The Security Test Agent in Qodex helps you proactively catch vulnerabilities like broken access control, token misuse, and OWASP Top 10 risks without needing to write complex security tests manually. It works alongside your functional testing to validate security rules across endpoints and environments.

What It Does

  • Scans your API flows for common security pitfalls
  • Auto-generates test scenarios based on OWASP Top 10
  • Injects edge-case payloads to simulate malicious behavior
  • Checks role-based access violations across endpoints
  • Surfaces real security gaps with detailed failure logs

Key Tests Included

  • Broken access control: attempts unauthorized access using standard and manipulated tokens
  • Token abuse checks: tests expired, missing, or malformed tokens
  • Rate limiting tests: simulates burst calls to check whether limits are enforced
  • Sensitive data exposure: looks for unsecured PII fields or unencrypted responses
  • Custom security rules: define your own assertions for roles, headers, or response structure

How to Use It

  1. Create a test scenario using the AI Agent, e.g. “Check if a user without the admin role can access /admin endpoints”
  2. Qodex suggests security-focused test rules, including both status checks (403/401) and field-level validations
  3. Run the test: failures show up in the Build tab with specific logs and auto-heal suggestions
  4. Monitor security posture: track failures, fix issues, and re-run updated tests
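To make the scenario in step 1 and the access-control, token-abuse and data-exposure checks listed under Key Tests concrete, here is an added example, not Qodex's own code or test format, that expresses those checks as plain Python against a constructed stand-in API (`api`, `make_token`, the signing secret and the `ssn` leak are all assumptions made for the example):

```python
import base64, binascii, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"          # constructed; a real app keeps this out of code
PII_FIELDS = {"ssn", "password", "card_number"}

def make_token(user, role, exp):
    """Constructed minimal signed token (base64 payload + HMAC), standing in for a real JWT."""
    payload = json.dumps({"user": user, "role": role, "exp": exp}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def verify(token):
    """Return the claims for a well-formed, correctly signed, unexpired token, else None."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    expect = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not isinstance(claims, dict) or not hmac.compare_digest(expect, sig):
        return None
    return claims if claims.get("exp", 0) >= time.time() else None

def api(path, headers):
    """Stand-in for the service under test; returns (status, body).
    Access control is correct, but /users/me deliberately leaks an `ssn` field."""
    auth = headers.get("Authorization", "")
    claims = verify(auth[7:] if auth.startswith("Bearer ") else "")
    if claims is None:
        return 401, {}
    if path.startswith("/admin") and claims.get("role") != "admin":
        return 403, {}
    return 200, {"user": claims["user"], "ssn": "000-00-0000"}

def security_checks(api):
    """Run the scenario types described above against `api`; return a list of findings."""
    now, findings = time.time(), []
    user_tok = make_token("alice", "user", now + 3600)
    status, _ = api("/admin/users", {"Authorization": "Bearer " + user_tok})
    if status != 403:                           # step-1 scenario: non-admin on /admin
        findings.append(f"broken access control: non-admin reached /admin (got {status})")
    abuse = {"missing": "", "expired": make_token("alice", "user", now - 1),
             "malformed": user_tok[:-4] + "zzzz"}   # signature no longer matches
    for kind, tok in abuse.items():
        status, _ = api("/admin/users", {} if kind == "missing" else {"Authorization": "Bearer " + tok})
        if status != 401:
            findings.append(f"token abuse: {kind} token accepted (got {status})")
    _, body = api("/users/me", {"Authorization": "Bearer " + user_tok})
    leaked = PII_FIELDS & set(body)            # field-level validation of the response
    if leaked:
        findings.append("sensitive data exposure: /users/me returns " + ", ".join(sorted(leaked)))
    return findings
```

Run against the stand-in it reports only the PII leak; point it at an API that answers 200 to everything and every check fires.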