OWASP API Top 10 in Qodex
Qodex uses the OWASP API Top 10 as a practical testing map. For each risk category, the agent can create probes, save scenarios, verify whether the app blocks the attack, and open findings when the attack succeeds. This page focuses on how Qodex runs those checks. OWASP remains the source of truth for the formal category definitions.
Start with a security skill
Security testing is skill-driven. You can invoke a skill directly in chat:
What Qodex checks
| OWASP category | What Qodex does | Typical finding |
|---|---|---|
| API1: Broken Object Level Authorization | Uses one user’s resource ID with another user’s token across read and write actions. | BOLA or IDOR with cross-user data access. |
| API2: Broken Authentication | Tests token tampering, expired tokens, weak reset flows, default credentials, and missing rate limits. | Auth bypass, weak session handling, or missing brute-force protection. |
| API3: Broken Object Property Level Authorization | Looks for excessive response fields and mass assignment payloads such as `role: admin`. | Excessive data exposure or privilege escalation. |
| API4: Unrestricted Resource Consumption | Sends controlled request bursts while respecting environment rate limits. | Missing rate limiting on auth or expensive endpoints. |
| API5: Broken Function Level Authorization | Calls admin or internal endpoints as a lower-privileged user. | Privilege escalation or unauthorized admin access. |
| API6: Unrestricted Access to Sensitive Business Flows | Exercises state-changing flows such as coupon use, balance transfer, or multi-step workflow bypass. | Race condition or skipped-step acceptance. |
| API7: Server Side Request Forgery (SSRF) | Tests server-side fetch inputs such as webhooks, avatar URLs, imports, and link previews. | Internal service exposure or cloud metadata access. |
| API8: Security Misconfiguration | Audits headers, cookie flags, CORS, exposed files, and framework fingerprints. | Missing security headers, unsafe CORS, or exposed secrets. |
| API9: Improper Inventory Management | Compares documented routes with older, internal, or debug versions. | Unprotected legacy route or stale API version. |
| API10: Unsafe Consumption of APIs | Checks how the app handles malformed, slow, or hostile upstream responses. | Chained SSRF, weak upstream validation, or unsafe webhook handling. |
How a finding is created
When a probe confirms a vulnerability, Qodex files a finding with the facts needed to reproduce it:
- Severity such as `critical`, `high`, `medium`, `low`, or `info`.
- OWASP category and attack type.
- Affected endpoint or flow.
- Request and response evidence.
- Reproduction steps.
- Suggested remediation.
How scenarios are saved
Each confirmed or blocked probe can become a scenario. The expected result is always the secure behavior. For example, a BOLA scenario expects `403` or `404` when User B tries to read User A’s resource.
If the app returns `200`, the scenario fails and Qodex opens a finding. The assertion is not relaxed to match the vulnerable behavior.
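The inverted-semantics rule above, as an added Python example that is not Qodex code: a saved BOLA scenario performs a cross-user read against two constructed handlers (one that skips the ownership check, one that enforces it) and passes only on `403` or `404`; a `200` fails the scenario and yields a finding shaped like the fields listed on this page. The tokens, order IDs and handler names are stand-ins, not a real API.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed fixture (not a real API): bearer token -> user, order -> owner.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {"order-1001": {"owner": "alice", "total": 42}}
Response = Tuple[int, Optional[dict]]

def vulnerable_get_order(token: str, order_id: str) -> Response:
    """Authenticates the caller but never checks that they own the order."""
    if token not in TOKENS:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)

def hardened_get_order(token: str, order_id: str) -> Response:
    """Same lookup, but answers 404 unless the caller owns the order, so a
    foreign ID is indistinguishable from a missing one."""
    if token not in TOKENS:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != TOKENS[token]:
        return 404, None
    return 200, order

@dataclass
class ScenarioResult:
    passed: bool                  # True means the app blocked the probe
    finding: Optional[dict]       # populated only when the probe succeeded

def run_bola_scenario(handler: Callable[[str, str], Response],
                      attacker_token: str, victim_resource: str) -> ScenarioResult:
    """Cross-user read: pass on 403/404 (secure behaviour), fail on 200."""
    status, body = handler(attacker_token, victim_resource)
    if status in (403, 404):
        return ScenarioResult(True, None)
    return ScenarioResult(False, {
        "severity": "high",
        "category": "API1: Broken Object Level Authorization",
        "attack_type": "cross-user read (BOLA/IDOR)",
        "endpoint": f"GET /orders/{victim_resource}",
        "evidence": {"status": status, "body": body},
    })

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_order),
                          ("hardened", hardened_get_order)):
        result = run_bola_scenario(handler, "tok-bob", "order-1001")
        print(name, "PASS" if result.passed else "FAIL", result.finding)
```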
How to scope a run
Security testing can be broad or narrow. For a safer, clearer run, name the exact surface:
Related
Security scenarios
Learn how OWASP probes become saved scenarios.
Inverted semantics
Understand why pass means blocked and fail means vulnerable.
Sensitive endpoints
Scope destructive and invasive checks by environment.
Findings
See where confirmed vulnerabilities are tracked.