To regenerate pytest fixtures and test methods dynamically from OpenAPI spec and Cloudvector APIShark events
Project description
This README file helps to provide instructions on how to make use of the ImpACT tool.
ImpACT
Imperva API Continuous Testing (ImpACT) tool is designed to uncover the most common security issues such OWASP Top 10 vulnerabilities during early phases of application development. Users provide information on the APIs to be tested in the form of one or more OpenAPI Specification files and ImpACT parse this structured data to construct code that is factored to fuzz the API endpoints with a variety of input. The current version of ImpACT makes use of FuzzDB as the fuzzing pattern database.
ImpACT produces an easy to understand report of summary and detailed information on vulnerabilities found during the execution of tests. This may include findings such as authorization/authentication bypasses, SQL and OS command injections, path traversal issues and other OWASP Top 10 API vulnerabilities. The report also provides links to commands that can easily reproduce the issue.
Prerequisites
Python>=3.8 and pip on Windows/Mac/Linux based machines.
One or more OpenAPI Specification files (Currently supported v2 only) belonging to an application against which the tests can be run.
Root Directory of Tests
Create a root test directory where the necessary input OpenAPI spec files and config files can be placed. This is the place where all the output of ImpACT is going to be present. As an example assume the directory is named as "Test". Change to this directory.
$ cd Test
Create Virtual Environment
Create a new python >=3.8 virtual environment and activate it. Below example uses the name 'venv' for virtual environment name
$ python -m venv venv
$ source venv/bin/activate
Install/Upgrade ImpACT latest version
(venv) $ pip install -U impactrun
Create/Place the Input Files Under Root Directory
Under the root directory (in our example Test), create a subdirectory called "specs". Place the OpenAPI Spec files under this "specs" folder. Go to the root (Test folder). Move back to the Root (Test) folder.
Config
In Root folder (Test) create a file 'cv_config.yaml'. Create the following content in the file. Include all the fuzz attack list or few of them as per requirement.
execution_info:
dhostname: "" # This is the host target where the application can be accessed. Eg., https://example.com
dcviast_max_value_to_fuzz: "1" # Number of fuzz values to try from each attack category
fuzzattacklist: json,'control-chars','string-expansion','server-side-include' # This is the fuzz attacklist to choose from different attack categories
# Full Attack List is here
# fuzzattacklist = [
# 'control-chars', 'string-expansion', 'server-side-include', 'xpath', 'unicode', 'html_js_fuzz','disclosure-directory',
# 'xss', 'os-cmd-execution', 'disclosure-source', 'format-strings', 'xml', 'integer-overflow', 'path-traversal',
# 'json', 'mimetypes', 'redirect', 'os-dir-indexing', 'no-sql-injection', 'authentication', 'http-protocol',
# 'business-logic', 'disclosure-localpaths/unix', 'file-upload/malicious-images', 'sql-injection/detect',
# 'sql-injection/exploit', 'sql-injection/payloads-sql-blind']
Authentication Information
ImpACT needs to authenticate to the API endpoint to successfully fuzz the resource. The current version of ImpACT allows users to provide the authentication information in the form of a header that is accepted by the application in a file called "properties.yaml". Create the file "properties.yaml" and add the token/cookie information or any other needed headers as accepted by the application. Format of "properties.yaml" is like below:
headers:
'Content-Type': 'application/json'
'Authorization': 'Bearer xxxxxxxxxxxxxxxxxxxx'
Generate fuzzing test for all the specs
With a given ImpACT version and a set of specs, you need to only run this once to generate the test code.
(venv) $ impactrun --generate-tests or impactrun -g
Upon successful execution of above command, the test files are generated under the folder(s), <spec_filename_as_in_specs_folder>_tests.
Running Tests
To start the tests execute below command:
(venv) $ impactrun --execute-tests or impactrun -e
While the test execution is going on, user can check for the execution log by running the below command:
(venv) $ tail -f cviast_execution_log.txt
After the test is complete, the report is saved in a folder "new_report" with the name 'report_summary_.html'. In addition, a file called
fordev-apis_<timestamp>.csv
is generated. This is a highlevel summary for consumption of a dev team. It highlight just the API endpoints that seem to "fail" the test, ie.
responding positively instead of rejecting the fuzz calls. Please feel free to import such CSV report to a spreadsheet.
The test results are stored in
results
results/perapi
results/perattack
Test can run for a long time, so one can adjust the spec and the collection of attacks in cv_config.yaml
to stage each run. Test results of different test will not over-write each other.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file impactrun-2.0.0.tar.gz
.
File metadata
- Download URL: impactrun-2.0.0.tar.gz
- Upload date:
- Size: 7.7 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.8.0
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 411d14ea6cf97088e6f90c92a75d804b7f95d9711f189ec41cd7c0e7e1c3f049 |
|
MD5 | 97de3b29ac12a144330c8e95da23ab83 |
|
BLAKE2b-256 | 7f37ad4bc02bd34b6a1d6a4c014b13d70101439c0648c2f1174d7fa8457b40ec |
File details
Details for the file impactrun-2.0.0-py3-none-any.whl
.
File metadata
- Download URL: impactrun-2.0.0-py3-none-any.whl
- Upload date:
- Size: 7.8 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.8.0
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 876cea7b1bc0107a46d4c38d8678a1670d26687ea1a038381448927c457c1395 |
|
MD5 | 71db2fe6824d29156a419242d57f8eb2 |
|
BLAKE2b-256 | 9861a6bef39c40a660ef0da8a9c1ea76dcfeaf2462f619ac5329d8d4a79d0660 |