OWASP / OFFAT

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
http://owasp.org/OFFAT/
MIT License

Strange values instead of Payloads #98

Closed nrathaus closed 1 month ago

nrathaus commented 2 months ago

I believe this is an issue with many of the false negatives I am seeing:

```python
def fill_params(params: list[dict], is_v3: bool) -> list[dict]:
    """fills params for OAS/swagger specs"""
    schema_params = []
    for index in range(len(params)):
        param_type = (
            params[index].get("schema", {}).get("type")
            if is_v3
            else params[index].get("type")
        )
        param_is_required = params[index].get("required")
        param_in = params[index].get("in")
        param_name = params[index].get("name", "")

        param_value = fuzz_type_value(param_type=param_type, param_name=param_name)

        if params[index].get("schema"):
            schema_type = params[index].get("schema", {}).get("type")
            if schema_type == "object":
                schema_obj = params[index].get("schema", {}).get("properties", {})
                filled_schema_params = fill_schema_params(
                    schema_obj, param_in, param_is_required
                )
            else:
                filled_schema_params = [
                    {
                        "in": param_in,
                        "name": param_name,
                        "required": param_is_required,
                        "value": param_value,
                    }
                ]

            schema_params.append(filled_schema_params)
        else:
            params[index]["value"] = param_value
```

This code does:

  1. Incorrectly stores the string attribute, causing feature calls to the params to not see it as a string
  2. Overwrites the default value instead of, for example, using the example field if it exists

I don't quite understand if this overwriting is intentional or not.

Further, the code could easily be written as `for index, _ in enumerate(params):`

instead of `for index in range(len(params)):`

I believe the minimal fix to get it working would be to change this:

```python
                filled_schema_params = [
                    {
                        "in": param_in,
                        "name": param_name,
                        "required": param_is_required,
                        "value": param_value,
                    }
                ]
```

To this:

```python
                filled_schema_params = [
                    {
                        "in": param_in,
                        "name": param_name,
                        "required": param_is_required,
                        "value": param_value,
                        "type": param_type
                    }
                ]
```

nrathaus commented 2 months ago

https://github.com/OWASP/OFFAT/pull/99

dmdhrumilmistry commented 1 month ago

The respective PR has been merged and it should reduce the number of false positives as mentioned.