
Offensive API tester tool automates checks for common API vulnerabilities

Project description

OFFAT - OFFensive Api Tester


Automatically tests for vulnerabilities after generating tests from an OpenAPI specification file. The project is in Beta stage, so it might sometimes crash while running.

UnDocumented petstore API endpoint HTTP method results

Security Checks

  • Restricted HTTP Methods
  • SQLi
  • BOLA (might need a few bug fixes)
  • Data Exposure (Detects Common Data Exposures)
  • BOPLA / Mass Assignment
  • Broken Access Control
  • Basic Command Injection
  • Basic XSS/HTML Injection test
  • Broken Authentication

Features

  • Few Security Checks from OWASP API Top 10
  • Automated Testing
  • User Config Based Testing
  • API for Automating tests and Integrating Tool with other platforms/tools
  • CLI tool
  • Proxy Support
  • Dockerized Project for Easy Usage
  • Open Source Tool with MIT License

Demo



Disclaimer

The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.


Installation

Using pip

  • Install main branch using pip

    python3 -m pip install git+https://github.com/OWASP/OFFAT.git
    
  • Install Release from PyPi

    python3 -m pip install offat        # only cli tool
    python3 -m pip install offat[api]   # cli + api
    

Using Containers

Docker

  • Build Image

    make build-local-images
    
  • CLI Tool

    docker run --rm dmdhrumilmistry/offat
    
  • API

    docker compose up -d
    

    POST the OpenAPI documentation to the /api/v1/scan/ endpoint with its valid type (json/yaml); a job_id will be returned.

Manual Method

  • Open terminal

  • Install git and python3 packages

    sudo apt install git python3 -y
    
  • Install Poetry

  • Clone the repository to your machine

    git clone https://github.com/OWASP/OFFAT.git
    
  • Change directory

    cd offat
    
  • Install with poetry

    # without options
    poetry install
    

Start OffAT

API

CLI Tool

  • Run offat

    offat -f swagger_file.json              # using file
    offat -f https://example.com/docs.json  # using url
    
  • To get all the commands use help

    offat -h
    
  • Save the result in JSON, YAML or HTML format

    offat -f swagger_file.json -o output.json           # json
    offat -f swagger_file.json -o output.html -of html  # html
    offat -f swagger_file.json -o output.yaml -of yaml  # yaml
    

JSON is the default output format. The YAML output needs to be sanitized before use, since it dumps data as Python objects. The HTML format still needs more visualization work.

  • Run tests only for endpoint paths matching regex pattern

    offat -f swagger_file.json -pr '/user'
    
  • Add headers to requests

    offat -f swagger_file.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'
    
  • Run tests with rate-limited requests

    offat -f swagger_file.json -rl 1000 -dr 0.001
    

    -rl: requests rate limit, -dr: delay between requests

  • Use along with proxy

    offat -f swagger_file.json -p http://localhost:8080 --no-ssl -o output.json
    

    Make sure that the proxy can handle multiple requests at the same time.

  • Use user-provided inputs for generating tests

    offat -f swagger_file.json -tdc test_data_config.yaml
    

    test_data_config.yaml

    actors:
        - actor1:
              request_headers:
                  - name: Authorization
                    value: Bearer [Token1]
                  - name: User-Agent
                    value: offat-actor1
    
              query:
                  - name: id
                    value: 145
                    type: int
                  - name: country
                    value: uk
                    type: str
                  - name: city
                    value: london
                    type: str
    
              body:
                  - name: name
                    value: actorone
                    type: str
                  - name: email
                    value: actorone@example.com
                    type: str
                  - name: phone
                    value: +11233211230
                    type: str
    
              unauthorized_endpoints: # For broken access control
                  - "/store/order/.*"
    
        - actor2:
              request_headers:
                  - name: Authorization
                    value: Bearer [Token2]
                  - name: User-Agent
                    value: offat-actor2
    
              query:
                  - name: id
                    value: 199
                    type: int
                  - name: country
                    value: uk
                    type: str
                  - name: city
                    value: leeds
                    type: str
    
              body:
                  - name: name
                    value: actortwo
                    type: str
                  - name: email
                    value: actortwo@example.com
                    type: str
                  - name: phone
                    value: +41912312311
                    type: str
    
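Added example (not part of OFFAT): the README's test_data_config.yaml expressed as the dict yaml.safe_load would return, a validator for the name/value/type entries it uses, and a preview of which spec paths each actor's `unauthorized_endpoints` cover after an optional `-pr`-style path filter. The actor tokens and the petstore-like spec paths are constructed, and it is an assumption that the regexes are applied with `re.search` and mark paths the actor must be denied on.

```python
import re

# Constructed config mirroring the README's test_data_config.yaml, written as the
# dict that yaml.safe_load would return (actor tokens are placeholders).
TEST_DATA_CONFIG = {"actors": [
    {"actor1": {
        "request_headers": [{"name": "Authorization", "value": "Bearer [Token1]"},
                            {"name": "User-Agent", "value": "offat-actor1"}],
        "query": [{"name": "id", "value": 145, "type": "int"},
                  {"name": "city", "value": "london", "type": "str"}],
        "body": [{"name": "email", "value": "actorone@example.com", "type": "str"}],
        "unauthorized_endpoints": ["/store/order/.*"],  # BAC check: actor1 must be denied here
    }},
    {"actor2": {
        "request_headers": [{"name": "Authorization", "value": "Bearer [Token2]"}],
        "query": [{"name": "id", "value": "199", "type": "int"}],  # deliberate type mismatch
        "body": [],
    }},
]}

# Constructed sample of paths from a petstore-like OpenAPI spec.
SPEC_PATHS = ["/pet/{petId}", "/store/order", "/store/order/{orderId}", "/user/{username}"]

TYPE_MAP = {"int": int, "str": str, "float": float}

def validate_config(config):
    """Return problems found in an actor config; an empty list means it is usable."""
    problems = []
    for entry in config.get("actors", []):
        for actor, cfg in entry.items():
            for section in ("query", "body"):
                for p in cfg.get(section, []):
                    py_type = TYPE_MAP.get(p.get("type"))
                    if py_type is None or not isinstance(p.get("value"), py_type):
                        problems.append(f"{actor}.{section}.{p.get('name')}: value/type mismatch")
            for h in cfg.get("request_headers", []):
                if not h.get("name") or not isinstance(h.get("value"), str):
                    problems.append(f"{actor}.request_headers: header needs name and string value")
            for pat in cfg.get("unauthorized_endpoints", []):
                try:
                    re.compile(pat)
                except re.error:
                    problems.append(f"{actor}: invalid regex {pat!r}")
    return problems

def denied_paths(config, spec_paths, path_filter=None):
    """Map each actor to the spec paths its unauthorized_endpoints cover, after an
    optional -pr style path filter (assumption: both regexes use re.search)."""
    selected = [p for p in spec_paths if path_filter is None or re.search(path_filter, p)]
    result = {}
    for entry in config.get("actors", []):
        for actor, cfg in entry.items():
            pats = cfg.get("unauthorized_endpoints", [])
            result[actor] = [p for p in selected if any(re.search(r, p) for r in pats)]
    return result
```

Running `validate_config` before a scan catches a value that does not match its declared type (here actor2's quoted id), and `denied_paths` shows which paths the broken access control check would expect a 401/403 on for each actor.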

If you're using Termux or Windows, then use pip instead of pip3.
A few features are Linux-only, hence they might not work on Windows and require admin privileges.

Open In Google Cloud Shell

  • Temporary Session
  • Persistent Session

Have any ideas 💡 or issues?

  • Create an issue
  • Fork the repo, update the script and create a Pull Request

Contributing

Refer to CONTRIBUTIONS.md for contributing to the project.

LICENSE

OffAT is distributed under the MIT License. Refer to LICENSE for more information.


Download files


Source Distribution

offat-0.14.0.tar.gz (29.9 kB), uploaded as Source

Built Distribution

offat-0.14.0-py3-none-any.whl (33.7 kB), uploaded for Python 3
