Capabilities

Fendix finds vulnerabilities in APIs and source code before attackers do. It combines live HTTP probing (black-box) with static analysis (white-box) for maximum coverage.

Live API Security Testing

Black-box checks that send real HTTP requests to your API.

Authentication & Access Control

  • Detects API endpoints accessible without any authentication
  • Tests for JWT token validation bypasses (malformed tokens, expired tokens, unsigned tokens)
  • Detects broken access control where one user can access another user's data (IDOR)

Browser Security (CORS)

  • Detects misconfigured cross-origin policies that allow any website to make requests to the API
  • Identifies configurations that could enable credential theft from browsers

Security Headers

  • Checks for missing HTTPS enforcement (HSTS)
  • Checks for missing clickjacking protection (X-Frame-Options)
  • Checks for missing Content Security Policy
  • Detects server version information leakage
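The CORS and security-header checks listed in the two sections above are passive: they only inspect response headers. The following is an added example (not Fendix's own code) that implements those checks over a constructed set of response headers; the finding titles, severities and the probe Origin value are assumptions.

```python
import re

# Constructed sample response headers, as a misconfigured server might return them.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}

def _get(headers, name):
    # HTTP header names are case-insensitive, so compare lower-cased names.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def check_headers(headers, origin_sent="https://untrusted.example", https=True):
    """Return (severity, title) findings for one response (severities are assumed).

    origin_sent is the Origin header the probe sent. If the server echoes it back
    and also allows credentials, any website can read authenticated responses,
    which is the credential-theft CORS misconfiguration described above.
    """
    findings = []
    acao = _get(headers, "Access-Control-Allow-Origin")
    acac = (_get(headers, "Access-Control-Allow-Credentials") or "").lower()
    if acao == origin_sent and acac == "true":
        findings.append(("high", "CORS reflects arbitrary origin with credentials"))
    elif acao == "*":
        findings.append(("low", "CORS allows any origin (no credentials)"))
    if https and _get(headers, "Strict-Transport-Security") is None:
        findings.append(("medium", "Missing HSTS"))
    if _get(headers, "X-Frame-Options") is None:
        findings.append(("low", "Missing X-Frame-Options"))
    if _get(headers, "Content-Security-Policy") is None:
        findings.append(("low", "Missing Content-Security-Policy"))
    server = _get(headers, "Server") or ""
    # A version number in Server (e.g. "nginx/1.18.0") is product fingerprinting data.
    if re.search(r"\d+\.\d+", server):
        findings.append(("info", f"Server version disclosed: {server}"))
    return findings

if __name__ == "__main__":
    for severity, title in check_headers(SAMPLE_HEADERS):
        print(f"[{severity}] {title}")
```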

Sensitive Data Exposure

  • Detects passwords, API keys, and tokens returned in API responses
  • Detects stack traces and internal error messages exposed to users
  • Detects internal IP addresses leaked in responses

Rate Limiting

  • Detects endpoints with no rate limiting, vulnerable to brute-force attacks

Active Injection Probes

These probes run only when the --enable-active flag is passed.
  • Time-based blind SQL injection (MySQL SLEEP, Postgres pg_sleep, MSSQL WAITFOR)
  • Command injection via safe echo canary detection
  • CRLF header injection via %0d%0a Set-Cookie probe

Source Code Security Analysis

White-box checks that analyze your codebase without making any network requests.

Hardcoded Secrets

  • AWS access keys and secret keys
  • Private cryptographic keys
  • API tokens and passwords embedded in code
  • Database connection strings with credentials
  • JWT tokens committed to source control

Injection Vulnerabilities

  • SQL injection via string formatting (Python and JavaScript)
  • Command injection via shell execution
  • Code injection via eval/exec with user input
  • Cross-site scripting (XSS) via innerHTML and document.write

Vulnerable Dependencies

  • Scans Python (requirements.txt) and JavaScript (package.json) dependencies
  • Matches against known CVE databases (PyPI and npm)
  • Flags unpinned dependency versions

API Specification Analysis

  • Detects endpoints with no authentication requirement in OpenAPI specs
  • Detects use of insecure HTTP instead of HTTPS
  • Detects weak authentication schemes (HTTP Basic Auth)
  • Identifies explicitly public endpoints that may need review

Framework-Specific Checks

  • Flask routes missing login protection
  • Django views missing authentication mixins
  • FastAPI routes missing auth dependencies
  • JWT token decoding without signature verification

Key Differentiators

Hybrid approach

Combines live API testing with static code analysis for higher confidence findings

Zero configuration

Point it at a URL and it discovers endpoints automatically

Developer-first

Integrates into CI/CD pipelines with pass/fail exit codes

Safe by default

Active/destructive tests are disabled unless explicitly enabled

Single report

Both API and code findings in one unified output

No external dependencies

HTML reports are fully self-contained; no internet connection is required to view them

Reporting & Integration

Multiple output formats, CI/CD gating, and credential safety built in.

Output Formats

  • JSON — machine-readable for integration with other tools
  • HTML — self-contained visual report with severity badges and expandable finding details
  • SARIF 2.1.0 — compatible with GitHub Code Scanning and Azure DevOps

Safety & Classification

  • Five severity levels: Critical, High, Medium, Low, Info
  • Severity based on impact, confidence, and correlation multiplier
  • All credentials automatically redacted as [REDACTED]
  • Baseline diffing to show only new findings between scans