OWASP / OFFAT

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
http://owasp.org/OFFAT/
MIT License

Feature : Documentation #71

Closed LasneF closed 5 months ago

LasneF commented 6 months ago

Documentation would require more details; for instance I got

image

1st line indicates leak found; yes, but what kind of leak? Still, the test passed successfully.

2nd line says Failed, but not a clear answer about why.

image

Having a 200, it is not clear why it is mentioned as suspicious?

According to what I understood, the data leak is a parsing of sensitive data such as telephone numbers as part of the returned payload? I got in mine for instance date, jwtToken, PhoneNumberIN, PhoneNumberUS. Is that a correct understanding?

It is important to document here what the tooling is doing.

dmdhrumilmistry commented 6 months ago

Documentation would require more details; for instance I got

image

1st line indicates leak found; yes, but what kind of leak? Still, the test passed successfully.

2nd line says Failed, but not a clear answer about why.

image

Having a 200, it is not clear why it is mentioned as suspicious?

According to what I understood, the data leak is a parsing of sensitive data such as telephone numbers as part of the returned payload? I got in mine for instance date, jwtToken, PhoneNumberIN, PhoneNumberUS. Is that a correct understanding?

It is important to document here what the tooling is doing.

For time being I've separated Data Leak and API test, so currently they're interpreted individually.

Yes, telephone number could be leading to failure of Data leak test.

I'll make the necessary changes for data leak tests to be reflected in the overall API test results.

LasneF commented 5 months ago

Maybe add as well a filter on the reporting HTML file.

I am still not clear on what this kind of output means:

Test Name: BOPLA Test
Test Result: ❌ Failed
Result Details: Endpoint might be vulnerable to BOPLA Test
Response Filter: STATUS_CODE_FILTER
Data Leak: No Data Leakage Found

We need to have further details on what STATUS_CODE_FILTER means.

dmdhrumilmistry commented 5 months ago

Maybe add as well a filter on the reporting HTML file.

I am still not clear on what this kind of output means:

Test Name: BOPLA Test
Test Result: ❌ Failed
Result Details: Endpoint might be vulnerable to BOPLA Test
Response Filter: STATUS_CODE_FILTER
Data Leak: No Data Leakage Found

We need to have further details on what STATUS_CODE_FILTER means.

HTML report is kinda buggy at the moment and I'm not planning to update it any time soon. There are several challenges while handling HTML reports, such as sanitizing and formatting data correctly, which can be tricky, and if I miss something it can lead to security issues.

STATUS_CODE_FILTER is used internally to find indicators of vulnerability in a few cases after receiving the response from the API server.

https://github.com/OWASP/OFFAT/blob/ce7086c3a26cb6ba469e6741b0f0f753814240ec/src/offat/tester/post_test_processor.py#L183

I've clarified the usage of data_leak and result columns in the results table in README.md files for now.

PR: https://github.com/OWASP/OFFAT/pull/77
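To make the two columns discussed above concrete, here is an added illustration (not OFFAT's code; the set of suspicious status codes, the detector regexes and all function names are assumptions for this example) of a post-test processor that applies a status-code filter and a separate data-leak scan, which is why a 200 can fail a test while the data-leak column is reported independently:

```python
import re
from dataclasses import dataclass, field

# Constructed illustration of how a post-test processor can derive the
# "Test Result", "Response Filter" and "Data Leak" columns seen in the thread.
# Hypothetical code, not OFFAT's implementation.
STATUS_CODE_FILTER = "STATUS_CODE_FILTER"

# Patterns standing in for the sensitive-data detectors named in the thread
# (jwtToken, PhoneNumberUS). Constructed for this example only.
DATA_LEAK_PATTERNS = {
    "jwtToken": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b"),
    "PhoneNumberUS": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}

@dataclass
class TestResult:
    test_name: str
    status_code: int
    body: str
    # Assumption for this example: a 2xx answer to a request that should
    # have been rejected (e.g. extra object properties in a BOPLA test)
    # is the indicator of vulnerability the status-code filter looks for.
    suspicious_codes: tuple = (200, 201)
    vulnerable: bool = False
    response_filter: str = ""
    data_leaks: list = field(default_factory=list)

def apply_status_code_filter(result: TestResult) -> TestResult:
    """Mark the endpoint as possibly vulnerable when the status code is suspicious."""
    result.response_filter = STATUS_CODE_FILTER
    result.vulnerable = result.status_code in result.suspicious_codes
    return result

def find_data_leaks(result: TestResult) -> TestResult:
    """Scan the response body; this is independent of the pass/fail verdict."""
    result.data_leaks = [name for name, rx in DATA_LEAK_PATTERNS.items()
                         if rx.search(result.body)]
    return result

def process(result: TestResult) -> TestResult:
    return find_data_leaks(apply_status_code_filter(result))

def report_line(r: TestResult) -> str:
    verdict = "Failed" if r.vulnerable else "Passed"
    leak = ", ".join(r.data_leaks) if r.data_leaks else "No Data Leakage Found"
    return (f"Test Name: {r.test_name} | Test Result: {verdict} | "
            f"Response Filter: {r.response_filter} | Data Leak: {leak}")
```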

dmdhrumilmistry commented 5 months ago

Closing issue due to inactivity.