Capabilities

Fendix finds vulnerabilities in APIs and source code before attackers do. It combines live HTTP probing (black-box) with static analysis (white-box) for maximum coverage.

Live API Security Testing

Black-box checks that send real HTTP requests to your API.

Authentication & Access Control

  • Detects API endpoints accessible without any authentication
  • Tests for JWT token validation bypasses (malformed tokens, expired tokens, unsigned tokens)
  • Detects broken access control where one user can access another user's data (IDOR)

Browser Security (CORS)

  • Detects misconfigured cross-origin policies that allow any website to make requests to the API
  • Identifies configurations that could enable credential theft from browsers

Security Headers

  • Checks for missing HTTPS enforcement (HSTS)
  • Checks for missing clickjacking protection (X-Frame-Options)
  • Checks for missing Content Security Policy
  • Detects server version information leakage

Sensitive Data Exposure

  • Detects passwords, API keys, and tokens returned in API responses
  • Detects stack traces and internal error messages exposed to users
  • Detects internal IP addresses leaked in responses

Rate Limiting

  • Detects endpoints with no rate limiting, vulnerable to brute-force attacks

Cookie Flags

Passive — runs without --enable-active (new in v0.18)

  • Detects cookies missing the Secure attribute, allowing transmission over plaintext HTTP (CWE-614)
  • Detects cookies missing HttpOnly, leaving them readable by client-side JavaScript (CWE-1004)
  • Detects cookies missing SameSite, widening the CSRF surface (CWE-1275)
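To make the passive checks listed under Security Headers and Cookie Flags concrete, here is an added example (written for this page, not Fendix's own implementation) that runs the same kinds of checks over a captured HTTP response. The two responses, the `Finding` type and the check names are constructed for illustration; the CWE ids are the ones the list above cites.

```python
"""Passive header and cookie-flag checks over one captured HTTP response.

Added example, not Fendix code. The responses below are constructed; the
Finding type and check names are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    check: str
    detail: str
    cwe: Optional[str] = None


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into its status line and a list of
    (lower-cased name, value) pairs. A list, not a dict, so that repeated
    Set-Cookie headers survive."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def _csp_has_frame_ancestors(headers) -> bool:
    # CSP frame-ancestors supersedes X-Frame-Options; accept either as clickjacking protection
    return any(n == "content-security-policy" and "frame-ancestors" in v.lower()
               for n, v in headers)


def check_security_headers(headers) -> List[Finding]:
    present = {name for name, _ in headers}
    findings = []
    if "strict-transport-security" not in present:
        findings.append(Finding("hsts_missing", "no Strict-Transport-Security header; HTTPS is not enforced"))
    if "x-frame-options" not in present and not _csp_has_frame_ancestors(headers):
        findings.append(Finding("clickjacking", "no X-Frame-Options header and no CSP frame-ancestors directive"))
    if "content-security-policy" not in present:
        findings.append(Finding("csp_missing", "no Content-Security-Policy header"))
    for name, value in headers:
        # a bare product name is acceptable; a product/version string is a leak
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(Finding("version_leak", f"{name} header reveals a version: {value}"))
    return findings


def check_cookie_flags(headers) -> List[Finding]:
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # attribute names after the first ';' are case-insensitive (RFC 6265)
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(Finding("cookie_secure", f"cookie {cookie_name!r} can be sent over plaintext HTTP", "CWE-614"))
        if "httponly" not in attrs:
            findings.append(Finding("cookie_httponly", f"cookie {cookie_name!r} is readable from client-side JavaScript", "CWE-1004"))
        if "samesite" not in attrs:
            findings.append(Finding("cookie_samesite", f"cookie {cookie_name!r} has no SameSite attribute", "CWE-1275"))
    return findings


def scan(raw: str) -> List[Finding]:
    _status, headers = parse_response(raw)
    return check_security_headers(headers) + check_cookie_flags(headers)


# Constructed responses: a weak one and its hardened counterpart.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    '{"ok": true}'
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    '{"ok": true}'
)

if __name__ == "__main__":
    for f in scan(WEAK_RESPONSE):
        print(f"[{f.cwe or '-'}] {f.check}: {f.detail}")
    print("hardened response findings:", scan(HARDENED_RESPONSE))
```

Nothing here sends a request: the input is a response the scanner already holds, which is what makes these checks passive and safe to run without an active flag. Keeping headers as a list rather than a dict matters because a response that sets several cookies carries several Set-Cookie headers, and a dict would silently keep only the last one.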

Active Injection Probes

Requires --enable-active flag — the active probe set grew from 3 to 9 checks in v0.18

  • SQL injection probes: time-based blind, error-based signatures, boolean comparison (MySQL, Postgres, MSSQL, SQLite, Oracle)
  • Command injection via safe echo canary detection
  • CRLF header injection via %0d%0a Set-Cookie probe
  • Reflected XSS — payload reflected unescaped into the response (CWE-79) (v0.18)
  • Open redirect — user-controlled redirect target (CWE-601) (v0.18)
  • In-band SSRF — server-side request forgery confirmed in the response body (CWE-918) (v0.18)
  • Host-header injection — poisoned Host / X-Forwarded-Host reflected into links or redirects (CWE-644/601) (v0.18)
  • GraphQL introspection — schema introspection left enabled (CWE-200) (v0.18)
  • HTTP method tampering — unsafe or override methods accepted (CWE-650/693/285) (v0.18)

Source Code Security Analysis

White-box checks that analyze your codebase without making any network requests.

Hardcoded Secrets

  • AWS access keys and secret keys
  • Private cryptographic keys
  • API tokens and passwords embedded in code
  • Database connection strings with credentials
  • JWT tokens committed to source control

Injection Vulnerabilities

  • SQL injection via string formatting (Python and JavaScript)
  • Command injection via shell execution
  • Code injection via eval/exec with user input
  • Cross-site scripting (XSS) via innerHTML and document.write

Vulnerable Dependencies

  • Scans Python (requirements.txt), JavaScript (package.json), and Go (go.mod) dependencies
  • Transitive SCA: parses poetry.lock and Pipfile.lock as the full resolved dependency closure, catching CVEs in indirect deps the requirements.txt-only path misses (v0.16+)
  • Primary paths via pip-audit, npm audit, and govulncheck against real OSV/CVE databases
  • Curated offline fallback list when primary tools aren't installed
  • Flags unpinned dependency versions

API Specification Analysis

  • Detects endpoints with no authentication requirement in OpenAPI specs
  • Detects use of insecure HTTP instead of HTTPS
  • Detects weak authentication schemes (HTTP Basic Auth)
  • Identifies explicitly public endpoints that may need review

Framework-Specific Checks

  • Flask routes missing login protection
  • Django views missing authentication mixins
  • FastAPI routes missing auth dependencies
  • JWT token decoding without signature verification
  • Proven Path v1: route-table extraction binds a request route to its handler and exports the full route → handler → source → sink taint chain as SARIF codeFlows, with a source_tier provenance tag (v0.16+)
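As an added example of the kind of static check described under Framework-Specific Checks (this is illustration code written for this page, not Fendix's implementation), the following walks a Flask module's AST to find routes with no auth decorator and `jwt.decode` calls that switch signature verification off. The decorator names in `AUTH_DECORATORS`, the sample module and the allowlist mechanism are assumptions; the `options={"verify_signature": False}` form is PyJWT's real way of disabling verification.

```python
"""AST checks for two framework-specific findings:
  1. Flask routes with no authentication decorator
  2. jwt.decode(...) calls that disable signature verification

Added example, not Fendix code. AUTH_DECORATORS and SAMPLE_APP are assumptions.
"""
import ast
from typing import List, Tuple

AUTH_DECORATORS = {"login_required", "jwt_required", "auth_required"}  # assumed project conventions
ROUTE_DECORATORS = {"route", "get", "post", "put", "patch", "delete"}


def _callee_name(node):
    """Trailing name of a decorator or call: app.route(...) -> 'route',
    login_required -> 'login_required', jwt.decode(...) -> 'decode'."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def _is_route(node) -> bool:
    # Flask routes are attribute calls such as @app.route("/x") or @bp.get("/x");
    # requiring the attribute form avoids matching a bare helper named get().
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr in ROUTE_DECORATORS)


def find_unprotected_routes(source: str, allowlist=()) -> List[Tuple[int, str, str]]:
    """Return (line, function, path) for every route handler whose decorators
    include no auth decorator. Paths in `allowlist` (e.g. health checks) are skipped."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        routes = [d for d in fn.decorator_list if _is_route(d)]
        if not routes:
            continue
        if {_callee_name(d) for d in fn.decorator_list} & AUTH_DECORATORS:
            continue
        first_arg = routes[0].args[0] if routes[0].args else None
        path = first_arg.value if isinstance(first_arg, ast.Constant) else "?"
        if path in allowlist:
            continue
        findings.append((fn.lineno, fn.name, path))
    return findings


def find_unverified_jwt_decode(source: str) -> List[int]:
    """Lines of decode(...) calls that pass verify=False (legacy) or
    options={"verify_signature": False} (PyJWT)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _callee_name(node) == "decode"):
            continue
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                hits.append(node.lineno)
            elif kw.arg == "options" and isinstance(kw.value, ast.Dict):
                for k, v in zip(kw.value.keys, kw.value.values):
                    if (isinstance(k, ast.Constant) and k.value == "verify_signature"
                            and isinstance(v, ast.Constant) and v.value is False):
                        hits.append(node.lineno)
    return hits


# Constructed sample module (never executed, only parsed).
SAMPLE_APP = '''\
import jwt
from flask import Flask, jsonify, request
from flask_login import login_required

app = Flask(__name__)

@app.route("/health")
def health():
    return "ok"

@app.route("/admin/users")
def list_users():
    return jsonify([])

@app.route("/me")
@login_required
def me():
    return jsonify({})

@app.route("/claims")
@login_required
def claims():
    # signature check disabled: the token's contents are unauthenticated
    return jsonify(jwt.decode(request.args["t"], options={"verify_signature": False}))
'''

if __name__ == "__main__":
    for line, name, path in find_unprotected_routes(SAMPLE_APP, allowlist=("/health",)):
        print(f"line {line}: route {path} -> {name}() has no auth decorator")
    for line in find_unverified_jwt_decode(SAMPLE_APP):
        print(f"line {line}: jwt.decode() with signature verification disabled")
```

The allowlist is the part worth copying: a health-check endpoint is a legitimate unauthenticated route, and a check that cannot express that will be muted by developers rather than fixed. Note that the sample is only parsed, never imported, so the check runs with no Flask or PyJWT installed.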

Key Differentiators

Hybrid approach

Combines live API testing with static code analysis for higher confidence findings

Zero configuration

Point it at a URL and it discovers endpoints automatically

Developer-first

Runs on every commit, not just in CI — a diff-aware scan of staged files finishes in ~18ms, and `fendix hook install` wires it as a pre-commit gate

Safe by default

Active/destructive tests are disabled unless explicitly enabled

Single report

Both API and code findings in one unified output

No external dependencies

HTML reports are fully self-contained; no internet connection is required to view them

Reporting & Integration

Multiple output formats, CI/CD gating, and credential safety built in.

Output Formats

  • JSON — machine-readable for integration with other tools
  • HTML — self-contained visual report with severity badges and expandable finding details
  • SARIF 2.1.0 — compatible with GitHub Code Scanning and Azure DevOps

Safety & Classification

  • Five severity levels: Critical, High, Medium, Low, Info
  • Severity based on impact, confidence, and correlation multiplier
  • All credentials automatically redacted as [REDACTED]
  • Baseline diffing to show only new findings between scans
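The last two bullets, credential redaction and baseline diffing, fit together in one small routine. The following is an added example written for this page, not Fendix's own code or report schema: findings are fingerprinted by check and location (deliberately not by line number or evidence text, so a rotated secret or a shifted line is not reported as new), and any credential-looking evidence in a new finding is replaced with `[REDACTED]` before it leaves the scanner. The finding dictionaries and the redaction pattern are constructed assumptions.

```python
"""Baseline diffing with credential redaction.

Added example, not Fendix code. The finding shape, fingerprint rule and
redaction pattern are assumptions chosen for illustration.
"""
import hashlib
import re
from typing import Dict, List

# Captures "<name><sep>" so the value after it can be replaced while the key is kept readable.
SECRET_PATTERN = re.compile(r"(?i)((?:api[_-]?key|token|password|secret)\s*[:=]\s*)\S+")


def redact(text: str) -> str:
    """Replace credential-looking values with [REDACTED] before a finding is stored or shared."""
    return SECRET_PATTERN.sub(r"\1[REDACTED]", text)


def fingerprint(finding: Dict) -> str:
    """Stable identity for a finding: check id plus location only. Evidence and
    line numbers are excluded so that a rotated secret or an edit that shifts
    lines does not make an old finding look new."""
    key = f'{finding["check"]}|{finding["location"]}'
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def diff_against_baseline(baseline: List[Dict], current: List[Dict]) -> List[Dict]:
    """Return only the findings in `current` whose fingerprint is absent from
    `baseline`, with their evidence redacted."""
    seen = {fingerprint(f) for f in baseline}
    return [{**f, "evidence": redact(f["evidence"])}
            for f in current if fingerprint(f) not in seen]


# Constructed scan results: a previous run and the current one.
BASELINE_RUN = [
    {"check": "cookie_secure", "location": "GET /login", "evidence": "Set-Cookie: session=abc; Path=/"},
    {"check": "hardcoded_secret", "location": "config.py:load_settings", "evidence": "api_key = sk_live_oldvalue"},
]
CURRENT_RUN = [
    # same two findings as before, with different evidence text
    {"check": "cookie_secure", "location": "GET /login", "evidence": "Set-Cookie: session=xyz; Path=/"},
    {"check": "hardcoded_secret", "location": "config.py:load_settings", "evidence": "api_key = sk_live_newvalue"},
    # two genuinely new findings
    {"check": "missing_hsts", "location": "GET /", "evidence": "no Strict-Transport-Security header"},
    {"check": "hardcoded_secret", "location": "deploy.sh:main", "evidence": "export DB_PASSWORD=hunter2"},
]

if __name__ == "__main__":
    for f in diff_against_baseline(BASELINE_RUN, CURRENT_RUN):
        print(f'NEW {f["check"]} at {f["location"]}: {f["evidence"]}')
```

Fingerprinting on location rather than evidence is the design decision that makes a pre-commit gate usable: a developer who rotates a leaked key still sees the finding until the key is removed from the code, but is not shown it as a brand-new Critical on every commit.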