Skip to content

Latest commit

 

History

History
39 lines (35 loc) · 8.03 KB

File metadata and controls

39 lines (35 loc) · 8.03 KB

13. API Security (Deep)

29 modules.

Module Description
graphql-alias-explosion Tests for GraphQL alias explosion DoS by sending a query with 10 aliases for the same field and measuring whether the server's response time exceeds 3 seconds or whether the server fails to enforce any alias count limit.
graphql-circular-fragments Tests for circular fragment DoS by sending a query containing mutually recursive fragment references (A spreads B, B spreads A). A compliant server must detect and reject the cycle during validation; servers that do not are vulnerable to infinite-recursion DoS.
graphql-batch-auth Tests batch query authorization bypass by posting a JSON array of GraphQL operations that combines a harmless query with a privileged one (users, emails, roles). Flags endpoints that return sensitive data from the privileged query without per-operation authorization.
graphql-persisted-query Tests for persisted query abuse by sending ID-only and APQ hash-only POST bodies and checking whether server error messages reveal stored query content, cache internals, or other implementation details about the persisted query mechanism.
graphql-introspection-bypass Tests whether GraphQL introspection is disabled and, if so, whether it can be bypassed via newline-formatted queries, mixed-case field names, __type queries, or fragment-based introspection. Flags both openly enabled introspection and successful restriction bypasses.
graphql-cost-analysis Tests for missing query cost analysis by sending queries of increasing complexity and checking whether the server applies rate limiting or cost-based rejection. Flags endpoints where all complexity levels are processed without any cost-limit error.
graphql-depth-analysis Tests for missing query depth limits by sending a 7-level nested GraphQL query (user→posts→comments→author→posts→comments→author→id) and checking whether the server rejects or silently accepts it without a depth-limit error.
graphql-file-upload-abuse Tests for GraphQL multipart file upload spec abuse by sending multipart/form-data requests with operations and map fields. Checks whether the file upload endpoint is reachable without authentication and whether mutation injection is possible via upload variables.
grpc-metadata-injection Tests whether a gRPC endpoint accepts and processes injected metadata headers (x-forwarded-for, authorization, x-user-id) that are typically trusted only from internal callers. A gRPC response to a request carrying these headers may indicate that the server trusts externally supplied metadata without validation.
grpc-reflection-bypass Tests whether gRPC Server Reflection is publicly accessible without authentication by sending a minimal reflection request to the ServerReflectionInfo endpoint. If the server responds with a non-401/403 status and gRPC-like content, it exposes all service and method definitions to unauthenticated callers.
grpc-message-fuzz Sends malformed protobuf bytes (\xff\xfe\x00\x01\x02\x03) to a gRPC endpoint and inspects the response for gRPC error status codes (INTERNAL, UNKNOWN, INVALID_ARGUMENT) or descriptive messages that reveal internal service structure.
grpc-compression Sends a gRPC POST request with 'grpc-encoding: gzip' to check whether the server echoes back the gzip encoding header, indicating that gRPC message compression is enabled. Compression can be a contributing factor in side-channel attacks if secrets and attacker-controlled data are compressed together.
rest-mass-pagination Tests for pagination abuse that leaks all records by sending requests with limit=999999, page_size=99999, and per_page=99999. A response exceeding 100 KB suggests the server returned all records without enforcing pagination limits.
rest-filter-injection Tests filter parameter injection by appending filter[role]=admin, filter={"role":"admin"}, and where={"isAdmin":true} to API endpoints. Checks response bodies for admin-level data that was absent in the baseline.
rest-sort-injection Tests sort parameter injection for SQL/NoSQL injection via ORDER BY clauses. Injects sort=id,sleep(3), sort={"$where":"sleep(3000)"}, and order=id DESC; SELECT SLEEP(3)-- and checks for timing anomalies exceeding 2.5 seconds.
rest-batch-abuse Tests batch/bulk endpoint abuse by sending 100-item bulk operation requests. Checks whether the server returns cross-user data or processes unauthorized resource IDs bundled in a batch payload.
rest-method-confusion Tests HTTP method override by sending POST requests with X-HTTP-Method-Override: DELETE, X-HTTP-Method: PUT, and _method=DELETE and checking if the server honours method overrides to bypass authorization.
rest-content-negotiation Tests content negotiation abuse by sending Accept: application/xml, Accept: text/csv, and Accept: application/x-www-form-urlencoded to JSON APIs and checking if alternate response formats leak additional sensitive fields.
rest-etag-race Tests ETag-based race conditions by fetching a resource's ETag and then sending multiple concurrent PATCH requests with the same If-Match: header. If more than one update succeeds, the server has a race condition in its ETag enforcement.
ws-auth-bypass Tests whether common WebSocket endpoints (/ws, /websocket, /socket, /api/ws) accept a WebSocket upgrade handshake without any Authorization or Cookie headers. A 101 response without credentials indicates missing authentication on the WS endpoint.
ws-message-auth Probes common WebSocket endpoints to determine whether the server enforces authentication (401/403) or freely accepts connections (101/200). Emits an informational finding for every reachable WS endpoint discovered.
ws-cross-site-hijack Tests for Cross-Site WebSocket Hijacking (CSWSH) by sending a WebSocket upgrade request with 'Origin: https://evil.com' to common WS paths (/ws, /websocket, /socket.io/). A 101 response indicates the server does not validate the Origin header and is vulnerable to CSWSH attacks from attacker-controlled pages.
ws-broadcast-leak Tests for exposed WebSocket broadcast endpoints (/ws/broadcast, /ws/notifications, /ws/events, /ws/feed) that accept unauthenticated connections. A 101 or 200 response without credentials may indicate that real-time events or sensitive data can be intercepted by unauthenticated clients.
ws-compression Checks whether the server negotiates WebSocket permessage-deflate compression by sending a WebSocket upgrade with 'Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits'. If the server responds with 101 and echoes permessage-deflate in the response extensions, it may be susceptible to CRIME-like compression side-channel attacks if secrets are transmitted over the WebSocket.
ws-binary-frame-fuzz Sends malformed WebSocket upgrade requests to /ws and /websocket, one with the required Connection and Sec-WebSocket-Key headers omitted, another with an invalid Sec-WebSocket-Key value, and inspects the response body for error messages that reveal internal implementation details (stack traces, file paths, panic output).
json-injection Injects JSON structural fragments (","key":"value", closing braces, etc.) into URL and POST body parameters. Checks if injected JSON keys appear in responses or cause parser errors indicating vulnerable JSON handling. Severity: High.
jsonp-abuse Appends ?callback=nox_test_callback to API endpoints. Detects if the response wraps JSON in the callback name, indicating a cross-origin data leakage vector. Severity: High.
json-duplicate-key Sends POST bodies with duplicate JSON keys ({"key":"value1","key":"value2"}) and compares server responses to detect parser confusion that could bypass validation. Severity: Medium.
content-type-confusion Sends JSON body with form Content-Type and form body with JSON Content-Type. Checks for server confusion or unexpected processing indicating vulnerable content-type handling. Severity: Medium.

Part of the NOX Module Reference guide.