admin, filter={"role":"admin"}, and where={"isAdmin":true} to API endpoints. Checks response bodies for admin-level data that was absent in the baseline. |
rest-sort-injection |
Tests sort parameter injection for SQL/NoSQL injection via ORDER BY clauses. Injects sort=id,sleep(3), sort={"$where":"sleep(3000)"}, and order=id DESC; SELECT SLEEP(3)-- and checks for timing anomalies exceeding 2.5 seconds. |
rest-batch-abuse |
Tests batch/bulk endpoint abuse by sending 100-item bulk operation requests. Checks whether the server returns cross-user data or processes unauthorized resource IDs bundled in a batch payload. |
rest-method-confusion |
Tests HTTP method override by sending POST requests with X-HTTP-Method-Override: DELETE, X-HTTP-Method: PUT, and _method=DELETE and checking if the server honours method overrides to bypass authorization. |
rest-content-negotiation |
Tests content negotiation abuse by sending Accept: application/xml, Accept: text/csv, and Accept: application/x-www-form-urlencoded to JSON APIs and checking if alternate response formats leak additional sensitive fields. |
rest-etag-race |
Tests ETag-based race conditions by fetching a resource's ETag and then sending multiple concurrent PATCH requests with the same If-Match: header. If more than one update succeeds, the server has a race condition in its ETag enforcement. |
ws-auth-bypass |
Tests whether common WebSocket endpoints (/ws, /websocket, /socket, /api/ws) accept a WebSocket upgrade handshake without any Authorization or Cookie headers. A 101 response without credentials indicates missing authentication on the WS endpoint. |
ws-message-auth |
Probes common WebSocket endpoints to determine whether the server enforces authentication (401/403) or freely accepts connections (101/200). Emits an informational finding for every reachable WS endpoint discovered. |
ws-cross-site-hijack |
Tests for Cross-Site WebSocket Hijacking (CSWSH) by sending a WebSocket upgrade request with 'Origin: https://evil.com' to common WS paths (/ws, /websocket, /socket.io/). A 101 response indicates the server does not validate the Origin header and is vulnerable to CSWSH attacks from attacker-controlled pages. |
ws-broadcast-leak |
Tests for exposed WebSocket broadcast endpoints (/ws/broadcast, /ws/notifications, /ws/events, /ws/feed) that accept unauthenticated connections. A 101 or 200 response without credentials may indicate that real-time events or sensitive data can be intercepted by unauthenticated clients. |
ws-compression |
Checks whether the server negotiates WebSocket permessage-deflate compression by sending a WebSocket upgrade with 'Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits'. If the server responds with 101 and echoes permessage-deflate in the response extensions, it may be susceptible to CRIME-like compression side-channel attacks if secrets are transmitted over the WebSocket. |
ws-binary-frame-fuzz |
Sends malformed WebSocket upgrade requests to /ws and /websocket, one with the required Connection and Sec-WebSocket-Key headers omitted, another with an invalid Sec-WebSocket-Key value, and inspects the response body for error messages that reveal internal implementation details (stack traces, file paths, panic output). |
json-injection |
Injects JSON structural fragments (","key":"value", closing braces, etc.) into URL and POST body parameters. Checks if injected JSON keys appear in responses or cause parser errors indicating vulnerable JSON handling. Severity: High. |
jsonp-abuse |
Appends ?callback=nox_test_callback to API endpoints. Detects if the response wraps JSON in the callback name, indicating a cross-origin data leakage vector. Severity: High. |
json-duplicate-key |
Sends POST bodies with duplicate JSON keys ({"key":"value1","key":"value2"}) and compares server responses to detect parser confusion that could bypass validation. Severity: Medium. |
content-type-confusion |
Sends JSON body with form Content-Type and form body with JSON Content-Type. Checks for server confusion or unexpected processing indicating vulnerable content-type handling. Severity: Medium. |
Part of the NOX Module Reference guide.