Skip to content

Commit

Permalink
Merge pull request #139 from OWASP/missing-auth
Browse files Browse the repository at this point in the history
add missing auth implementation test
  • Loading branch information
dmdhrumilmistry authored Sep 7, 2024
2 parents 1bcd04e + 00fd0d8 commit b94fbda
Show file tree
Hide file tree
Showing 4 changed files with 89 additions and 16 deletions.
4 changes: 4 additions & 0 deletions src/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ Automatically Tests for vulnerabilities after generating tests from openapi spec

![UnDocumented petstore API endpoint HTTP method results](/assets/images/tests/offat-v0.5.0.png)

> [!WARNING]
> At the moment HTTP 2/3 aren't supported since fasthttpclient is used under the hood to increase performance.
> Visit [FastHTTP README](https://github.com/valyala/fasthttp) for more details
## Security Checks

- [x] Restricted HTTP Method/Verb
Expand Down
17 changes: 9 additions & 8 deletions src/cmd/offat/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -153,14 +153,15 @@ func main() {
DefaultQueryParams: config.QueryParams.ToMap(),

// Tests
RunUnrestrictedHttpMethodTest: true,
RunBasicSQLiTest: true,
RunBasicSSRFTest: true,
RunOsCommandInjectionTest: true,
RunXssHtmlInjectionTest: true,
RunSstiInjectionTest: true,
RunBolaTest: true,
RunBolaTrailingPathTest: true,
RunUnrestrictedHttpMethodTest: true,
RunBasicSQLiTest: true,
RunBasicSSRFTest: true,
RunOsCommandInjectionTest: true,
RunXssHtmlInjectionTest: true,
RunSstiInjectionTest: true,
RunBolaTest: true,
RunBolaTrailingPathTest: true,
RunMissingAuthImplementationTest: true,

// SSRF Test
SsrfUrl: *config.SsrfUrl,
Expand Down
58 changes: 58 additions & 0 deletions src/pkg/tgen/missingAuth.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
package tgen

import (
"github.com/OWASP/OFFAT/src/pkg/parser"
"github.com/OWASP/OFFAT/src/pkg/utils"
c "github.com/dmdhrumilmistry/fasthttpclient/client"
"github.com/rs/zerolog/log"
)

func MissingAuthTest(baseUrl string, docParams []*parser.DocHttpParams, queryParams map[string]string, headers map[string]string) []*ApiTest {
var tests []*ApiTest
testName := "Missing Auth Implementation Test"
immuneResponseCode := []int{401, 403, 404, 405}
authKeys := []string{
"Authorization",
"authorization",
"X-API-Key",
"x-api-key",
"API_KEY",
"api_key",
}

for _, docParam := range docParams {
// skip test generation if there are no security schemes
if len(docParam.Security) < 1 {
continue
}

url, headersMap, queryMap, bodyData, pathWithParams, err := httpParamToRequest(baseUrl, docParam, queryParams, headers, utils.JSON)
if err != nil {
log.Error().Err(err).Msgf("failed to generate request params from DocHttpParams, skipping test for this case %v due to error %v", *docParam, err)
continue
}

// Delete auth data from header and query
DeleteAuthFromMap(headersMap, authKeys)
DeleteAuthFromMap(queryMap, authKeys)

request := c.NewRequest(url, docParam.HttpMethod, queryMap, headersMap, bodyData)

test := ApiTest{
TestName: testName,
Request: request,
Path: docParam.Path,
PathWithParams: pathWithParams,
ImmuneResponseCodes: immuneResponseCode,
}
tests = append(tests, &test)
}

return tests
}

func DeleteAuthFromMap(authMap map[string]string, keys []string) {
for _, key := range keys {
delete(authMap, key)
}
}
26 changes: 18 additions & 8 deletions src/pkg/tgen/tgen.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,14 +16,15 @@ type TGenHandler struct {
BaseUrl string

// Register all tests using bool values below
RunUnrestrictedHttpMethodTest bool
RunBasicSQLiTest bool
RunBasicSSRFTest bool
RunOsCommandInjectionTest bool
RunXssHtmlInjectionTest bool
RunSstiInjectionTest bool
RunBolaTest bool
RunBolaTrailingPathTest bool
RunUnrestrictedHttpMethodTest bool
RunBasicSQLiTest bool
RunBasicSSRFTest bool
RunOsCommandInjectionTest bool
RunXssHtmlInjectionTest bool
RunSstiInjectionTest bool
RunBolaTest bool
RunBolaTrailingPathTest bool
RunMissingAuthImplementationTest bool

// SSRF Test related data
SsrfUrl string
Expand Down Expand Up @@ -73,6 +74,14 @@ func (t *TGenHandler) GenerateTests() []*ApiTest {
log.Info().Msgf("%d tests generated for BOLA Trailing Path", len(newTests))
}

// Missing Auth Implementation Test
if t.RunMissingAuthImplementationTest {
newTests := MissingAuthTest(t.BaseUrl, t.Doc, t.DefaultQueryParams, t.DefaultHeaders)
tests = append(tests, newTests...)

log.Info().Msgf("%d tests generated for Missing Auth Implementation", len(newTests))
}

// Basic SQLI Test
if t.RunBasicSQLiTest {
injectionConfig := InjectionConfig{
Expand Down Expand Up @@ -133,6 +142,7 @@ func (t *TGenHandler) GenerateTests() []*ApiTest {
log.Info().Msgf("%d tests generated for Basic OS Command Injection", len(newTests))
}

// SSRF Test
if t.RunBasicSSRFTest && utils.ValidateURL(t.SsrfUrl) {
injectionConfig := InjectionConfig{
InBody: true,
Expand Down

0 comments on commit b94fbda

Please sign in to comment.