flipkart-incubator / Astra

Automated Security Testing For REST API's
Apache License 2.0

Testing GET request returns error #51

Closed sugarjig closed 6 years ago

sugarjig commented 6 years ago

I'm trying to follow the instructions to get started, but I'm not getting very far. I have pulled the Mongo image and built the CLI Docker image. I'm running the service I want to test locally, and now I'm trying to run the following command, replacing <token> with a valid token I obtain ahead of time:

docker run --rm -it --link astra-mongo:mongo astra-cli -u http://docker.for.mac.localhost:8080/v1/users/me --headers '{"Authorization": "Bearer <token>"}'

I get the following stack trace:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/local/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "./astra.py", line 121, in modules_scan
    sqli_check(url,method,headers,body,scanid)
  File "/app/modules/sqli.py", line 116, in sqli_check
    set_option_status = set_options_list(url,method,headers,body,taskid)
  File "/app/modules/sqli.py", line 34, in set_options_list
    if options_list.status_code == 200:
AttributeError: 'NoneType' object has no attribute 'status_code'

I've also tried the same call in the Astra GUI, but I get "Broken Authentication and session management" and the API returning a 401. It's almost as if Astra is not properly sending the Authorization header.

Is there something I'm missing from the command? Am I supposed to pass the command a valid token?

sagarpo commented 6 years ago

@sugarjig, how are you passing the Authorization header? It should be in proper JSON format. Example: {"Auth-header": "Auth-header-value"}
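The two things this thread turns on are the shape of the `--headers` argument (a flat JSON object of string values, as sagarpo describes) and the traceback, where `set_options_list` reads `.status_code` off a response that is `None` because the request itself never completed. The following is an added example, not Astra's own code: it shows a strict parser for a `--headers` value and a response check that reports a failed request and a 401 separately instead of crashing. The `fake_send` client and its behaviour are constructed stand-ins for an HTTP library, so the block runs offline; the function names are assumptions, not Astra's.

```python
import json
from typing import Callable, Dict, Optional, Tuple


class HeaderArgError(ValueError):
    """Raised when a --headers value is not a flat JSON object of strings."""


def parse_headers_arg(raw: str) -> Dict[str, str]:
    """Parse a --headers argument such as '{"Authorization": "Bearer <token>"}'.

    Accepts only a JSON object whose values are strings, and rejects names or
    values containing CR/LF so a header can never smuggle a second header line.
    """
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise HeaderArgError(f"--headers is not valid JSON: {exc.msg}") from None
    if not isinstance(parsed, dict):
        raise HeaderArgError(
            f"--headers must be a JSON object, got {type(parsed).__name__}")
    headers: Dict[str, str] = {}
    for name, value in parsed.items():
        if not isinstance(value, str):
            raise HeaderArgError(f"header {name!r} must have a string value")
        if any(ch in name or ch in value for ch in "\r\n"):
            raise HeaderArgError(f"header {name!r} contains a line break")
        headers[name] = value
    return headers


def describe_headers_arg(raw: str) -> str:
    """Return 'ok' or the validation error message (convenient for CLI output)."""
    try:
        parse_headers_arg(raw)
    except HeaderArgError as exc:
        return str(exc)
    return "ok"


class FakeResponse:
    """Minimal stand-in for an HTTP client response (constructed for this example)."""

    def __init__(self, status_code: int) -> None:
        self.status_code = status_code


def fake_send(url: str, headers: Dict[str, str]) -> Optional[FakeResponse]:
    """Constructed HTTP client: None models a request that could not be made
    (the situation behind the 'NoneType' traceback), 401 models a rejected or
    missing Authorization header, 200 models an accepted bearer token."""
    if not url.startswith(("http://", "https://")):
        return None
    if headers.get("Authorization", "").startswith("Bearer "):
        return FakeResponse(200)
    return FakeResponse(401)


def options_allowed(send: Callable[[str, Dict[str, str]], Optional[FakeResponse]],
                    url: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Check an endpoint the way set_options_list does, but without assuming
    the client returned a response object. Returns (ok, reason)."""
    response = send(url, headers)
    if response is None:
        # The original code dereferenced this and raised AttributeError.
        return False, "no response (request failed before a status was received)"
    if response.status_code == 401:
        return False, "401: Authorization header missing or rejected by the API"
    return response.status_code == 200, f"status {response.status_code}"


if __name__ == "__main__":
    raw = '{"Authorization": "Bearer <token>"}'  # same form as the command in the issue
    hdrs = parse_headers_arg(raw)
    print(options_allowed(fake_send, "http://docker.for.mac.localhost:8080/v1/users/me", hdrs))
    print(describe_headers_arg("{Authorization: Bearer x}"))
```

Running the block with the header string from the issue yields an accepted request against the fake client, while an unquoted header name, a JSON array, or a non-string value is reported as a usage error before any request is sent, which is where a CLI should fail rather than deep inside a scanner module.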

sugarjig commented 6 years ago

AFAIK, I'm passing the header correctly. The command I'm executing has --headers '{"Authorization": "Bearer <token>"}'

sagarpo commented 6 years ago

@sugarjig Have you tried the same through the web interface? Are you getting the same error for web interface as well?

sugarjig commented 6 years ago

Yes, I have tried it through the GUI. The error I get there is "Broken Authentication and session management" with a payload from our service that matches that expected when the token is incorrect or missing.

sagarpo commented 6 years ago

@sugarjig I will look into this. Give me some time.

YUNUS0407 commented 4 months ago

hello everyone

YUNUS0407 commented 4 months ago

my commit