Automatically tests for vulnerabilities after generating tests from an OpenAPI specification file. The project is in beta, so it may occasionally crash while running.
> [!WARNING]
> At the moment HTTP/2 and HTTP/3 aren't supported, since the fasthttp client is used under the hood to increase performance. Visit the FastHTTP README for more details.
> Swagger files are not supported at the moment.
Store the OAS file URL as a repository secret named `url`, then add the workflow below as `.github/workflows/offat.yml` in your repo:
```yaml
name: OWASP OFFAT Sample Workflow

on:
  push:
    branches:
      - dev
      - main

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: "download OAS file"
        run: curl ${url} -o /tmp/oas.json
        env:
          url: ${{ secrets.url }}

      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/OFFAT@v0.20.0
        with:
          file: /tmp/oas.json # or ${{ secrets.url }}
          rate_limit: 120
          artifact_retention_days: 1
```
Prefer pinning the action to a specific version (`OWASP/OFFAT@v0.20.0`) instead of using `OWASP/OFFAT@main`, and bump the OFFAT action version after testing.
The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.
Install using Homebrew:

```bash
brew install owasp-offat/tap/offat
```
Install the latest release using the command below:

```bash
go install -v github.com/owasp-offat/offat/cmd/offat@latest
```

Install the main/dev branch:

```bash
go install -v github.com/owasp-offat/offat/cmd/offat@main # install main branch
go install -v github.com/owasp-offat/offat/cmd/offat@dev # install dev branch
```

Or build from source. Clone the repository:

```bash
git clone https://github.com/OWASP/OFFAT
```

The Go source code is stored in the `src` directory:

```bash
cd src
```

Run the Go install command:

```bash
go install ./...
```
### CLI Tool

Run with Docker:

```bash
docker run --rm dmdhrumilmistry/offat -h
```

Run offat:

```bash
offat -f oas.json # using file
offat -f https://example.com/docs.json # using url
```

JSON and YAML formats are supported.

To list all the commands, use help:

```bash
offat -h
```

Save the result as JSON:

```bash
offat -f oas.json -o output.json
```
Get the curl command for making requests:

```bash
jq -r '.[].concurrent_response.response.curl_command' output.json
```

The `jq` tool is required to run the above command.
Run tests only for endpoint paths matching a regex pattern:

```bash
offat -f oas.yml -pr '/user'
```

Add headers to requests:

```bash
offat -f oas.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'
```

Run tests with requests rate limited:

```bash
offat -f oas.json -r 1000
```

`-r`: requests rate limit per second
Use along with a proxy:

```bash
# with ssl check
offat -f oas.json -p http://localhost:8080 -o output.json

# without ssl check
offat -f oas.json -p http://localhost:8080 -o output.json -ns
```

Make sure that the proxy can handle multiple requests at the same time.
For data leak detection, create a new data leakage detection file from this sample file: owasp-offat-data-leak-patterns.yml

```bash
offat -f oas.yaml -dl owasp-offat-data-leak-patterns.yml
```

> [!WARNING]
> Remember to include only patterns whose data is likely to be found in your APIs, since the detection process can cause CPU spikes.
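The warning above exists because every pattern is run over every response body, so a broad pattern set costs CPU on each request. The following added example (not OFFAT's own detector) shows the shape of such a check: a small name-to-regex pattern set is compiled once, scanned over constructed response bodies with a per-pattern match cap, and timed per pattern so the expensive ones can be identified and dropped. The README does not show the schema of `owasp-offat-data-leak-patterns.yml`, so the mapping format here is an assumption and is embedded as a dict rather than loaded from YAML; the sample bodies and the AWS key value (Amazon's documented example key) are constructed test data.

```python
import re
import time

# Assumed pattern-file shape: name -> regex. Kept narrow and anchored with \b
# where possible so each pattern fails fast on bodies that do not contain it.
PATTERNS = {
    "email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "aws_access_key_id": r"\bAKIA[0-9A-Z]{16}\b",
    "jwt": r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b",
}

# Constructed response bodies keyed by endpoint, standing in for scan results.
RESPONSES = {
    "/api/v1/health": '{"status":"ok","uptime":12345}',
    "/api/v1/user/2": (
        '{"id":2,"name":"Alice","email":"alice@example.com",'
        '"session":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyIn0.sig_part",'
        '"debug":{"aws_key":"AKIAIOSFODNN7EXAMPLE"}}'
    ),
}


def compile_patterns(patterns):
    """Compile all patterns up front; a malformed regex fails here, not per request."""
    compiled = {}
    for name, expr in patterns.items():
        try:
            compiled[name] = re.compile(expr)
        except re.error as exc:
            raise ValueError(f"pattern {name!r} is invalid: {exc}") from exc
    return compiled


def scan_body(body, compiled, max_matches_per_pattern=50):
    """Return {pattern_name: [matched strings]} for patterns that hit.
    The cap bounds work on bodies that repeat a leaked value many times."""
    findings = {}
    for name, regex in compiled.items():
        hits = []
        for m in regex.finditer(body):
            hits.append(m.group(0))
            if len(hits) >= max_matches_per_pattern:
                break
        if hits:
            findings[name] = hits
    return findings


def scan_responses(responses, compiled):
    """Scan every endpoint body; only endpoints with at least one finding are returned."""
    report = {}
    for endpoint, body in responses.items():
        found = scan_body(body, compiled)
        if found:
            report[endpoint] = found
    return report


def profile_patterns(responses, compiled):
    """Seconds spent per pattern across all bodies, to spot patterns worth removing."""
    cost = {}
    for name, regex in compiled.items():
        start = time.perf_counter()
        for body in responses.values():
            for _ in regex.finditer(body):
                pass
        cost[name] = time.perf_counter() - start
    return cost


if __name__ == "__main__":
    compiled = compile_patterns(PATTERNS)
    for endpoint, found in scan_responses(RESPONSES, compiled).items():
        print(endpoint, found)
    print(profile_patterns(RESPONSES, compiled))
```

Patterns with nested or unbounded repetition (for example `(\w+\s?)+$`) can backtrack heavily on long bodies; `profile_patterns` makes that visible on a representative sample before the set is handed to `-dl`.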
Create an issue or fork the repo, update the script and create a Pull Request. Refer to CONTRIBUTIONS.md for contributing to the project.

OWASP OFFAT is distributed under the MIT License. Refer to the License for more information.