owasp / offat Goto Github PK

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.

Home Page: http://owasp.org/OFFAT/

License: MIT License

Ruby 0.05% HTML 8.17% Makefile 0.27% Python 91.50%

api-hacking api-rest api-security api-security-testing owasp offat

offat's Introduction

OWASP OFFAT

OWASP OFFAT (OFFensive Api Tester) is created to automatically test API for common vulnerabilities after generating tests from openapi specification file. It provides feature to automatically fuzz inputs and use user provided inputs during tests specified via YAML config file.

Demo

Note: The columns for 'data_leak' and 'result' in the table represent independent aspects. It's possible for there to be a data leak in the endpoint, yet the result for that endpoint may still be marked as 'Success'. This is because the 'result' column doesn't necessarily reflect the overall test result; it may indicate success even in the presence of a data leak.

Security Checks

Restricted HTTP Methods
SQLi
BOLA
Data Exposure
BOPLA / Mass Assignment
Broken Access Control
Basic Command Injection
Basic XSS/HTML Injection test

Features

Few Security Checks from OWASP API Top 10
Automated Testing
User Config Based Testing
API for Automating tests and Integrating Tool with other platforms/tools
CLI tool
Dockerized Project for Easy Usage
Open Source Tool with MIT License

Try Tool

Install Tool using pip

python -m pip install offat

Run Tool

offat -f swagger_file.json

For more usage options read README.md

offat's People

Contributors

Stargazers

Watchers

offat's Issues

Feature : Documentation

Documentation would requires more details for instance i got

1st lines indicate leak found ; yes but what can of leak ? , still the test passed successfully

2nd lines says Failed , but not a clear answer about why

having a 200 not clear why it is mentionned as suspicious ?

according to what i understood the datalleak is a parsing of sensitive data such as telephone as part of the returned payload ?
i got in mine for instance date, jwtToken, PhoneNumberIN, PhoneNumberUS
is that correct understanding ?

it is important to document here what the tooling is doing

Semaphore-Lock-Bug

This is raised when rate limit options are being used.

2023-10-28 14:02:10,820 - offat.tester.tester_utils - INFO - Checking for SQLi vulnerability: (tester_utils.py:76)
Traceback (most recent call last):
  File "/Users/apple/repos/OWASP/OFFAT/.venv/bin/offat", line 6, in <module>
    sys.exit(start())
             ^^^^^^^
  File "/Users/apple/repos/OWASP/OFFAT/src/offat/__main__.py", line 69, in start
    generate_and_run_tests(
  File "/Users/apple/repos/OWASP/OFFAT/src/offat/tester/tester_utils.py", line 78, in generate_and_run_tests
    results += run_test(test_runner=test_runner, tests=sqli_fuzz_tests, regex_pattern=regex_pattern)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/apple/repos/OWASP/OFFAT/src/offat/tester/tester_utils.py", line 36, in run_test
    test_results = run(test_runner.run_tests(tests))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/apple/.pyenv/versions/3.11.3/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/Users/apple/.pyenv/versions/3.11.3/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/apple/.pyenv/versions/3.11.3/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/Users/apple/repos/OWASP/OFFAT/src/offat/tester/test_runner.py", line 119, in run_tests
    return await gather(*tasks)
           ^^^^^^^^^^^^^^^^^^^^
  File "/Users/apple/repos/OWASP/OFFAT/src/offat/tester/test_runner.py", line 89, in send_request
    response = await self._client.request(url=url, method=http_method, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/apple/repos/OWASP/OFFAT/src/offat/http.py", line 128, in request
    async with self._semaphore:
  File "/Users/apple/.pyenv/versions/3.11.3/lib/python3.11/asyncio/locks.py", line 15, in __aenter__
    await self.acquire()
  File "/Users/apple/.pyenv/versions/3.11.3/lib/python3.11/asyncio/locks.py", line 379, in acquire
    fut = self._get_loop().create_future()
          ^^^^^^^^^^^^^^^^
  File "/Users/apple/.pyenv/versions/3.11.3/lib/python3.11/asyncio/mixins.py", line 20, in _get_loop
    raise RuntimeError(f'{self!r} is bound to a different event loop')
RuntimeError: <asyncio.locks.Semaphore object at 0x1052ba790 [locked]> is bound to a different event loop
Unclosed client session

Support for HTTP/2

If I understand correctly, OFFAT does not currently work for HTTP/2? I tried to fuzz some API that uses HTTP/2, but OFFAT produces

RemoteDisconnected('Remote end closed connection without response')

Is support for this planned in the future?

