OWASP / OFFAT

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
http://owasp.org/OFFAT/
MIT License

Issue with running the tool #140

Closed puriaayush01 closed 3 weeks ago

puriaayush01 commented 1 month ago

Hi @dmdhrumilmistry / @OWASPFoundation / @nrathaus ,

1) I wanted to know if the OFFAT tool can run for the VAmPI API?

You can clone the project from https://github.com/erev0s/VAmPI and run app.py to start the server. The JSON file can be found at this URL: http://127.0.0.1:5000/openapi.json

2) In case I have a bearer token or the client id & secret (which is used to generate the token) to authenticate my API, what changes do I need to make in the case of OpenAPI v3?

Could you guide me if that works for you?

Thanks!

dmdhrumilmistry commented 1 month ago
  1. Server URL is missing in JSON file.

     (screenshot)

     Fix:

     (screenshots)

  2. Currently, we haven't added any feature that can accept secrets from OAS docs and use them during the scan. But we have the functionality of providing the headers using the -H flag.

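The two points above (a spec with no server URL, and auth supplied only via -H) as an added example that is not OFFAT's own code: it adds a top-level OAS v3 `servers` entry when one is missing (the assumed content of the screenshot fix) and builds the offat argv with the -f and -H flags shown in this thread. The spec document is constructed to resemble what a local VAmPI instance serves.

```python
import json
import shlex
from copy import deepcopy
from typing import List, Optional

# Constructed minimal OAS v3 document, modelled on what a local VAmPI instance
# serves at http://127.0.0.1:5000/openapi.json, deliberately lacking "servers".
SPEC_WITHOUT_SERVERS = {
    "openapi": "3.0.0",
    "info": {"title": "VAmPI", "version": "0.1"},
    "paths": {"/users/v1": {"get": {"responses": {"200": {"description": "ok"}}}}},
}


def ensure_servers(spec: dict, base_url: str) -> dict:
    """Return a copy of the spec with a usable top-level 'servers' list.

    The scanner needs a base URL to build request targets. If the document has
    no 'servers' entry (or only entries without a 'url'), add the URL the API
    is actually served from; otherwise leave the author's entries untouched.
    """
    fixed = deepcopy(spec)
    servers = fixed.get("servers") or []
    if not any(isinstance(s, dict) and s.get("url") for s in servers):
        fixed["servers"] = [{"url": base_url.rstrip("/")}]
    return fixed


def build_offat_command(spec_path: str, bearer_token: Optional[str] = None) -> List[str]:
    """Build the offat argv: -f for the spec, -H for each header (flags from the thread).

    Kept in argv form so the token is never interpolated by a shell; shlex.quote is
    applied only when rendering the command for display.
    """
    argv = ["offat", "-f", spec_path, "-H", "Accept: application/json"]
    if bearer_token:
        argv += ["-H", f"Authorization: Bearer {bearer_token}"]
    return argv


def main() -> None:
    fixed = ensure_servers(SPEC_WITHOUT_SERVERS, "http://127.0.0.1:5000")
    with open("openapi_fixed.json", "w") as fh:
        json.dump(fixed, fh, indent=2)
    # "<JWT>" is a placeholder; supply the real token from the environment, not a file.
    argv = build_offat_command("openapi_fixed.json", "<JWT>")
    print(" ".join(shlex.quote(a) for a in argv))


if __name__ == "__main__":
    main()
```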
puriaayush01 commented 1 month ago

It works for me; thank you @dmdhrumilmistry !

Regarding the Header Flag, I attempted to run an API documentation that requires an access token for authorization, so I passed the bearer token along with the header:

offat -f swagger_file.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'

However, I'm facing some issues. Would it be possible for us to connect over a Teams call or Google Meet? This way, I can clearly explain what I'm trying to achieve. Without the authorization, the OFFAT tool is unable to test each endpoint.

dmdhrumilmistry commented 1 month ago

Sure, you can ping me on Discord, id: dmdhrumilmistry

dmdhrumilmistry commented 3 weeks ago

Closing due to inactivity.