Automatically tests for vulnerabilities after generating tests from an OpenAPI specification file. The project is in beta, so it might sometimes crash while running.
- Restricted HTTP Methods
- SQLi
- BOLA (Might need few bug fixes)
- Data Exposure (Detects Common Data Exposures)
- BOPLA / Mass Assignment
- Broken Access Control
- Basic Command Injection
- Basic XSS/HTML Injection test
- Basic SSTI test
- Broken Authentication
- Few Security Checks from OWASP API Top 10
- Automated Testing
- User Config Based Testing
- API for Automating tests and Integrating Tool with other platforms/tools
- CLI tool
- Proxy Support
- Secure Dockerized Project for Easy Usage
- Open Source Tool with MIT License
- GitHub Action
Note: The columns for 'data_leak' and 'result' in the table represent independent aspects. It's possible for there to be a data leak in the endpoint, yet the result for that endpoint may still be marked as 'Success'. This is because the 'result' column doesn't necessarily reflect the overall test result; it may indicate success even in the presence of a data leak.
- Create a GitHub Actions secret `url` for your repo
- Set up the GitHub Actions workflow in your repo at `.github/workflows/offat.yml`

```yaml
name: OWASP OFFAT Sample Workflow

on:
  push:
    branches:
      - dev
      - main

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: "download swagger/OAS file"
        run: curl ${url} -o /tmp/swagger.json
        env:
          url: ${{ secrets.url }}

      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/OFFAT@v0.17.3
        with:
          file: /tmp/swagger.json # or ${{ secrets.url }}
          rate_limit: 120
          artifact_retention_days: 1
```
Prefer locking the action to a specific version (`OWASP/OFFAT@v0.17.3`) instead of using `OWASP/OFFAT@main`, and bump the OFFAT action version after testing.
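To enforce the pinning advice in review or CI, the following added example (not part of the OFFAT project) audits a workflow file's `uses:` lines and flags refs that float on a branch such as `main`. The function names and the sample workflow text are constructed for illustration.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally as the first key of a step ("- uses:").
# Trailing comments such as "# OWASP/OFFAT@v0.17.3" are not part of the ref.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#@]+)@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")


def classify_ref(ref):
    """Return 'sha', 'version' or 'floating' for the part after '@'."""
    if SHA_RE.match(ref):
        return "sha"        # full commit SHA: cannot be moved
    if VERSION_RE.match(ref):
        return "version"    # release tag: what the README recommends
    return "floating"       # branch name such as main or dev


def audit_workflow(text):
    """Return (line_no, action, ref, kind) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            findings.append((line_no, action, ref, classify_ref(ref)))
    return findings


def floating_refs(text):
    """Only the findings that should fail a pinning check."""
    return [f for f in audit_workflow(text) if f[3] == "floating"]


# Constructed sample: the scanner step from the workflow, plus a pinned variant.
SAMPLE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/OFFAT@v0.17.3
      - name: "pinned variant"
        uses: OWASP/OFFAT@v0.17.3
"""

if __name__ == "__main__":
    for line_no, action, ref, kind in audit_workflow(SAMPLE):
        print(f"line {line_no}: {action}@{ref} -> {kind}")
```
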
The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.
- Install main branch using pip

  ```bash
  python3 -m pip install git+https://github.com/OWASP/OFFAT.git
  ```

- Install Release from PyPI

  ```bash
  python3 -m pip install offat       # only cli tool
  python3 -m pip install offat[api]  # cli + api
  ```

- Build Image

  ```bash
  make local
  ```

- CLI Tool

  ```bash
  docker run --rm dmdhrumilmistry/offat
  ```

- API

  ```bash
  docker compose up -d
  ```

  POST `openapi` documentation to the `/api/v1/scan/` endpoint with its valid `type` (`json`/`yaml`); `job_id` will be returned.
- Open terminal

- Install git package

  ```bash
  sudo apt install git python3 -y
  ```

- Install Poetry

- Clone the repository to your machine

  ```bash
  git clone https://github.com/OWASP/OFFAT.git
  ```

- Change directory

  ```bash
  cd offat
  ```

- Install with poetry

  ```bash
  # without options
  poetry install
  ```

- Start API Server

  ```bash
  python -m offat.api # OR offat-api
  ```

- API Documentation can be found at http://localhost:8000/docs
- Run offat

  ```bash
  offat -f swagger_file.json              # using file
  offat -f https://example.com/docs.json  # using url
  ```

- To get all the commands use `help`

  ```bash
  offat -h
  ```
- Save result in `json`, `yaml` or `html` formats.

  ```bash
  offat -f swagger_file.json -o output.json -of json # json
  offat -f swagger_file.json -o output.html -of html # html
  offat -f swagger_file.json -o output.yaml -of yaml # yaml
  ```

  `json` format is the default output format. `yaml` format needs to be sanitized before usage since it dumps data as Python objects. `html` format needs more visualization.
- Run tests only for endpoint paths matching regex pattern

  ```bash
  offat -f swagger_file.json -pr '/user'
  ```

- Add headers to requests

  ```bash
  offat -f swagger_file.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'
  ```

- Run Test with Requests Rate Limited

  ```bash
  offat -f swagger_file.json -rl 1000
  ```

  `rl`: requests rate limit per second

- Use along with proxy

  ```bash
  # without ssl check
  # ssl checks are disabled by default to avoid certificate installations
  offat -f swagger_file.json -p http://localhost:8080 -o output.json -of json

  # with ssl check enforced
  offat -f swagger_file.json -p http://localhost:8080 -o output.json -of json --ssl
  ```

  Make sure that the proxy can handle multiple requests at the same time.
- Use user provided inputs for generating tests

  ```bash
  offat -f swagger_file.json -tdc test_data_config.yaml
  ```

  `test_data_config.yaml`

  ```yaml
  actors:
    - actor1:
        request_headers:
          - name: Authorization
            value: Bearer [Token1]
          - name: User-Agent
            value: offat-actor1

        query:
          - name: id
            value: 145
            type: int
          - name: country
            value: uk
            type: str
          - name: city
            value: london
            type: str

        body:
          - name: name
            value: actorone
            type: str
          - name: email
            value: actorone@example.com
            type: str
          - name: phone
            value: +11233211230
            type: str

        unauthorized_endpoints: # For broken access control
          - "/store/order/.*"

    - actor2:
        request_headers:
          - name: Authorization
            value: Bearer [Token2]
          - name: User-Agent
            value: offat-actor2

        query:
          - name: id
            value: 199
            type: int
          - name: country
            value: uk
            type: str
          - name: city
            value: leeds
            type: str

        body:
          - name: name
            value: actortwo
            type: str
          - name: email
            value: actortwo@example.com
            type: str
          - name: phone
            value: +41912312311
            type: str
  ```
If you're using Termux or Windows, use `pip` instead of `pip3`. A few features are only for Linux, hence they might not work on Windows and require admin privileges.
- Create an issue
- Fork the repo, update script and create a Pull Request
Refer to CONTRIBUTIONS.md for contributing to the project.
OWASP OFFAT is distributed under the MIT License. Refer to License for more information.