False negative related to SQL Injection

The endpoint: https://brokencrystals.com/api/testimonials/count?query=%27 is vulnerable to an SQL injection

The endpoint does NOT return 50X error when the SQL injection occurs, thus: STATUS_CODE_FILTER doesn't catch it

I believe it would be a smart idea to look for common SQL errors such as:
' - unterminated quoted string at or near "'"

Other errors are listed here:
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection

I can't easily find one 'list' that has all the SQL errors

Need to be able to skip SSL Verification

Option -s , enables SSL verification and is on by default.

Testing within environments where there are self signed certs, is causing the tool to fail.

Debian (Kali) Certificate for this server is in ca-certificates folder and added. Error message is as follows, server name changed, etc.

[16:49:44] INFO Checking whether host example.com:443 is available tester_utils.py:41
ERROR Unable to connect to host example.com:443 due to error: SSLCertVerificationError(1, tester_utils.py:49
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate
chain (_ssl.c:1006)')
ERROR Stopping tests due to unavailibility of host: example.com:443

Also, it appears your error message has the incorrect spelling of unavailability. :)

False positive on SSTI check

Broken Crystals is a demo site (listed here: https://owasp.org/www-project-vulnerable-web-applications-directory/ ) that can be used for testing your skills/software

The site highlights a few false positives that the engine generates, the most notable one is this one:

A few issues here:

The value of 49 appears unrelated to user input
There is no user input here, i.e. no where to put the payload in - from what I can see in the code, {7*7} is not sent - this test should have been skipped or at the very least:
A. Check if the 49 appears without sending anything
B. If it appears because of our payload, try another similar payload like {8*8} and if that also matches - return it as vulnerable

