12 modules.
| Module | Description |
|---|---|
bopla-check |
Tests for Broken Object Property Level Authorization (BOPLA/OWASP API3). Sends PUT and PATCH requests with privileged fields (role, isAdmin, is_admin) and checks whether the server accepts and reflects them in the response. |
bfla-check |
Tests for Broken Function Level Authorization (BFLA/OWASP API5). Probes admin and management endpoint paths (/admin, /api/admin, /management, /internal, /api/internal, /admin/users, /api/management) without auth headers and reports HTTP 200/201 responses. Also tests POST on accessible GET paths. |
graphql-field-auth |
Tests GraphQL field-level authorization by sending an introspection query followed by direct queries for sensitive field names (password, secret, token, ssn, creditCard, privateKey, apiKey). Reports if sensitive fields are returned in schema or query responses without authentication. |
bulk-endpoint-auth |
Tests bulk and batch API endpoints for missing authorization controls. Probes /api/users/bulk, /api/batch, /api/export, /api/data/export, /api/v1/bulk, /api/v2/bulk without authentication and reports 200 responses. |
nested-object-auth |
Tests nested object authorization by appending cross-user ID combinations (/1/items/2, /2/items/1, /100/items/999) to the target URL and checking whether HTTP 200 responses with data indicate cross-user access. |
file-auth-check |
Tests file access endpoints for missing authorization controls. Probes /api/files/1, /api/files/2, /download?file=1, /attachments/1, /download/1 without authentication and reports HTTP 200 responses with content. |
search-filter-auth |
Tests search and filter endpoint authorization by appending privilege-escalating parameters (filter[role]=admin, role=admin, scope=all, includeDeleted=true, admin=true) to /api/search and /api/users. Reports 200 responses containing 'admin' or large datasets. |
export-auth-check |
Tests data export endpoints for missing authorization controls. Probes /api/export, /api/reports/export, /api/data.csv, /api/dump.json, /export, /api/v1/export without authentication and reports HTTP 200 responses. |
soft-delete-auth |
Tests whether soft-deleted records are accessible via query parameters (includeDeleted=true, showDeleted=1, archived=true, status=deleted, deleted=1). Reports HTTP 200 responses with non-trivial bodies (>50 bytes). |
bac-check |
Probes for Broken Access Control (BAC) including IDOR via object ID manipulation, horizontal privilege escalation (accessing other users' resources), vertical privilege escalation (accessing admin/privileged endpoints), and authentication bypass on protected paths. |
idor-check |
Detects IDOR vulnerabilities by testing 25+ REST resource endpoint patterns with sequential ID substitution (1 to 10 plus large IDs). Compares HTTP status codes and response sizes across different IDs to identify unauthorized data access. Also tests for parameter-based IDOR in existing URL query parameters. Checks object type: user, order, invoice, payment, profile, admin, account. |
mass-assignment-check |
Probes API endpoints for mass assignment vulnerabilities by injecting privileged fields (is_admin, role, permissions, account_type) into POST/PUT/PATCH request bodies and checking for acceptance. Also tests HTTP Parameter Pollution. |
Part of the NOX Module Reference guide.