Skip to main content

To regenerate pytest fixtures and test methods dynamically from OpenAPI spec and Cloudvector APIShark events

Project description

This README file helps to provide instructions on how to make use of the ImpACT tool.

ImpACT

Imperva API Continuous Testing (ImpACT) tool is designed to uncover the most common security issues such OWASP Top 10 vulnerabilities during early phases of application development. Users provide information on the APIs to be tested in the form of one or more OpenAPI Specification files and ImpACT parse this structured data to construct code that is factored to fuzz the API endpoints with a variety of input. The current version of ImpACT makes use of FuzzDB as the fuzzing pattern database.

ImpACT produces an easy to understand report of summary and detailed information on vulnerabilities found during the execution of tests. This may include findings such as authorization/authentication bypasses, SQL and OS command injections, path traversal issues and other OWASP Top 10 API vulnerabilities. The report also provides links to commands that can easily reproduce the issue.

Prerequisites

Python>=3.8 and pip on Windows/Mac/Linux based machines.
One or more OpenAPI Specification files (Currently supported v2 only) belonging to an application against which the tests can be run.

Root Directory of Tests

Create a root test directory where the necessary input OpenAPI spec files and config files can be placed. This is the place where all the output of ImpACT is going to be present. As an example assume the directory is named as "Test". Change to this directory.

$ cd Test

Create Virtual Environment

Create a new python >=3.8 virtual environment and activate it. Below example uses the name 'venv' for virtual environment name

$ python -m venv venv
$ source venv/bin/activate

Install/Upgrade ImpACT latest version

(venv) $ pip install -U impactrun

Create/Place the Input Files Under Root Directory

Under the root directory (in our example Test), create a subdirectory called "specs". Place the OpenAPI Spec files under this "specs" folder. Go to the root (Test folder). Move back to the Root (Test) folder.

Config

In Root folder (Test) create a file 'cv_config.yaml'. Create the following content in the file. Include all the fuzz attack list or few of them as per requirement.

execution_info:
  dhostname: ""  # This is the host target where the application can be accessed. Eg., https://example.com
  dcviast_max_value_to_fuzz: "1"  # Number of fuzz values to try from each attack category
  fuzzattacklist: json,'control-chars','string-expansion','server-side-include'  # This is the fuzz attacklist to choose from different attack categories

# Full Attack List is here
# fuzzattacklist = [
#    'control-chars', 'string-expansion', 'server-side-include', 'xpath', 'unicode', 'html_js_fuzz','disclosure-directory',
#    'xss', 'os-cmd-execution', 'disclosure-source', 'format-strings', 'xml', 'integer-overflow', 'path-traversal',
#    'json', 'mimetypes', 'redirect', 'os-dir-indexing', 'no-sql-injection', 'authentication', 'http-protocol',
#    'business-logic', 'disclosure-localpaths/unix', 'file-upload/malicious-images', 'sql-injection/detect',
#    'sql-injection/exploit', 'sql-injection/payloads-sql-blind']

Authentication Information

ImpACT needs to authenticate to the API endpoint to successfully fuzz the resource. The current version of ImpACT allows users to provide the authentication information in the form of a header that is accepted by the application in a file called "properties.yaml". Create the file "properties.yaml" and add the token/cookie information or any other needed headers as accepted by the application. Format of "properties.yaml" is like below:

headers:
  'Content-Type': 'application/json'
  'Authorization': 'Bearer xxxxxxxxxxxxxxxxxxxx'

Generate fuzzing test for all the specs

With a given ImpACT version and a set of specs, you need to only run this once to generate the test code.

(venv) $ impactrun --generate-tests or impactrun -g

Upon successful execution of above command, the test files are generated under the folder(s), <spec_filename_as_in_specs_folder>_tests.

Running Tests

To start the tests execute below command:

(venv) $ impactrun --execute-tests or impactrun -e

While the test execution is going on, user can check for the execution log by running the below command:

(venv) $ tail -f cviast_execution_log.txt

After the test is complete, the report is saved in a folder "new_report" with the name 'report_summary_.html'. In addition, a file called fordev-apis_<timestamp>.csv is generated. This is a highlevel summary for consumption of a dev team. It highlight just the API endpoints that seem to "fail" the test, ie. responding positively instead of rejecting the fuzz calls. Please feel free to import such CSV report to a spreadsheet.

The test results are stored in

results
results/perapi
results/perattack

Test can run for a long time, so one can adjust the spec and the collection of attacks in cv_config.yaml to stage each run. Test results of different test will not over-write each other.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

impactrun-2.0.1.tar.gz (7.7 MB view details)

Uploaded Source

Built Distribution

impactrun-2.0.1-py3-none-any.whl (7.8 MB view details)

Uploaded Python 3

File details

Details for the file impactrun-2.0.1.tar.gz.

File metadata

  • Download URL: impactrun-2.0.1.tar.gz
  • Upload date:
  • Size: 7.7 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.8.0

File hashes

Hashes for impactrun-2.0.1.tar.gz
Algorithm Hash digest
SHA256 da3a1019ec89639bdf007e3aa560236caa4c7286b545034bdfd6427a23f7b361
MD5 6f89d16b125b90ca449051221f87532e
BLAKE2b-256 82f026d928760fc58a4ae7697bd0e37a4a2c9aefccf0bb3d075255de01bd3345

See more details on using hashes here.

File details

Details for the file impactrun-2.0.1-py3-none-any.whl.

File metadata

  • Download URL: impactrun-2.0.1-py3-none-any.whl
  • Upload date:
  • Size: 7.8 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.8.0

File hashes

Hashes for impactrun-2.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 ff1b8eef1a75463968f32e7ed40739aebab87f97bb5c74084d69e59290ec0c49
MD5 75552b974c3fb9eb6ecd21f91b6c2e5a
BLAKE2b-256 4dfcc5d3c548c45bd6aa32dc7764297c9cef3e73bd9ccbf404da7f4c61be57e2

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page