Automated Security Testing For REST API's

Step 6/10 : RUN pip install -r requirements.txt ---> Running in 52fe9a9b747f

Collecting requests (from -r requirements.txt (line 1)) Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703350>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703650>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703810>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703950>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703a90>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Could not find a version that satisfies the requirement requests (from -r requirements.txt (line 1)) (from versions: ) No matching distribution found for requests (from -r requirements.txt (line 1)) The command '/bin/sh -c pip install -r requirements.txt' returned a non-zero code: 1

I installed Astra on Kali Linux 2018.4, and after the scan is finished on CLI (the message "Scan has been completed" shows up), a tab opens on Firefox and I believe it should show the report and the results. However, it shows the message "NoProduct NameurlStatus", and no report. What am I doing wrong? The images with this process follow.

This is the scan.log file:

I just copied the URL, headers (without any body information) from POSTMAN, and it is in JSON format, but I get {"status":"Failed"}. Why does this happen?

Hello, can I use this software to test the facebook APIs and how can I do that. From the screenshot, I see the URL is http://localhost/checkout.php, so do I need to use the API that I want to test to connect to the localhost website through a software like POSTMAN? Because I am just a beginner with APIs, so I don't know how to use this testing software.

3 Issues found in the scan, but Status still showing as In Progress. How do I know that Scanning is completed or not?

1. CORS Misconfiguration
2. Broken Authentication and session management
3. Cross Site Scripting

I'm trying to follow the instructions to get started, but I'm not getting very far. I have pulled the Mongo image and built the CLI Docker image. I'm running the service I want to test locally, and now I'm trying to run the following command, replacing <token> with a valid token I obtain ahead of time:

docker run --rm -it --link astra-mongo:mongo astra-cli -u http://docker.for.mac.localhost:8080/v1/users/me --headers '{"Authorization": "Bearer <token>"}'

I get the following stack trace:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/local/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "./astra.py", line 121, in modules_scan
    sqli_check(url,method,headers,body,scanid)
  File "/app/modules/sqli.py", line 116, in sqli_check
    set_option_status = set_options_list(url,method,headers,body,taskid)
  File "/app/modules/sqli.py", line 34, in set_options_list
    if options_list.status_code == 200:
AttributeError: 'NoneType' object has no attribute 'status_code'

I've also tried the same call in the Astra GUI, but I get "Broken Authentication and session management" and the API returning a 401. It's almost as if Astra is not properly sending the Authorization header.

Is there something I'm missing from the command? Am I supposed to pass the command a valid token?

I got the following error when trying to submit an URL to my local REST server:

  File "../astra.py", line 110, in modules_scan
    cors_main(url,method,headers,body,scanid)
  File "../modules/cors.py", line 69, in cors_main
    origin_headers = generate_origin(url)
  File "../modules/cors.py", line 60, in generate_origin
    postfixurl = domain_name+'.attackersite.com'
TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

As I see, in modules.cors.generate_origin, from line 59, this caused the error:

domain_name = urlparse(url).hostname
postfixurl = domain_name+'.attackersite.com'

From the urlparse's docs, the hostname return a None object if no hostname is found. I think we need to add a validator here to check domain_name is not None.

hello I just start learning " Automated Security Testing For REST API's" so I choose ASTRA to use it and after following Installing Step's , I try to run this command in order to start a scan for GET api, $ python astra.py -u https://jsonplaceholder.typicode.com/ But their is no test running !! and I have this console message : "MongoClient opened before fork. Create MongoClient only " Failed to test Broken authentication and session management ----------------------------------------------------------------------------------------- Any help please ?? Steps which I followed : Docker Installation Run Mongo Container: $ docker pull mongo $ docker run --name astra-mongo -d mongo Installing CLI Docker : $ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git $ cd Astra $ docker build -t astra-cli . $ docker run --rm -it --link astra-mongo:mongo astra-cli and I use Docker version 18.06.1-ce, build e68fc7a But the problem

While running setup.py on my mac it asks me to run it with sudo for the pip install but later while running the brew install command it fails since brew doesn't like sudo.

I would suggest moving the installation of external dependencies to the user and you should concentrate on installing the python dependencies only.

Also, setting up the tool is little painful right now. Installing the tool should be as simple as running a pip install astra or apt-get install astra command. Running the tool should be as simple as running a command astra.

When content type is 'application/json', sqlmap can't find any injections. So we should change the body type from dict to jsonstring. See modules/sqli.py for more details.

Hi A simple webscan keeps crashing. Here is the trace. Is there a specific version of python i should be using?

Process: Python [35505] Path: /usr/local/Cellar/python@2/2.7.15_1/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python Identifier: Python Version: 2.7.15 (2.7.15) Code Type: X86-64 (Native) Parent Process: Python [34775] Responsible: Python [35505] User ID: 522130245

Date/Time: 2018-11-20 20:23:57.333 -0800 OS Version: Mac OS X 10.13.6 (17G65) Report Version: 12 Anonymous UUID: 0DB45F5A-C18B-C0F5-5D43-DFB6BEDCBC7B

Time Awake Since Boot: 1200 seconds

System Integrity Protection: enabled

Crashed Thread: 0

Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace OBJC, Code 0x1

Application Specific Information: crashed on child side of fork pre-exec objc[35505]: +[__NSPlaceholderDate initialize] may have been in progress in another thread when fork() was called.

it does not work and keep giving error : Failed to connect to MongoDB. ive tried to execute all the python files and all of them had the same error kindly please help me to know if the issue is with my ignorance or your program thank you

[{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":47,"startColumn":15,"endLineNumber":47,"endColumn":46},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":88,"startColumn":11,"endLineNumber":88,"endColumn":39},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":131,"startColumn":15,"endLineNumber":131,"endColumn":16},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":148,"startColumn":15,"endLineNumber":148,"endColumn":38},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":209,"startColumn":15,"endLineNumber":209,"endColumn":29},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":243,"startColumn":15,"endLineNumber":243,"endColumn":37},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":281,"startColumn":15,"endLineNumber":281,"endColumn":81},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":309,"startColumn":19,"endLineNumber":309,"endColumn":130},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":337,"startColumn":18,"endLineNumber":337,"endColumn":72},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","code":{"value":"reportMissingImports","target":{"$mid":1,"external":"https://github.com/microsoft/pylance-release/blob/main/DIAGNOSTIC_SEVERITY_RULES.md#diagnostic-severity-rules","path":"/microsoft/pylance-release/blob/main/DIAGNOSTIC_SEVERITY_RULES.md","scheme":"https","authority":"github.com","fragment":"diagnostic-severity-rules"}},"severity":4,"message":"Import "urlparse" could not be resolved","source":"Pylance","startLineNumber":10,"startColumn":8,"endLineNumber":10,"endColumn":16},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","code":{"value":"reportUndefinedVariable","target":{"$mid":1,"external":"https://github.com/microsoft/pylance-release/blob/main/DIAGNOSTIC_SEVERITY_RULES.md#diagnostic-severity-rules","path":"/microsoft/pylance-release/blob/main/DIAGNOSTIC_SEVERITY_RULES.md","scheme":"https","authority":"github.com","fragment":"diagnostic-severity-rules"}},"severity":4,"message":""os" is not defined","source":"Pylance","startLineNumber":38,"startColumn":4,"endLineNumber":38,"endColumn":6}]

Hello. Today tried to install and start using Astra Followed all instructions on installation After running python astra.py --help I get: Can you please help ?

• This comma has been most probably been left out unintentionally, leading to string concatenation between the two consecutive lines. This issue has been found automatically using a regular expression.