{
      "url": "https://brokencrystals.com:443/api/secrets",
      "endpoint": "/api/secrets",
      "method": "GET",
      "body_params": [],
      "query_params": [],
      "path_params": [],
      "security": [],
      "test_name": "SSTI Test",
      "malicious_payload": "*{7*7}",
      "result_details": "One or more parameter is vulnerable to SSTI Attack",
      "response_filter": "BODY_REGEX_FILTER",
      "response_match_regex": "49",
      "request_headers": {
        "Host": "brokencrystals.com",
        "Accept": "*/*",
        "Accept-Encoding": "gzip, deflate",
        "User-Agent": "Python/3.10 aiohttp/3.9.5"
      },
      "response_headers": {
        "Date": "Mon, 06 May 2024 06:30:00 GMT",
        "Content-Type": "application/json; charset=utf-8",
        "Content-Length": "1186",
        "Connection": "keep-alive",
        "Vary": "Origin",
        "Access-Control-Allow-Origin": "*",
        "x-xss-protection": "0",
        "strict-transport-security": "max-age=15724800; includeSubDomains",
        "x-content-type-options": "1",
        "content-security-policy": "default-src  * 'unsafe-inline' 'unsafe-eval'",
        "Set-Cookie": "bc-calls-counter=1714977000008"
      },
      "response_body": "{\"codeclimate\":\"CODECLIMATE_REPO_TOKEN=62864c476ade6ab9d10d0ce0901ae2c211924852a28c5f960ae5165c1fdfec73\",\"facebook\":\"EAACEdEose0cBAHyDF5HI5o2auPWv3lPP3zNYuWWpjMrSaIhtSvX73lsLOcas5k8GhC5HgOXnbF3rXRTczOpsbNb54CQL8LcQEMhZAWAJzI0AzmL23hZByFAia5avB6Q4Xv4u2QVoAdH0mcJhYTFRpyJKIAyDKUEBzz0GgZDZD\",\"google_b64\":\"QUl6YhT6QXlEQnbTr2dSdEI1W7yL2mFCX3c4PPP5NlpkWE65NkZV\",\"google_oauth\":\"188968487735-c7hh7k87juef6vv84697sinju2bet7gn.apps.googleusercontent.com\",\"google_oauth_token\":\"ya29.a0TgU6SMDItdQQ9J7j3FVgJuByTTevl0FThTEkBs4pA4-9tFREyf2cfcL-_JU6Trg1O0NWwQKie4uGTrs35kmKlxohWgcAl8cg9DTxRx-UXFS-S1VYPLVtQLGYyNTfGp054Ad3ej73-FIHz3RZY43lcKSorbZEY4BI\",\"heroku\":\"herokudev.staging.endosome.975138 pid=48751 request_id=0e9a8698-a4d2-4925-a1a5-113234af5f60\",\"hockey_app\":\"HockeySDK: 203d3af93f4a218bfb528de08ae5d30ff65e1cf\",\"outlook\":\"https://outlook.office.com/webhook/7dd49fc6-1975-443d-806c-08ebe8f81146@a532313f-11ec-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8436f62b50ab41b3b93ba1c0a50a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18\",\"paypal\":\"access_token$production$x0lb4r69dvmmnufd$3ea7cb281754b7da7dac131ef5783321\",\"slack\":\"xoxo-175588824543-175748345725-176608801663-826315f84e553d482bb7e73e8322sdf3\"}",
      "response_status_code": 200,
      "redirection": "()",
      "error": false,
      "regex_match_result": "<re.Match object; span=(717, 719), match='49'>",
      "result": false,
      "data_leak": {
        "ato_data": ["access_token"],
        "PhoneNumberIN": [
          [
            "188968487735",
            "",
            "",
            "",
            "",
            "",
            "188968487735",
            "188968487735",
            "",
            ""
          ],
          [
            "175588824543",
            "",
            "",
            "",
            "",
            "",
            "175588824543",
            "175588824543",
            "",
            ""
          ],
          [
            "175748345725",
            "",
            "",
            "",
            "",
            "",
            "175748345725",
            "175748345725",
            "",
            ""
          ],
          [
            "176608801663",
            "",
            "",
            "",
            "",
            "",
            "176608801663",
            "176608801663",
            "",
            ""
          ]
        ]
      }
    },

Additional tokens for `data_leak`

I would suggest to add the following to the list we currently have:

google_oauth_token
google_oauth
google_b64
awsBucket
xoxo-
(used by slack)
https://outlook.office.com/webhook/

Feature : Output filter

as the tools generate a lot of test more than 3.6k in for my small use case
it might be interesting to log in the output file only the failure via a dedicated flag, this help focusing on what really matter

Host/Server Parsing Bug leading to scan crash

          Hi @dmdhrumilmistry . As per your suggestion I have tried using offat with Python 3.11. But Unfortunately I am getting the same error:

Originally posted by @puriaayush01 in #45 (comment)

API Testing Error

I'm encountering an error whenever I attempt to test an API (which is an open-source API). However, when I utilize the following link (https://petstore.swagger.io/v2/swagger.json), the OFFAT Tool functions properly. Could you kindly assist me with resolving this issue?

Install Error

Hello. I made the recommended command for installing Tools, but this error returns and does not complete the installation. Has anyone here ever been through this situation?

Strange values instead of Payloads

I believe an issue with many of the false negative I am seeing:

def fill_params(params: list[dict], is_v3: bool) -> list[dict]:
    """fills params for OAS/swagger specs"""
    schema_params = []
    for index in range(len(params)):
        param_type = (
            params[index].get("schema", {}).get("type")
            if is_v3
            else params[index].get("type")
        )
        param_is_required = params[index].get("required")
        param_in = params[index].get("in")
        param_name = params[index].get("name", "")

        param_value = fuzz_type_value(param_type=param_type, param_name=param_name)

        if params[index].get("schema"):
            schema_type = params[index].get("schema", {}).get("type")
            if schema_type == "object":
                schema_obj = params[index].get("schema", {}).get("properties", {})
                filled_schema_params = fill_schema_params(
                    schema_obj, param_in, param_is_required
                )
            else:
                filled_schema_params = [
                    {
                        "in": param_in,
                        "name": param_name,
                        "required": param_is_required,
                        "value": param_value,
                    }
                ]

            schema_params.append(filled_schema_params)
        else:
            params[index]["value"] = param_value

