OFFAT - OFFensive Api Tester

Automatically Tests for vulnerabilities after generating tests from openapi specification file. Project is in Beta stage, so sometimes it might crash while running.

[!WARNING]
At the moment HTTP 2/3 aren't supported since fasthttpclient is used under the hood to increase performance. Visit FastHTTP README for more details

Security Checks

• [x] Restricted HTTP Method/Verb
• [x] BOLA
• [x] BOPLA/Mass Assignment
• [x] SQL Injection
• [x] Command Injection
• [x] XSS/HTML Injection
• [x] SSTI
• [x] SSRF
• [x] Data Exposure (Detects Common Data Exposures)
• [ ] Broken Access Control
• [ ] Broken Authentication

Features

• Supports openAPI specification (OAS) Doc
• Few Security Checks from OWASP API Top 10
• Automated Testing
• User Config Based Testing
• API for Automating tests and Integrating Tool with other platforms/tools
• CLI tool
• Proxy Support
• Hardened Docker Images
• Open Source Tool with MIT License
• Trigger scans in CI/CD using GitHub Action

Swagger files are not supported at the moment

Github Action

• Create github action secret url for your repo
• Setup github action workflow in your repo .github/workflows/offat.yml

name: OWASP OFFAT Sample Workflow

on:
  push:
    branches:
      - dev
      - main

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: "download OAS file"
        run: curl ${url} -o /tmp/oas.json
        env:
          url: ${{ secrets.url }}

      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/OFFAT@v0.20.0
        with:
          file: /tmp/oas.json # or ${{ secrets.url }}
          rate_limit: 120
          artifact_retention_days: 1

Prefer locking action to specific version OWASP/OFFAT@v0.20.0 instead of using OWASP/OFFAT@main and bump OFFAT action version after testing.

Disclaimer

The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.

Read More

Installation

Using Homebrew

homebrew install owasp-offat/tap/offat

Using Go

Github Hosted Method

• Install latest release using below command

  go install -v github.com/owasp-offat/offat/cmd/offat@latest

• Install main/dev branch

  go install -v github.com/owasp-offat/offat/cmd/offat@main # install main branch
  go install -v github.com/owasp-offat/offat/cmd/offat@dev  # install dev branch

Clone Method

• Clone repository

  git clone https://github.com/OWASP/OFFAT

• Go source code is stored in src directory

  cd src

• Run Go install command

  go install ./...

Using Containers/Docker

• CLI Tool

  docker run --rm dmdhrumilmistry/offat -h

Start OffAT

CLI Tool

• Run offat

  offat -f oas.json              # using file
  offat -f https://example.com/docs.json  # using url

  JSON and YAML formats are supported

• To get all the commands use help

  offat -h

• Save result in json

  offat -f oas.json -o output.json

• Get curl command for making requests

  jq -r '.[].concurrent_response.response.curl_command' output.json

  jq tool is required to run above command

• Run tests only for endpoint paths matching regex pattern

  offat -f oas.yml -pr '/user'

• Add headers to requests

  offat -f oas.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'

• Run Test with Requests Rate Limited

  offat -f oas.json -r 1000

  r: requests rate limit per second

• Use along with proxy

  # without ssl check
  offat -f oas.json -p http://localhost:8080 -o output.json
  
  # without ssl check
  offat -f oas.json -p http://localhost:8080 -o output.json -ns

  Make sure that proxy can handle multiple requests at the same time

• For Data Leak detection, create a new data leakage detection file from this sample file owasp-offat-data-leak-patterns.yml

  offat -f oas.yaml -dl owasp-offat-data-leak-patterns.yml

[!WARNING]
Remember to include only patterns whose data can be probably found in your APIs, since detection process can lead to CPU spikes.

Open In Google Cloud Shell

• Temporary Session

  

• Perisitent Session

  

Have any Ideas 💡 or issue

Create an issue OR fork the repo, update script and create a Pull Request

Contributing

Refer CONTRIBUTIONS.md for contributing to the project.

LICENSE

OWASP OFFAT is distributed under MIT License. Refer License for more information.