Skip to content
This repository has been archived by the owner on Apr 15, 2024. It is now read-only.

Latest commit

 

History

History
279 lines (195 loc) · 8.58 KB

README.md

File metadata and controls

279 lines (195 loc) · 8.58 KB
Raw

OFFAT - OFFensive Api Tester

OffAT Logo

Automatically Tests for vulnerabilities after generating tests from openapi specification file. Project is in Beta stage, so sometimes it might crash while running.

UnDocumented petstore API endpoint HTTP method results

Notice

Project proposal has been approved by the OWASP Foundation. As a result, OFFAT will now be taken care of within the OWASP Repository and will go by the name OWASP OFFAT.

For the most up-to-date releases and updates, be sure to check out the OWASP OFFAT Repository at this link.

Security Checks

  • Restricted HTTP Methods
  • SQLi
  • BOLA (Might need few bug fixes)
  • Data Exposure (Detects Common Data Exposures)
  • BOPLA / Mass Assignment
  • Broken Access Control
  • Basic Command Injection
  • Basic XSS/HTML Injection test
  • Broken Authentication

Features

  • Few Security Checks from OWASP API Top 10
  • Automated Testing
  • User Config
  • API for Automating tests and Integrating Tool with other platforms/tools
  • CLI tool
  • Dockerized Project for Easy Usage
  • Open Source Tool with MIT License

Demo

asciicast

PyPi Downloads

Upload offat Python Package to PyPi

Period Count
Weekly Downloads
Monthy Downloads
Total Downloads

Disclaimer

The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.

Read More

Join Our Discord Community

Join our Discord server!

Installation

Using pip

  • Install main branch using pip

    python3 -m pip install git+https://github.com/dmdhrumilmistry/offat.git

  • Install Release from PyPi

    python3 -m pip install offat        # only cli tool
python3 -m pip install offat[api]   # cli + api

Using Containers

Docker

  • Build Image

    make build-local-images

  • CLI Tool

    docker run --rm dmdhrumilmistry/offat

  • API

    docker compose up -d

    POST openapi documentation to /api/v1/scan/ endpoint with its valid type (json/yaml); job_id will be returned, job_id should

Manual Method

  • Open terminal

  • Install git package

    sudo apt install git python3 -y

  • Install Poetry

  • clone the repository to your machine

    git clone https://github.com/dmdhrumilmistry/offat.git

  • Change directory

    cd offat

  • install with poetry

    # without options
poetry install

Start OffAT

API

CLI Tool

  • Run offat

    offat -f swagger_file.json

  • To get all the commands use help

    offat -h

  • Run tests only for endpoint paths matching regex pattern

    offat -f swagger_file.json -pr '/user'

  • Add headers to requests

    offat -f swagger_file.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'

  • Run Test with Requests Rate Limited

    offat -f swagger_file.json -rl 1000 -dr 0.001

    rl: requests rate limit, dr: delay between requests

  • Use user provided inputs for generating tests

    offat -f swagger_file.json -tdc test_data_config.yaml

    test_data_config.yaml

    actors:
- actor1:
    request_headers:
      - name: Authorization
        value: Bearer [Token1]
      - name: User-Agent
        value: offat-actor1

    query:
      - name: id
        value: 145
        type: int
      - name: country
        value: uk
        type: str
      - name: city
        value: london
        type: str

    body:
      - name: name
        value: actorone
        type: str
      - name: email
        value: actorone@example.com
        type: str
      - name: phone
        value: +11233211230
        type: str

    unauthorized_endpoints: # For broken access control
      - '/store/order/.*'

- actor2:
    request_headers:
      - name: Authorization
        value: Bearer [Token2]
      - name: User-Agent
        value: offat-actor2

    query:
      - name: id
        value: 199
        type: int
      - name: country
        value: uk
        type: str
      - name: city
        value: leeds
        type: str

    body:
      - name: name
        value: actortwo
        type: str
      - name: email
        value: actortwo@example.com
        type: str
      - name: phone
        value: +41912312311
        type: str

If you're using Termux or windows, then use pip instead of pip3.
Few features are only for linux os, hence they might not work on windows and require admin priviliges.

Open In Google Cloud Shell

  • Temporary Session
    Open in Cloud Shell
  • Perisitent Session
    Open in Cloud Shell

Have any Ideas 💡 or issue

  • Create an issue
  • Fork the repo, update script and create a Pull Request

Contributing

Refer CONTRIBUTIONS.md for contributing to the project.

LICENSE

Offat is distributed under MIT License. Refer License for more information.

Connect With Me

Platforms
GitHub LinkedIn Twitter
Instagram Blog Youtube