This code does:

Incorrectly store the string attribute - causing feature calls to the params to not see it as a string
Overwrites the default value instead for example using the example field if it exists

I don't quite understand if this overwriting is intentional or not

Further the code could be easily written as:
for index, _ in enumerate(params):

Instead of:
for index in range(len(params)):

I believe the minimal fix to get it working would be to, change this:

                filled_schema_params = [
                    {
                        "in": param_in,
                        "name": param_name,
                        "required": param_is_required,
                        "value": param_value,
                    }
                ]

To this:

                filled_schema_params = [
                    {
                        "in": param_in,
                        "name": param_name,
                        "required": param_is_required,
                        "value": param_value,
                        "type": param_type
                    }
                ]

Make output more clear if the endpoint is or not vulnerable

At the moment the outcome of endpoint testing is very "human" oriented and very "grammar" sensitive, meaning that a person needs to read each sentence and use logic to understand if the endpoint is or not vulnerable, for example:
Parameters are not vulnerable to SQLi Payload

vs
One or more parameter is vulnerable to SQL Injection Attack

While this is very human way of describing the outcome, going over a report that has a few hundred or thousands of endpoint and trying to find which one are vulnerable is not an easy task

May I suggest two things:

Add a config option that allows returning only endpoints that have a vulnerability (it seems OFFAT returns everything)
Make the outcome True/False rather than textual, result returns True when not vulnerable is the opposite of what people would expect, maybe changing this to vulnerable field and returning True/False or adding a new field called vulnerable that will return True/False when its vulnerable

False negative in OS Injection

The endpoint:
https://brokencrystals.com/api/spawn

Is vulnerable to OS command injection via the command value, passing it cat /etc/passwd will return:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash

Issue running the OFFAT tool to scan Open Source API's

Hi @dmdhrumilmistry ,
I tried using the OFFAT Tool, it did work when I use the https://petstore.swagger.io/v2/swagger.json, but when I try using other open source API's swagger.json, the tool fails to run and throws errors. I tried using multiple API's but it throws error for all of them. I tried to compare the JSON file, it's almost similar. So just wanted to understand what the issue is!

Also, do you have any documentation on what has to be inserted when we use the Docker to Run the tool. Like what should be the user input for "OpenAPI" in the api/v1/scan?

`PhoneNumberIN` returns empty values in the array

Testing of https://brokencrystals.com/api/secrets returns empty fields in the array of leaked information:

"data_leak": {
        "ato_data": ["access_token"],
        "PhoneNumberIN": [
          [
            "188968487735",
            "",
            "",
            "",
            "",
            "",
            "188968487735",
            "188968487735",
            "",
            ""
          ],
          [
            "175588824543",
            "",
            "",
            "",
            "",
            "",
            "175588824543",
            "175588824543",
            "",
            ""
          ],
          [
            "175748345725",
            "",
            "",
            "",
            "",
            "",
            "175748345725",
            "175748345725",
            "",
            ""
          ],
          [
            "176608801663",
            "",
            "",
            "",
            "",
            "",
            "176608801663",
            "176608801663",
            "",
            ""
          ]
        ]
      }
    },

Add automated tests

Currently each and every PR raised need to be tested manually. Add automated tests using pytest/unittest library which can test PR before merging using Github actions.

Installation fails on Ubuntu / venv

Recreate:

mkdir /tmp/test
cd /tmp/test
python3 -mvenv venv
source venv/bin/activate
pip3 install offat

Results in:

ERROR: Could not find a version that satisfies the requirement offat (from versions: none)
ERROR: No matching distribution found for offat

[feature] capability to set Host and port , and even basePath

Hello

given than an OAS spec can be used in various implementation ( dev , uat, prod)
the server section is not always accurate

it would be great to be able to override the setting with a command like this

offat -f .\openapi.yml http://myHost:myPort/myPath

notice it is not as same as setting a proxy

this use case it taken into consideration for tooling such as prism or vaccum