OFFAT automatically tests for vulnerabilities after generating tests from an OpenAPI specification file. The project is in beta, so it may occasionally crash while running.
Note: the 'data_leak' and 'result' columns in the results table are independent. An endpoint can show a data leak while its result is still marked 'Success', because 'result' does not reflect an overall verdict for the endpoint and can read 'Success' even when data leaked. Check both columns rather than filtering on 'result' alone.
Add a url secret to your repository that holds the swagger/OAS file URL, then create .github/workflows/offat.yml:

```yaml
name: OWASP OFFAT Sample Workflow

on:
  push:
    branches:
      - dev
      - main

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: "download swagger/OAS file"
        run: curl ${url} -o /tmp/swagger.json
        env:
          url: ${{ secrets.url }}

      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/OFFAT@v0.17.3
        with:
          file: /tmp/swagger.json # or ${{ secrets.url }}
          rate_limit: 120
          artifact_retention_days: 1
```
Prefer locking the action to a specific version (OWASP/OFFAT@v0.17.3) instead of OWASP/OFFAT@main, and bump the OFFAT action version only after testing the new release. Pinning to the full commit SHA of that release is stronger still: a branch or tag can be moved to point at different code, a commit SHA cannot.
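The pinning advice above can be enforced mechanically. The following is an added example (not OFFAT code) that scans a workflow file for `uses:` references and classifies each ref as an immutable commit SHA, a version tag, or a floating branch; the workflow text it scans is a constructed copy of the sample workflow above, and the regex-based line scan is a deliberate simplification that avoids a YAML dependency.

```python
import re

# Constructed copy of the page's sample workflow; only the `uses:` lines matter here.
SAMPLE_WORKFLOW = """\
name: OWASP OFFAT Sample Workflow
on:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: "download swagger/OAS file"
        run: curl ${url} -o /tmp/swagger.json
      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/OFFAT@v0.17.3
        with:
          file: /tmp/swagger.json
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # `uses: owner/repo@ref` up to a comment
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # full git commit hash
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")        # v1, v0.17.3, 2.1 ...


def classify_ref(ref):
    """'sha' for an immutable 40-hex commit, 'tag' for a version tag, else 'branch'."""
    if SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "branch"


def audit_uses(workflow_text):
    """Return (line_no, action, ref, kind) for every remote action referenced with `uses:`."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local actions and image references carry no git ref to pin
        action, sep, ref = spec.partition("@")
        kind = classify_ref(ref) if sep else "branch"  # no @ref at all floats on the default branch
        findings.append((line_no, action, ref, kind))
    return findings


def floating_refs(workflow_text):
    """Everything that is not pinned to a commit SHA, i.e. what could change under you."""
    return [f for f in audit_uses(workflow_text) if f[3] != "sha"]


if __name__ == "__main__":
    for line_no, action, ref, kind in floating_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<default branch>'} is a {kind}; pin to a commit SHA")
```

Run it against a real workflow with `audit_uses(open(".github/workflows/offat.yml").read())`; a version tag is reported as floating on purpose, since the check's bar is the commit SHA.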
The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.
Install the main branch using pip
python3 -m pip install git+https://github.com/OWASP/OFFAT.git
Install a release from PyPI
python3 -m pip install offat # CLI tool only
python3 -m pip install 'offat[api]' # CLI + API (quote the extra so the shell does not treat the brackets as a glob)
Build Image
make local
CLI Tool
docker run --rm dmdhrumilmistry/offat
API
docker compose up -d
POST the OpenAPI documentation to the /api/v1/scan/ endpoint together with its type (json or yaml); a job_id will be returned.
Open a terminal and install git and python3
sudo apt install git python3 -y
Install Poetry
Clone the repository to your machine
git clone https://github.com/OWASP/OFFAT.git
Change into the cloned directory (the repository name is OFFAT, and the path is case-sensitive on Linux)
cd OFFAT
Install with Poetry
# without options
poetry install
Start API Server
python -m offat.api
# OR
offat-api
API Documentation can be found at http://localhost:8000/docs
Run offat
offat -f swagger_file.json # using file
offat -f https://example.com/docs.json # using url
To list all options, use help
offat -h
Save the result in json, yaml or html format.
offat -f swagger_file.json -o output.json -of json # json
offat -f swagger_file.json -o output.html -of html # html
offat -f swagger_file.json -o output.yaml -of yaml # yaml
json is the default output format. The yaml output must be sanitized before use because it dumps data as Python objects: load it only with a safe loader that rejects python tags, never with a loader that reconstructs arbitrary objects. The html output still needs better visualization.
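The two caveats above, the independence of 'data_leak' from 'result' and the Python-object tags in the yaml output, are the things a CI consumer of the report most often gets wrong. The following is an added example, not OFFAT's own code: it gates a build on the JSON report and screens yaml text for python tags. The report layout is an assumption (a JSON list of per-test records that each carry at least 'result' and 'data_leak'); the other field names are invented for illustration and the sample report and yaml fragment are constructed.

```python
import json

# Constructed report, not real tool output. Field names other than 'result' and
# 'data_leak' are invented for illustration.
SAMPLE_REPORT_JSON = json.dumps([
    {"endpoint": "/user/login", "method": "POST", "test_name": "sqli",
     "result": "Success", "data_leak": None},
    {"endpoint": "/user/{id}", "method": "GET", "test_name": "bola",
     "result": "Success", "data_leak": ["email", "phone"]},
    {"endpoint": "/store/order", "method": "PUT", "test_name": "unsupported_method",
     "result": "Failed", "data_leak": None},
])

# Constructed YAML fragment of the kind a Python-object dump produces: a !!python/ tag.
SAMPLE_YAML_WITH_PYTHON_TAG = "results: !!python/tuple\n- 1\n- 2\n"


def load_report(text):
    """Parse the JSON report. json.loads cannot execute code, unlike an unsafe YAML load."""
    records = json.loads(text)
    if not isinstance(records, list):
        raise ValueError("expected a JSON list of test records")
    return records


def data_leak_findings(records):
    """Every record whose 'data_leak' is set, chosen without looking at 'result' first."""
    return [r for r in records if r.get("data_leak")]


def result_counts(records):
    """Tally of the 'result' column; fine for a summary, not for gating."""
    counts = {}
    for r in records:
        key = str(r.get("result"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def should_fail_build(records):
    """CI gate: any data leak fails the build, whatever 'result' says for that record."""
    return len(data_leak_findings(records)) > 0


def yaml_has_python_tags(text):
    """True if the YAML text carries '!!python/' tags. yaml.safe_load refuses such
    documents; an unsafe yaml.load would turn them back into live Python objects."""
    return "!!python/" in text


if __name__ == "__main__":
    records = load_report(SAMPLE_REPORT_JSON)
    print("result column:", result_counts(records))
    for r in data_leak_findings(records):
        print(f"data leak on {r['method']} {r['endpoint']} (result={r['result']}): {r['data_leak']}")
    print("fail build:", should_fail_build(records))
    print("yaml needs sanitizing:", yaml_has_python_tags(SAMPLE_YAML_WITH_PYTHON_TAG))
```

The second record is the case the note describes: result 'Success' and a data leak at the same time, and the gate still catches it because it never filters on 'result'. If you do consume the yaml output, check it with yaml_has_python_tags first and load it with yaml.safe_load only.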
Run tests only for endpoint paths matching regex pattern
offat -f swagger_file.json -pr '/user'
Add headers to requests
offat -f swagger_file.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'
Run tests with the request rate limited
offat -f swagger_file.json -rl 1000
-rl: request rate limit, in requests per second
Use along with proxy
# without ssl check
offat -f swagger_file.json -p http://localhost:8080 -o output.json -of json # ssl checks are disabled by default to avoid certificate installations
# with ssl check enforced
offat -f swagger_file.json -p http://localhost:8080 -o output.json -of json --ssl
Make sure the proxy can handle concurrent requests, since OFFAT sends many at once.
Use user-provided inputs for generating tests
offat -f swagger_file.json -tdc test_data_config.yaml
test_data_config.yaml:

```yaml
actors:
  - actor1:
      request_headers:
        - name: Authorization
          value: Bearer [Token1]
        - name: User-Agent
          value: offat-actor1

      query:
        - name: id
          value: 145
          type: int
        - name: country
          value: uk
          type: str
        - name: city
          value: london
          type: str

      body:
        - name: name
          value: actorone
          type: str
        - name: email
          value: actorone@example.com
          type: str
        - name: phone
          value: +11233211230
          type: str

      unauthorized_endpoints: # For broken access control
        - "/store/order/.*"

  - actor2:
      request_headers:
        - name: Authorization
          value: Bearer [Token2]
        - name: User-Agent
          value: offat-actor2

      query:
        - name: id
          value: 199
          type: int
        - name: country
          value: uk
          type: str
        - name: city
          value: leeds
          type: str

      body:
        - name: name
          value: actortwo
          type: str
        - name: email
          value: actortwo@example.com
          type: str
        - name: phone
          value: +41912312311
          type: str
```
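To see what the unauthorized_endpoints entries actually cover before running a scan, it helps to resolve them against the spec's paths. The following is an added example, not OFFAT's own code: it mirrors the config above as a Python dict (no PyYAML needed; the query and body entries are left out for brevity), matches each actor's patterns against a constructed list of spec paths, and evaluates constructed replay results. How OFFAT itself applies the patterns and judges a broken-access-control hit is an assumption here (start-anchored re.match, and a 2xx on a declared-unauthorized path counts as a finding); check it against the project before relying on it.

```python
import re

# Mirror of the page's test_data_config.yaml (query/body omitted); constructed, not loaded from disk.
TEST_DATA_CONFIG = {
    "actors": [
        {"actor1": {
            "request_headers": [{"name": "Authorization", "value": "Bearer [Token1]"},
                                {"name": "User-Agent", "value": "offat-actor1"}],
            "unauthorized_endpoints": ["/store/order/.*"],   # For broken access control
        }},
        {"actor2": {
            "request_headers": [{"name": "Authorization", "value": "Bearer [Token2]"},
                                {"name": "User-Agent", "value": "offat-actor2"}],
        }},
    ]
}

# Constructed spec paths standing in for the OpenAPI document's 'paths' keys.
SPEC_PATHS = ["/store/order", "/store/order/{orderId}", "/store/inventory", "/user/login"]

# Constructed replay results: (actor, path) -> HTTP status seen when that actor's own
# credentials were sent to that path. Here the server wrongly serves actor1 an order by id.
REPLAY = {("actor1", "/store/order/{orderId}"): 200}


def actors(config):
    """Flatten the list-of-single-key-maps layout into {actor_name: settings}."""
    out = {}
    for item in config.get("actors", []):
        for name, settings in item.items():
            out[name] = settings
    return out


def headers(settings):
    """request_headers as a dict ready to pass to an HTTP client."""
    return {h["name"]: h["value"] for h in settings.get("request_headers", [])}


def unauthorized_matrix(config, paths):
    """{actor: sorted spec paths the actor is declared NOT allowed to reach}.
    re.match anchors at the start only (assumption about OFFAT's semantics), so
    '/store/order/.*' covers '/store/order/{orderId}' but not '/store/order' itself."""
    matrix = {}
    for name, settings in actors(config).items():
        patterns = [re.compile(p) for p in settings.get("unauthorized_endpoints", [])]
        matrix[name] = sorted(p for p in paths if any(rx.match(p) for rx in patterns))
    return matrix


def broken_access_findings(matrix, replay):
    """A 2xx on a path the actor is declared unauthorized for is a broken-access-control finding."""
    findings = []
    for actor, paths in matrix.items():
        for path in paths:
            status = replay.get((actor, path))
            if status is not None and 200 <= status < 300:
                findings.append((actor, path, status))
    return findings


if __name__ == "__main__":
    matrix = unauthorized_matrix(TEST_DATA_CONFIG, SPEC_PATHS)
    for actor, paths in matrix.items():
        print(f"{actor} ({headers(actors(TEST_DATA_CONFIG)[actor])['User-Agent']}): unauthorized on {paths}")
    for actor, path, status in broken_access_findings(matrix, REPLAY):
        print(f"BAC: {actor} got {status} on {path}")
```

Note what the matrix shows for the page's own pattern: '/store/order' (the collection) is not covered by '/store/order/.*', so if that path should also be off-limits for actor1 the pattern needs to say so (for example '/store/order(/.*)?').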
If you're using Termux or Windows, use pip instead of pip3. A few features are Linux-only, so they may not work on Windows and may require admin privileges.
Refer to CONTRIBUTIONS.md for contributing to the project.
OWASP OFFAT is distributed under the MIT License. Refer to the License for more information.
FAQs
Offensive API tester tool automates checks for common API vulnerabilities
We found that offat demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.