23 modules.
| Module | Description |
|---|---|
session-puzzling |
Tests for session puzzling by sending multiple concurrent session-like parameters (session, token, auth, jwt) in cookies and query params, then checking for confused server behavior, inconsistent user context, or privilege escalation. |
session-timeout |
Analyzes session cookies for excessive or missing expiry (Max-Age / Expires). Flags session cookies with Max-Age > 86400s (24h), no expiry at all, and cookies that lack HttpOnly/Secure flags, which are prerequisites for safe timeout enforcement. |
concurrent-session-abuse |
Checks for concurrent session enforcement by inspecting response headers for session limiting controls and by detecting whether the server signals any limit on active sessions. Absence of X-Session-Limit, X-Active-Sessions, or policy disclosures is flagged. |
remember-me-token-check |
Detects persistent remember-me / stay-signed-in cookies and checks them for missing Secure/HttpOnly flags, excessive Max-Age, missing SameSite, and weak entropy, all of which increase the risk of token theft and account takeover. |
device-trust-bypass |
Probes for device trust headers/cookies (X-Device-ID, device_token, trusted_device) and checks whether sending arbitrary device identifiers bypasses two-factor auth or grants access to trusted-device-only endpoints. |
refresh-token-rotation |
Probes common refresh token endpoints and checks whether invalid/expired tokens return distinct responses that confirm a valid token exists (token oracle), and whether the endpoints accept repeated use of the same refresh token (rotation bypass). |
refresh-token-replay |
Tests refresh token replay by sending the same token request twice and checking whether both succeed. Also checks if replay is possible with expired tokens by probing /oauth/token and /api/auth/refresh with grant_type=refresh_token. |
logout-invalidation |
Tests logout invalidation by collecting a session cookie, calling the logout endpoint, and then retrying the session on /api/me or /api/profile. If the session remains valid post-logout, it is flagged as a server-side session invalidation failure. |
cookie-tossing |
Tests for cookie tossing by sending requests with both a host-only session cookie and a domain-scoped cookie of the same name, then checking which value the server uses. If the domain-scoped cookie overrides the host-only one, privilege escalation may be possible. |
cookie-shadowing |
Tests cookie shadowing by sending two cookies with the same name (different case variants or duplicate) and observing which value the server uses. Inconsistent handling between proxies and the backend application can enable session hijacking. |
duplicate-cookie-confusion |
Sends duplicate Cookie headers and same-named cookies with different values to detect parsing inconsistencies between proxies and the backend that could be exploited for session hijacking or authentication bypass. |
domain-path-cookie-confusion |
Inspects session cookies for overly broad Domain scope (leading dot) or missing Path restrictions. Broad domain scope allows cookies to be sent to all subdomains, increasing the attack surface if any subdomain is compromised. |
session-prediction |
Collects 5 session tokens from separate requests and analyzes them for sequential patterns, time-based values, short length, or character-set restrictions that suggest the tokens are predictable and could be enumerated. |
session-cloning |
Tests whether the same session token is accepted from two different User-Agent strings, which indicates the session is not bound to the client and can be cloned. Successfully cloning a session allows an attacker to use a stolen token alongside the victim. |
username-enum |
Tests for username/email enumeration via timing side-channels, response body length and content differences, and HTTP status code discrepancies across 17 common login path variations. Probes both JSON and form-urlencoded request formats. |
email-enum |
Tests for email enumeration via forgot-password and registration endpoints. Compares response body length and content for existing vs non-existing email addresses across 14 forgot-password paths and 9 registration paths. |
session-fixation |
Tests for session fixation by checking if pre-set session IDs survive login, whether the server accepts client-controlled session IDs, and whether session cookies lack Secure and HttpOnly attributes. Also checks PHP-style and generic session cookie names. |
session-cookie-entropy |
Analyzes session cookie security by collecting 5 session tokens and examining Shannon entropy, predictability (all-numeric, all-hex, base64 UUID), cookie flags (Secure, HttpOnly, SameSite), __Host-/__Secure- prefix conformance, and domain/path scope. |
password-reset-check |
Probes for password reset vulnerabilities including host header injection for reset link poisoning, token leakage via Referrer headers, weak/predictable tokens, missing rate limiting on reset endpoints, and dangling reset token acceptance. |
jwt-check |
Extracts JWTs from HTTP responses and probes for algorithm confusion (alg:none, RS256→HS256 confusion), missing expiry/audience claims, sensitive payload data, and JWT transmission in URL query strings. |
oauth-check |
Probes OAuth 2.0 / OIDC endpoints for misconfigurations including open redirect_uri, missing state parameter (CSRF), implicit flow, exposed .well-known metadata, PKCE enforcement bypass, and token endpoint misconfigurations. |
2fa-bypass-check |
Probes 2FA/MFA implementations for bypass vulnerabilities including OTP brute force (missing rate limiting), direct navigation bypasses, backup code weaknesses, response manipulation, and missing MFA enforcement on privileged endpoints. |
race-condition-check |
Probes state-changing endpoints (payment, coupon redemption, token generation, voting) for race condition vulnerabilities by sending N concurrent identical requests and detecting response divergence that indicates inconsistent server-side state management. |
Part of the NOX Module Reference guide.