Automated Security Testing For REST API's

Overview


BH 2018 USA

BH 2018 Europe

Astra


REST API penetration testing is complex because existing APIs change continuously and new ones are added all the time. Astra can be used by security engineers or developers as an integral part of their process, so vulnerabilities are detected and patched early in the development cycle. Astra can automatically detect and test login and logout (the authentication API), so it is easy for anyone to integrate into a CI/CD pipeline. Astra can also take an API collection as input, so it can be used to test APIs in standalone mode. It checks for:

  • SQL injection
  • Cross site scripting
  • Information Leakage
  • Broken Authentication and session management
  • CSRF (including Blind CSRF)
  • Rate limit
  • CORS misconfiguration (including CORS bypass techniques)
  • JWT attack
  • CRLF detection
  • Blind XXE injection
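The "JWT attack" item above concerns tokens that a verifier accepts when it should not. As an added example, not part of Astra's code, the stand-alone Python 3 verifier below pins the algorithm to HS256 and runs the classic probes a JWT scan issues (unsigned "alg: none", wrong key, expired token) against itself, which is the check a defender wants to see pass before shipping an API. The secret, the claims and the function names are constructed for the example.

```python
"""Added example (not Astra's own code): an HS256 JWT verifier that pins the
algorithm, plus the probes a JWT scan sends. Standard library only."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example only; a real deployment loads it from a secret store.
SECRET = b"example-shared-secret"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key, alg="HS256"):
    """Mint a token. alg='none' is supported only so the probe below can be built."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = "%s.%s" % (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8")),
    )
    if alg == "none":
        return signing_input + "."  # unsigned token: empty signature segment
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, key, now=None):
    """Return the claims of a valid HS256 token; raise ValueError for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The header is attacker-controlled input: the verifier pins the algorithm
    # and never lets the token choose it, which is what defeats 'alg: none'.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, ("%s.%s" % (header_b64, payload_b64)).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check_token_handling(key, now=None):
    """Send the probes a JWT scan issues and report how the verifier treats each."""
    probes = {
        "valid": make_token({"sub": "alice", "exp": 2000000000}, key),
        "alg_none": make_token({"sub": "admin"}, key, alg="none"),
        "wrong_key": make_token({"sub": "admin", "exp": 2000000000}, b"not-the-key"),
        "expired": make_token({"sub": "alice", "exp": 1}, key),
    }
    results = {}
    for name, tok in probes.items():
        try:
            verify_token(tok, key, now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in check_token_handling(SECRET).items():
        print("%-10s %s" % (name, outcome))
```

Only the "valid" probe should come back "accepted"; a verifier that also accepts "alg_none" is taking the algorithm from the token instead of from its own configuration, which is the misconfiguration the scan is looking for.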

Roadmap

https://www.astra-security.info/roadmap/

Requirement

  • Linux or MacOS
  • Python 2.7
  • MongoDB

Installation

$ git clone https://github.com/flipkart-incubator/Astra

$ cd Astra

$ sudo pip install -r requirements.txt

Docker Installation

Run Mongo Container:

$ docker pull mongo
$ docker run --name astra-mongo -d mongo

Installing GUI Docker:

$ git clone https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra .
$ docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra

Installing CLI Docker :

$ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra-cli .
$ docker run --rm -it --link astra-mongo:mongo astra-cli 

Dependencies

  • requests
  • logger
  • pymongo
  • ConfigParser
  • pyjwt
  • flask
  • sqlmap

Documentation

https://www.astra-security.info

Usage: CLI

$ python astra.py --help

                      _
        /\       | |
       /  \   ___| |_ _ __ __ _
      / /\ \ / __| __| '__/ _` |
     / ____ \__ \ |_| | | (_| |
    /_/    \_\___/\__|_|  \__,_|



usage: astra.py [-h] [-c {Postman,Swagger}] [-n COLLECTION_NAME] [-u URL]
                [-headers HEADERS] [-method {GET,POST}] [-b BODY]
                [-l LOGINURL] [-H LOGINHEADERS] [-d LOGINDATA]

REST API Security testing Framework

optional arguments:
  -h, --help            show this help message and exit
  -c {Postman,Swagger}, --collection_type {Postman,Swagger}
                        Type of API collection
  -n COLLECTION_NAME, --collection_name COLLECTION_NAME
                        Type of API collection
  -u URL, --url URL     URL of target API
  -headers HEADERS, --headers HEADERS
                        Custom headers.Example: {"token" : "123"}
  -method {GET,POST}, --method {GET,POST}
                        HTTP request method
  -b BODY, --body BODY  Request body of API
  -l LOGINURL, --loginurl LOGINURL
                        URL of login API
  -H LOGINHEADERS, --loginheaders LOGINHEADERS
                        Headers should be in a dictionary format. Example:
                        {"accesstoken" : "axzvbqdadf"}
  -d LOGINDATA, --logindata LOGINDATA
                        login data of API

Usage: Web interface

Run api.py and open the web interface at http://127.0.0.1:8094:

$ cd API
$ python api.py

Screenshots

New scan (screenshot)

Scan Reports (two screenshots)

Detailed Report (screenshot)

Lead Developer

  • Sagar Popat (@popat_sagar)

Credits

  • Ankur Bhargava
  • Harsh Grover
  • Flipkart security team
  • Pardeep Battu

Comments
  • Local copy of JS and CSS

    Step 6/10 : RUN pip install -r requirements.txt ---> Running in 52fe9a9b747f

    Collecting requests (from -r requirements.txt (line 1)) Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703350>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703650>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703810>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703950>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0x7f5a45703a90>: Failed to establish a new connection: [Errno 101] Network unreachable',)': /simple/requests/ Could not find a version that satisfies the requirement requests (from -r requirements.txt (line 1)) (from versions: ) No matching distribution found for requests (from -r requirements.txt (line 1)) The command '/bin/sh -c pip install -r requirements.txt' returned a non-zero code: 1

    enhancement 
    opened by zhuzhibin123 28
  • Report isn't generated

    I installed Astra on Kali Linux 2018.4, and after the scan is finished on CLI (the message "Scan has been completed" shows up), a tab opens on Firefox and I believe it should show the report and the results. However, it shows the message "NoProduct NameurlStatus", and no report. What am I doing wrong? The images with this process follow.

    astra-1

    astra-2

    This is the scan.log file:

    astra-3

    opened by AmandaBSobrinho 12
  • {

    {"status":"Failed"}

    I just copied the URL, headers (without any body information) from POSTMAN, and it is in JSON format, but I get {"status":"Failed"}. Why does this happen?

    opened by Jennifer0099 12
  • how to use the web based interface

    Hello, can I use this software to test the Facebook APIs, and how can I do that? From the screenshot, I see the URL is http://localhost/checkout.php, so do I need to use the API that I want to test to connect to the localhost website through software like POSTMAN? Because I am just a beginner with APIs, I don't know how to use this testing software.

    opened by Jennifer0099 7
  • API Status - Status of the API is in In Progress for more than 2 days

    3 Issues found in the scan, but Status still showing as In Progress. How do I know that Scanning is completed or not?

    1. CORS Misconfiguration
    2. Broken Authentication and session management
    3. Cross Site Scripting
    opened by ArjunReddyD 6
  • Testing GET request returns error

    I'm trying to follow the instructions to get started, but I'm not getting very far. I have pulled the Mongo image and built the CLI Docker image. I'm running the service I want to test locally, and now I'm trying to run the following command, replacing <token> with a valid token I obtain ahead of time:

    docker run --rm -it --link astra-mongo:mongo astra-cli -u http://docker.for.mac.localhost:8080/v1/users/me --headers '{"Authorization": "Bearer <token>"}'
    

    I get the following stack trace:

    Traceback (most recent call last):
      File "/usr/local/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
        self.run()
      File "/usr/local/lib/python2.7/multiprocessing/process.py", line 114, in run
        self._target(*self._args, **self._kwargs)
      File "./astra.py", line 121, in modules_scan
        sqli_check(url,method,headers,body,scanid)
      File "/app/modules/sqli.py", line 116, in sqli_check
        set_option_status = set_options_list(url,method,headers,body,taskid)
      File "/app/modules/sqli.py", line 34, in set_options_list
        if options_list.status_code == 200:
    AttributeError: 'NoneType' object has no attribute 'status_code'
    

    I've also tried the same call in the Astra GUI, but I get "Broken Authentication and session management" and the API returning a 401. It's almost as if Astra is not properly sending the Authorization header.

    Is there something I'm missing from the command? Am I supposed to pass the command a valid token?

    opened by sugarjig 5
  • Uncaught Exception in `modules/cors.py`

    I got the following error when trying to submit an URL to my local REST server:

      File "../astra.py", line 110, in modules_scan
        cors_main(url,method,headers,body,scanid)
      File "../modules/cors.py", line 69, in cors_main
        origin_headers = generate_origin(url)
      File "../modules/cors.py", line 60, in generate_origin
        postfixurl = domain_name+'.attackersite.com'
    TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'
    

    As I see, in modules.cors.generate_origin, from line 59, this caused the error:

    domain_name = urlparse(url).hostname
    postfixurl = domain_name+'.attackersite.com'
    

    According to the urlparse docs, hostname returns None if no hostname is found. I think we need to add a validator here to check that domain_name is not None.

    opened by snguyenthanh 5
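The crash reported above comes from concatenating urlparse(url).hostname before checking it. As an added example (not Astra's own code and not the patch that resolved the issue), the Python 3 snippet below shows an origin generator of the shape the traceback describes that refuses URLs without a hostname, together with the evaluation the "CORS misconfiguration" check in the overview needs: how the probe's response headers map to a finding. PROBE_SUFFIX, the function names and the two stand-in servers are constructed for the example.

```python
"""Added example (not Astra's own code): hostname-validated CORS probe
origins and an evaluator for the response headers they elicit."""
from urllib.parse import urlparse

# Placeholder probe domain (assumption; the real module uses its own suffix).
PROBE_SUFFIX = ".attackersite.example"


def generate_origins(url):
    """Build the cross-origin probes for a target URL.

    urlparse(url).hostname is None when the URL has no authority part
    (e.g. 'localhost:8080/api' or '/relative/path'); the unpatched code
    concatenated it straight away and raised TypeError, so refuse it early."""
    parsed = urlparse(url)
    if parsed.hostname is None:
        raise ValueError("target URL has no hostname: %r" % url)
    scheme = parsed.scheme if parsed.scheme in ("http", "https") else "https"
    return [
        # lookalike host built the way the issue shows: <target-host><suffix>
        "%s://%s%s" % (scheme, parsed.hostname, PROBE_SUFFIX),
        # an origin unrelated to the target, for comparison
        "%s://unrelated.example" % scheme,
    ]


def evaluate_cors(probe_origin, response_headers):
    """Classify the response to a request carrying 'Origin: <probe_origin>'."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok: no Access-Control-Allow-Origin returned"
    if acao == "*":
        # Browsers refuse to send credentials to a wildcard, so this is low impact.
        return "low: wildcard origin" + (" with credentials flag" if creds else "")
    if acao == probe_origin:
        if creds:
            return "high: untrusted origin reflected with credentials"
        return "medium: untrusted origin reflected"
    return "ok: allow-origin %r does not match the probe" % acao


def audit(url, send_probe):
    """Run every probe through send_probe(origin) -> headers and collect findings."""
    return {origin: evaluate_cors(origin, send_probe(origin))
            for origin in generate_origins(url)}


def _constructed_reflecting_server(origin):
    """Stand-in for a misconfigured server that echoes any Origin back."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Content-Type": "application/json"}


def _constructed_strict_server(origin):
    """Stand-in for a server with a fixed allow-list."""
    if origin == "https://app.example.com":
        return {"Access-Control-Allow-Origin": origin}
    return {"Content-Type": "application/json"}


if __name__ == "__main__":
    target = "https://api.example.com/v1/users"
    print(audit(target, _constructed_reflecting_server))
    print(audit(target, _constructed_strict_server))
    try:
        generate_origins("localhost:8080/api")
    except ValueError as exc:
        print("refused:", exc)
```

In a real scan send_probe would issue the HTTP request with the Origin header set and return the response headers; the two stand-in servers exist only so the block runs offline. The reflecting server produces a "high" finding for every probe, the allow-list server none, and a target given without a scheme is rejected instead of crashing.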
  • Failed to test Broken authentication and session management

    Hello, I just started learning "Automated Security Testing For REST API's", so I chose Astra, and after following the installation steps I tried to run this command to start a scan for a GET API:

    $ python astra.py -u https://jsonplaceholder.typicode.com/

    But there is no test running, and I get this console message:

    "MongoClient opened before fork. Create MongoClient only "
    Failed to test Broken authentication and session management
    -----------------------------------------------------------------------------------------

    Any help please?

    Steps which I followed:

    Docker Installation
    Run Mongo Container:
    $ docker pull mongo
    $ docker run --name astra-mongo -d mongo

    Installing CLI Docker:
    $ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git
    $ cd Astra
    $ docker build -t astra-cli .
    $ docker run --rm -it --link astra-mongo:mongo astra-cli

    I use Docker version 18.06.1-ce, build e68fc7a. But the problem

    opened by yasserEnisoo 4
  • setup.py fails on mac

    While running setup.py on my mac it asks me to run it with sudo for the pip install but later while running the brew install command it fails since brew doesn't like sudo.

    I would suggest moving the installation of external dependencies to the user and you should concentrate on installing the python dependencies only.

    Also, setting up the tool is a little painful right now. Installing the tool should be as simple as running a pip install astra or apt-get install astra command. Running the tool should be as simple as running the command astra.

    bug 
    opened by rameshraithatha 3
  • fix sqlmap bug

    When content type is 'application/json', sqlmap can't find any injections. So we should change the body type from dict to jsonstring. See modules/sqli.py for more details.

    opened by Anemone95 2
  • Webscans keep crashing on Mac

    Hi, a simple web scan keeps crashing. Here is the trace. Is there a specific version of Python I should be using?

    Process: Python [35505] Path: /usr/local/Cellar/python@2/2.7.15_1/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python Identifier: Python Version: 2.7.15 (2.7.15) Code Type: X86-64 (Native) Parent Process: Python [34775] Responsible: Python [35505] User ID: 522130245

    Date/Time: 2018-11-20 20:23:57.333 -0800 OS Version: Mac OS X 10.13.6 (17G65) Report Version: 12 Anonymous UUID: 0DB45F5A-C18B-C0F5-5D43-DFB6BEDCBC7B

    Time Awake Since Boot: 1200 seconds

    System Integrity Protection: enabled

    Crashed Thread: 0

    Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY

    Termination Reason: Namespace OBJC, Code 0x1

    Application Specific Information: crashed on child side of fork pre-exec objc[35505]: +[__NSPlaceholderDate initialize] may have been in progress in another thread when fork() was called.

    opened by madheshr 2
  • Failed to connect to MongoDB.

    It does not work and keeps giving the error: Failed to connect to MongoDB. I've tried to execute all the Python files and all of them had the same error. Kindly help me to know if the issue is with my ignorance or your program. Thank you.

    opened by danthe13th 1
  • kindly Fix Some Errors

    [{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":47,"startColumn":15,"endLineNumber":47,"endColumn":46},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":88,"startColumn":11,"endLineNumber":88,"endColumn":39},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":131,"startColumn":15,"endLineNumber":131,"endColumn":16},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":148,"startColumn":15,"endLineNumber":148,"endColumn":38},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":209,"startColumn":15,"endLineNumber":209,"endColumn":29},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":243,"startColumn":15,"endLineNumber":243,"endColumn":37},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":281,"startColumn":15,"endLineNumber":281,"endColumn":81},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be 
separated by newlines or semicolons","source":"Pylance","startLineNumber":309,"startColumn":19,"endLineNumber":309,"endColumn":130},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","severity":8,"message":"Statements must be separated by newlines or semicolons","source":"Pylance","startLineNumber":337,"startColumn":18,"endLineNumber":337,"endColumn":72},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","code":{"value":"reportMissingImports","target":{"$mid":1,"external":"https://github.com/microsoft/pylance-release/blob/main/DIAGNOSTIC_SEVERITY_RULES.md#diagnostic-severity-rules","path":"/microsoft/pylance-release/blob/main/DIAGNOSTIC_SEVERITY_RULES.md","scheme":"https","authority":"github.com","fragment":"diagnostic-severity-rules"}},"severity":4,"message":"Import "urlparse" could not be resolved","source":"Pylance","startLineNumber":10,"startColumn":8,"endLineNumber":10,"endColumn":16},{"resource":"/home/sajeesh/Astra/astra.py","owner":"generated_diagnostic_collection_name#0","code":{"value":"reportUndefinedVariable","target":{"$mid":1,"external":"https://github.com/microsoft/pylance-release/blob/main/DIAGNOSTIC_SEVERITY_RULES.md#diagnostic-severity-rules","path":"/microsoft/pylance-release/blob/main/DIAGNOSTIC_SEVERITY_RULES.md","scheme":"https","authority":"github.com","fragment":"diagnostic-severity-rules"}},"severity":4,"message":""os" is not defined","source":"Pylance","startLineNumber":38,"startColumn":4,"endLineNumber":38,"endColumn":6}]

    opened by Sajeeshab 0
  • ImportError: cannot import name main

    Hello. Today I tried to install and start using Astra and followed all the instructions on installation. After running python astra.py --help I get: [image]. Can you please help?

    opened by Pro100Ickpa 2
  • fix: Add missing comma to `headers.py`

    • This comma has most probably been left out unintentionally, leading to string concatenation between the two consecutive lines. This issue was found automatically using a regular expression.
    opened by mrshu 1
Owner

Flipkart Incubator