Offensive API tester tool automates checks for common API vulnerabilities
Project description
OFFAT - OFFensive Api Tester
Automatically Tests for vulnerabilities after generating tests from openapi specification file. Project is in Beta stage, so sometimes it might crash while running.
Features
- Restricted HTTP Methods
- SQLi
- BOLA (Might need few bug fixes)
- Data Exposure (Detects Common Data Exposures)
- BOPLA / Mass Assignment
- Broken Access Control
- Basic Command Injection
- Basic XSS/HTML Injection test
- Broken Authentication
Demo
PyPi Downloads
| Period | Count |
|---|---|
| Weekly |  |
| Monthy |  |
| Total |  |
Disclaimer
The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.
Join Our Discord Community
Installation
Using pip
-
Install main branch using pip
python3 -m pip install git+https://github.com/dmdhrumilmistry/offat.git
-
Install Release from PyPi
python3 -m pip install offat
Using Containers
Docker
-
Build Image
docker build -t offat .
Manual Method
-
Open terminal
-
Install git package
sudo apt install git python3 -y
-
Install Poetry
-
clone the repository to your machine
git clone https://github.com/dmdhrumilmistry/offat.git
-
Change directory
cd offat
-
install with poetry
# without options poetry install
Start OffAT
-
Run offat
offat -f swagger_file.json
-
To get all the commands use
helpoffat -h -
Run tests only for endpoint paths matching regex pattern
offat -f swagger_file.json -pr '/user'
-
Add headers to requests
offat -f swagger_file.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'
-
Run Test with Requests Rate Limited
offat -f swagger_file.json -rl 1000 -dr 0.001
rl: requests rate limit,dr: delay between requests -
Use user provided inputs for generating tests
offat -f swagger_file.json -tdc test_data_config.yaml
test_data_config.yamlactors: - actor1: request_headers: - name: Authorization value: Bearer [Token1] - name: User-Agent value: offat-actor1 query: - name: id value: 145 type: int - name: country value: uk type: str - name: city value: london type: str body: - name: name value: actorone type: str - name: email value: actorone@example.com type: str - name: phone value: +11233211230 type: str unauthorized_endpoints: # For broken access control - '/store/order/.*' - actor2: request_headers: - name: Authorization value: Bearer [Token2] - name: User-Agent value: offat-actor2 query: - name: id value: 199 type: int - name: country value: uk type: str - name: city value: leeds type: str body: - name: name value: actortwo type: str - name: email value: actortwo@example.com type: str - name: phone value: +41912312311 type: str
If you're using Termux or windows, then use
pipinstead ofpip3.
Few features are only for linux os, hence they might not work on windows and require admin priviliges.
Open In Google Cloud Shell
- Temporary Session
- Perisitent Session
Have any Ideas 💡 or issue
- Create an issue
- Fork the repo, update script and create a Pull Request
Contributing
Refer CONTRIBUTIONS.md for contributing to the project.
LICENSE
Offat is distributed under MIT License. Refer License for more information.
Connect With Me
| Platforms | ||
|---|---|---|
 |
 |
 |
 |
 |
 |
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
