Skip to content

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.

License

Notifications You must be signed in to change notification settings

owasp-offat/offat

Repository files navigation

OFFAT - OFFensive Api Tester

OffAT Logo

Automatically Tests for vulnerabilities after generating tests from openapi specification file. Project is in Beta stage, so sometimes it might crash while running.

UnDocumented petstore API endpoint HTTP method results

Warning

At the moment HTTP 2/3 aren't supported since fasthttpclient is used under the hood to increase performance. Visit FastHTTP README for more details

Security Checks

  • Restricted HTTP Method/Verb
  • BOLA
  • BOPLA/Mass Assignment
  • SQL Injection
  • Command Injection
  • XSS/HTML Injection
  • SSTI
  • SSRF
  • Data Exposure (Detects Common Data Exposures)
  • Broken Access Control
  • Broken Authentication

Features

  • Supports openAPI specification (OAS) Doc
  • Few Security Checks from OWASP API Top 10
  • Automated Testing
  • User Config Based Testing
  • API for Automating tests and Integrating Tool with other platforms/tools
  • CLI tool
  • Proxy Support
  • Hardened Docker Images
  • Open Source Tool with MIT License
  • Trigger scans in CI/CD using GitHub Action

Swagger files are not supported at the moment

Github Action

  • Create github action secret url for your repo
  • Setup github action workflow in your repo .github/workflows/offat.yml
name: OWASP OFFAT Sample Workflow

on:
  push:
    branches:
      - dev
      - main

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: "download OAS file"
        run: curl ${url} -o /tmp/oas.json
        env:
          url: ${{ secrets.url }}

      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/OFFAT@v0.20.0
        with:
          file: /tmp/oas.json # or ${{ secrets.url }}
          rate_limit: 120
          artifact_retention_days: 1

Prefer locking action to specific version OWASP/OFFAT@v0.20.0 instead of using OWASP/OFFAT@main and bump OFFAT action version after testing.

Disclaimer

The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.

Read More

Installation

Using Homebrew

homebrew install owasp-offat/tap/offat

Using Go

Github Hosted Method

  • Install latest release using below command

    go install -v github.com/owasp-offat/offat/cmd/offat@latest
  • Install main/dev branch

    go install -v github.com/owasp-offat/offat/cmd/offat@main # install main branch
    go install -v github.com/owasp-offat/offat/cmd/offat@dev  # install dev branch

Clone Method

  • Clone repository

    git clone https://github.com/OWASP/OFFAT
  • Go source code is stored in src directory

    cd src
  • Run Go install command

    go install ./...

Using Containers/Docker

  • CLI Tool

    docker run --rm dmdhrumilmistry/offat -h

Start OffAT

CLI Tool

  • Run offat

    offat -f oas.json              # using file
    offat -f https://example.com/docs.json  # using url

    JSON and YAML formats are supported

  • To get all the commands use help

    offat -h
  • Save result in json

    offat -f oas.json -o output.json
  • Get curl command for making requests

    jq -r '.[].concurrent_response.response.curl_command' output.json

    jq tool is required to run above command

  • Run tests only for endpoint paths matching regex pattern

    offat -f oas.yml -pr '/user'
  • Add headers to requests

    offat -f oas.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'
  • Run Test with Requests Rate Limited

    offat -f oas.json -r 1000

    r: requests rate limit per second

  • Use along with proxy

    # without ssl check
    offat -f oas.json -p http://localhost:8080 -o output.json
    
    # without ssl check
    offat -f oas.json -p http://localhost:8080 -o output.json -ns

    Make sure that proxy can handle multiple requests at the same time

  • For Data Leak detection, create a new data leakage detection file from this sample file owasp-offat-data-leak-patterns.yml

    offat -f oas.yaml -dl owasp-offat-data-leak-patterns.yml

Warning

Remember to include only patterns whose data can be probably found in your APIs, since detection process can lead to CPU spikes.

Open In Google Cloud Shell

  • Temporary Session

    Open in Cloud Shell

  • Perisitent Session

    Open in Cloud Shell

Have any Ideas 💡 or issue

Create an issue OR fork the repo, update script and create a Pull Request

Contributing

Refer CONTRIBUTIONS.md for contributing to the project.

LICENSE

OWASP OFFAT is distributed under MIT License. Refer License for more information.

About

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Languages