offat

module
v0.22.0-beta Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 18, 2024 License: MIT

README ¶

OFFAT - OFFensive Api Tester

OffAT Logo

Automatically Tests for vulnerabilities after generating tests from openapi specification file. Project is in Beta stage, so sometimes it might crash while running.

UnDocumented petstore API endpoint HTTP method results

[!WARNING]
At the moment HTTP 2/3 aren't supported since fasthttpclient is used under the hood to increase performance. Visit FastHTTP README for more details

Security Checks

  • Restricted HTTP Method/Verb
  • BOLA
  • BOPLA/Mass Assignment
  • SQL Injection
  • Command Injection
  • XSS/HTML Injection
  • SSTI
  • SSRF
  • Data Exposure (Detects Common Data Exposures)
  • Broken Access Control
  • Broken Authentication

Features

  • Supports openAPI specification (OAS) Doc
  • Few Security Checks from OWASP API Top 10
  • Automated Testing
  • User Config Based Testing
  • API for Automating tests and Integrating Tool with other platforms/tools
  • CLI tool
  • Proxy Support
  • Hardened Docker Images
  • Open Source Tool with MIT License
  • Trigger scans in CI/CD using GitHub Action

Swagger files are not supported at the moment

Github Action

  • Create github action secret url for your repo
  • Setup github action workflow in your repo .github/workflows/offat.yml
name: OWASP OFFAT Sample Workflow

on:
  push:
    branches:
      - dev
      - main

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: "download OAS file"
        run: curl ${url} -o /tmp/oas.json
        env:
          url: ${{ secrets.url }}

      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/[email protected]
        with:
          file: /tmp/oas.json # or ${{ secrets.url }}
          rate_limit: 120
          artifact_retention_days: 1

Prefer locking action to specific version OWASP/[email protected] instead of using OWASP/OFFAT@main and bump OFFAT action version after testing.

Disclaimer

The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.

Read More

Installation

Using Homebrew
homebrew install owasp-offat/tap/offat
Using Go
Github Hosted Method

  • Install latest release using below command

    go install -v github.com/owasp-offat/offat/cmd/offat@latest

  • Install main/dev branch

    go install -v github.com/owasp-offat/offat/cmd/offat@main # install main branch
go install -v github.com/owasp-offat/offat/cmd/offat@dev  # install dev branch
Clone Method

  • Clone repository

    git clone https://github.com/OWASP/OFFAT

  • Go source code is stored in src directory

    cd src

  • Run Go install command

    go install ./...
Using Containers/Docker

  • CLI Tool

    docker run --rm dmdhrumilmistry/offat -h

Start OffAT

CLI Tool

  • Run offat

    offat -f oas.json              # using file
offat -f https://example.com/docs.json  # using url

    JSON and YAML formats are supported

  • To get all the commands use help

    offat -h

  • Save result in json

    offat -f oas.json -o output.json

  • Get curl command for making requests

    jq -r '.[].concurrent_response.response.curl_command' output.json

    jq tool is required to run above command

  • Run tests only for endpoint paths matching regex pattern

    offat -f oas.yml -pr '/user'

  • Add headers to requests

    offat -f oas.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'

  • Run Test with Requests Rate Limited

    offat -f oas.json -r 1000

    r: requests rate limit per second

  • Use along with proxy

    # without ssl check
offat -f oas.json -p http://localhost:8080 -o output.json

# without ssl check
offat -f oas.json -p http://localhost:8080 -o output.json -ns

    Make sure that proxy can handle multiple requests at the same time

  • For Data Leak detection, create a new data leakage detection file from this sample file owasp-offat-data-leak-patterns.yml

    offat -f oas.yaml -dl owasp-offat-data-leak-patterns.yml

[!WARNING]
Remember to include only patterns whose data can be probably found in your APIs, since detection process can lead to CPU spikes.

Open In Google Cloud Shell

  • Temporary Session

    Open in Cloud Shell

  • Perisitent Session

    Open in Cloud Shell

Have any Ideas 💡 or issue

Create an issue OR fork the repo, update script and create a Pull Request

Contributing

Refer CONTRIBUTIONS.md for contributing to the project.

LICENSE

OWASP OFFAT is distributed under MIT License. Refer License for more information.

Directories ¶

Path Synopsis
cmd
offat
pkg
fuzzer
http
logging
parser
report
tgen
Tests for unrestricted HTTP methods/verbs
 Tests for unrestricted HTTP methods/verbs
trunner
trunner/postrunner
utils

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.
JackTT - Gopher 🇻🇳