OWASP / OFFAT

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
http://owasp.org/OFFAT/
MIT License
453 stars 64 forks

Need to be able to skip SSL Verification #114

Closed mr-tomr closed 3 months ago

mr-tomr commented 3 months ago

Option -s enables SSL verification and is on by default.

Testing within environments where there are self-signed certs is causing the tool to fail.

Debian (Kali): the certificate for this server is in the ca-certificates folder and has been added. The error message is as follows (server name changed, etc.):

[16:49:44] INFO     Checking whether host example.com:443 is available                                    tester_utils.py:41
           ERROR    Unable to connect to host example.com:443 due to error: SSLCertVerificationError(1,   tester_utils.py:49
                    '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate
                    chain (_ssl.c:1006)')
           ERROR    Stopping tests due to unavailibility of host: example.com:443

Also, it appears your error message has the incorrect spelling of unavailability. :)

nrathaus commented 3 months ago

@mr-tomr At the moment there is no code that supports self-signed certificates (i.e. not verifying SSL certificates)

Can you provide a patch to support it?

nrathaus commented 3 months ago

https://github.com/OWASP/OFFAT/pull/115

dmdhrumilmistry commented 3 months ago

fixed in latest release: https://github.com/OWASP/OFFAT/releases

sev-hack commented 2 months ago

Hello @dmdhrumilmistry @nrathaus

Still have the problem with skipping SSL verification with self-signed certificates.

Tested on OFFAT v0.19.1, the output is the same as @mr-tomr mentioned

Is it possible to skip SSL verification at all?

nrathaus commented 2 months ago

Please provide the cmdline you used

sev-hack commented 2 months ago

Thanks for the fast response!

Used this cmd:

offat -f scheme-openapi.yml -H 'Authorization: Bearer XXX' -rl 10 --server "https://internal-example.io/"

nrathaus commented 2 months ago

I found the bug, it is related to two things (see PR) if you want to see what

sev-hack commented 2 months ago

@nrathaus thanks!

Do I understand correctly that there will be no SSL validation by default (in the next OFFAT release)?

dmdhrumilmistry commented 2 months ago

> I found the bug, it is related to two things (see PR) if you want to see what

I'll release the latest version right away

dmdhrumilmistry commented 2 months ago

> @nrathaus thanks!
>
> Do I understand correctly that there will be no SSL validation by default (in the next OFFAT release)?

Yes! If you need to enforce SSL then you can use -s or --ssl-verify flag
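
A worked example of the toggle described in this thread, added here and not OFFAT's own code: it models the post-fix CLI (`-s`/`--ssl-verify`, off by default as stated above) and maps that choice onto the `ssl` argument that aiohttp's `ClientSession`/`TCPConnector` accept (`False` is what silences a `ClientConnectorCertificateError`), alongside the alternative a practitioner usually wants for a self-signed lab host: trusting that host's CA bundle so chain and hostname checks stay on. The `--ca-bundle` flag, `DemoRunner` and the function names are assumptions for the illustration; aiohttp itself is not imported, so the example runs offline.

```python
"""Illustration (not OFFAT code): routing a skip-SSL-verification choice to aiohttp.

aiohttp accepts ``ssl=None`` (default verification against system CAs),
``ssl=False`` (no certificate checks at all) or ``ssl=<ssl.SSLContext>``
on ClientSession / TCPConnector.  ``-s/--ssl-verify`` mirrors the thread;
``--ca-bundle`` is an assumed flag added for this example.
"""
import argparse
import ssl
from typing import List, Optional, Tuple, Union

SslOption = Union[None, bool, ssl.SSLContext]


def parse_cli(argv: List[str]) -> Tuple[bool, Optional[str]]:
    """Post-fix behaviour from the thread: verification is OFF unless -s is given."""
    parser = argparse.ArgumentParser(prog="offat-demo", add_help=False)
    parser.add_argument("-s", "--ssl-verify", dest="ssl_verify",
                        action="store_true", default=False,
                        help="enforce TLS certificate verification")
    parser.add_argument("--ca-bundle", dest="ca_bundle", default=None,
                        help="(assumed flag) PEM bundle of a lab/self-signed CA to trust")
    args = parser.parse_args(argv)
    return args.ssl_verify, args.ca_bundle


def build_ssl_option(ssl_verify: bool, ca_bundle: Optional[str] = None) -> SslOption:
    """Map the CLI choice to the value passed as ``ssl=`` to aiohttp.

    ssl_verify=False            -> False (skip every check; the thread's fix)
    ssl_verify=True, no bundle  -> None  (system trust store, the library default)
    ssl_verify=True + ca_bundle -> SSLContext trusting that bundle, hostname check kept

    The third form is what to prefer for self-signed hosts: an impersonating
    server presenting a different certificate is still rejected, unlike with
    ssl=False.
    """
    if not ssl_verify:
        return False
    if ca_bundle is None:
        return None
    # Raises OSError if the bundle path does not exist or is unreadable.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_ssl_option(opt: SslOption) -> str:
    """Human-readable summary, useful for logging what the runner will actually do."""
    if opt is False:
        return "verification disabled"
    if opt is None:
        return "system CA verification"
    if isinstance(opt, ssl.SSLContext):
        if opt.verify_mode == ssl.CERT_REQUIRED and opt.check_hostname:
            return "custom CA verification"
        return "context without full verification"
    raise TypeError(f"unexpected ssl option: {opt!r}")


class DemoRunner:
    """Stand-in for a TestRunner-style class (assumed name).

    The second bug in the thread was that the parsed flag never reached the
    runner, which kept its own default.  Taking the ssl option as a required
    constructor argument (no default) turns that omission into a TypeError at
    construction time instead of a silent fallback to verification.
    """

    def __init__(self, ssl_option: SslOption) -> None:
        self.ssl_option = ssl_option

    def connector_kwargs(self) -> dict:
        # What would be spread into aiohttp.TCPConnector(**kwargs).
        return {"ssl": self.ssl_option}


def runner_from_argv(argv: List[str]) -> DemoRunner:
    """Wire CLI -> ssl option -> runner in one place so the flag cannot be dropped."""
    ssl_verify, ca_bundle = parse_cli(argv)
    return DemoRunner(build_ssl_option(ssl_verify, ca_bundle))


if __name__ == "__main__":
    for argv in ([], ["-s"]):
        runner = runner_from_argv(argv)
        print(argv, "->", describe_ssl_option(runner.ssl_option))
```

The design point is that the runner takes the already-built `ssl` value rather than a boolean with a default: if a caller forgets to pass it, construction fails loudly instead of quietly reverting to verification, which is exactly the failure mode reported later in this thread.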

sev-hack commented 2 months ago

@dmdhrumilmistry @nrathaus tested on the new version, got the following output:

ERROR    Unable to send request due to error: RetryError[<Future at 0x108a62ef0 state=finished       runner.py:150
                    raised ClientConnectorCertificateError>]
           ERROR    {'self': <offat.tester.runner.TestRunner object at 0x106398760>, 'test_task': {'url':       runner.py:151
                    'https://internal-example.io:443/support/routes', 'endpoint':
                    '/support/routes', 'method': 'POST', 'body_params': [{'type': 'string', 'format': 'uuid',
                    'value': "{{7*'7'}}", 'name': 'dc_city_id', 'required': True, 'in': 'body'}, {'type':
                    'string', 'format': 'uuid', 'value': "{{7*'7'}}", 'name': 'target_city_id', 'required':
                    True, 'in': 'body'}, {'type': 'string', 'enum': ['qq', 'ww'], 'value': "{{7*'7'}}",
                    'name': 'distributor_code', 'required': True, 'in': 'body'}], 'query_params': [],
                    'path_params': [], 'security': [], 'test_name': 'SSTI Test', 'args': (), 'kwargs': {'json':
                    {'dc_city_id': "{{7*'7'}}", 'target_city_id': "{{7*'7'}}", 'distributor_code':
                    "{{7*'7'}}"}}, 'malicious_payload': "{{7*'7'}}", 'vuln_details': {True: 'One or more
                    parameter is vulnerable to SSTI Attack', False: 'Parameters are not vulnerable to SSTI
                    Attack'}, 'response_filter': 'BODY_REGEX_FILTER', 'response_match_regex': '49',
                    'request_headers': [], 'response_headers': [], 'response_body': 'No Response Body Found',
                    'response_status_code': -1, 'redirection': '', 'error': True}, 'url':
                    'https://internal-example.io:443/support/routes', 'http_method':
                    'POST', 'args': (), 'kwargs': {'json': {'dc_city_id': "{{7*'7'}}", 'target_city_id':
                    "{{7*'7'}}", 'distributor_code': "{{7*'7'}}"}}, 'body_params': [{'type': 'string',
                    'format': 'uuid', 'value': "{{7*'7'}}", 'name': 'dc_city_id', 'required': True, 'in':
                    'body'}, {'type': 'string', 'format': 'uuid', 'value': "{{7*'7'}}", 'name':
                    'target_city_id', 'required': True, 'in': 'body'}, {'type': 'string', 'enum': ['qq',
                    'ww'], 'value': "{{7*'7'}}", 'name': 'distributor_code', 'required': True, 'in': 'body'}],
                    'query_params': [], 'test_result': {'url':
                    'https://internal-example.io:443/support/routes', 'endpoint':
                    '/support/routes', 'method': 'POST', 'body_params': [{'type': 'string', 'format': 'uuid',
                    'value': "{{7*'7'}}", 'name': 'dc_city_id', 'required': True, 'in': 'body'}, {'type':
                    'string', 'format': 'uuid', 'value': "{{7*'7'}}", 'name': 'target_city_id', 'required':
                    True, 'in': 'body'}, {'type': 'string', 'enum': ['qq', 'ww'], 'value': "{{7*'7'}}",
                    'name': 'distributor_code', 'required': True, 'in': 'body'}], 'query_params': [],
                    'path_params': [], 'security': [], 'test_name': 'SSTI Test', 'args': (), 'kwargs': {'json':
                    {'dc_city_id': "{{7*'7'}}", 'target_city_id': "{{7*'7'}}", 'distributor_code':
                    "{{7*'7'}}"}}, 'malicious_payload': "{{7*'7'}}", 'vuln_details': {True: 'One or more
                    parameter is vulnerable to SSTI Attack', False: 'Parameters are not vulnerable to SSTI
                    Attack'}, 'response_filter': 'BODY_REGEX_FILTER', 'response_match_regex': '49',
                    'request_headers': [], 'response_headers': [], 'response_body': 'No Response Body Found',
                    'response_status_code': -1, 'redirection': '', 'error': True}, 'e': RetryError(<Future at
                    0x108a62ef0 state=finished raised ClientConnectorCertificateError>)}

What could be the problem?

nrathaus commented 2 months ago

The problem is a client-side certificate, as the error states

As this seems to be a commercial version - I think it's appropriate that you either provide a patch or sponsor the work of the author of this tool

dmdhrumilmistry commented 2 months ago

> The problem is a client-side certificate, as the error states
>
> As this seems to be a commercial version - I think it's appropriate that you either provide a patch or sponsor the work of the author of this tool

Thanks, @nrathaus. @sev-hack contributions are accepted for the project in any possible way.

It turned out that ssl_verify was not being passed to TestRunner, so it was using the default True value.

Patch: https://github.com/OWASP/OFFAT/pull/129

nrathaus commented 2 months ago

sev-hack's issue is related to OFFAT supporting client-side certificates

dmdhrumilmistry commented 2 months ago

> @dmdhrumilmistry @nrathaus tested on the new version, got the following output:
>
> [...]
>
> What could be the problem?

This has been patched, you can use the latest version v0.19.3

sev-hack commented 2 months ago

Hi there @dmdhrumilmistry @nrathaus !

Thank you again for the fast fix, now it works as expected.