offat

module

v0.21.0-beta Latest Latest Go to latest Published: Sep 8, 2024 License: MIT

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/owasp-offat/offat

README ¶

OFFAT - OFFensive Api Tester

OffAT Logo

Automatically Tests for vulnerabilities after generating tests from openapi specification file. Project is in Beta stage, so sometimes it might crash while running.

UnDocumented petstore API endpoint HTTP method results

[!WARNING]
At the moment HTTP 2/3 aren't supported since fasthttpclient is used under the hood to increase performance. Visit FastHTTP README for more details

Security Checks

Restricted HTTP Method/Verb
BOLA
BOPLA/Mass Assignment
SQL Injection
Command Injection
XSS/HTML Injection
SSTI
SSRF
Data Exposure (Detects Common Data Exposures)
Broken Access Control
Broken Authentication

Features

Supports openAPI specification (OAS) Doc
Few Security Checks from OWASP API Top 10
Automated Testing
User Config Based Testing
API for Automating tests and Integrating Tool with other platforms/tools
CLI tool
Proxy Support
Hardened Docker Images
Open Source Tool with MIT License
Trigger scans in CI/CD using GitHub Action

Swagger files are not supported at the moment

Github Action

Create github action secret url for your repo
Setup github action workflow in your repo .github/workflows/offat.yml

name: OWASP OFFAT Sample Workflow

on:
  push:
    branches:
      - dev
      - main

jobs:
  test:
    runs-on: ubuntu-latest

    steps:
      - name: "download OAS file"
        run: curl ${url} -o /tmp/oas.json
        env:
          url: ${{ secrets.url }}

      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/OFFAT@v0.20.0
        with:
          file: /tmp/oas.json # or ${{ secrets.url }}
          rate_limit: 120
          artifact_retention_days: 1

Prefer locking action to specific version OWASP/OFFAT@v0.20.0 instead of using OWASP/OFFAT@main and bump OFFAT action version after testing.

Disclaimer

The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.

Installation

Using Homebrew

homebrew install owasp-offat/tap/offat

Using Go

Github Hosted Method

Install latest release using below command

go install -v github.com/owasp-offat/offat/cmd/offat@latest

Install main/dev branch

go install -v github.com/owasp-offat/offat/cmd/offat@main # install main branch
go install -v github.com/owasp-offat/offat/cmd/offat@dev  # install dev branch

Clone Method

Clone repository

git clone https://github.com/OWASP/OFFAT

Go source code is stored in src directory
```
cd src
```
Run Go install command
```
go install ./...
```

Using Containers/Docker

CLI Tool

docker run --rm dmdhrumilmistry/offat -h

Start OffAT

CLI Tool

Run offat

offat -f oas.json              # using file
offat -f https://example.com/docs.json  # using url

JSON and YAML formats are supported

To get all the commands use help
```
offat -h
```
Save result in json
```
offat -f oas.json -o output.json
```
Get curl command for making requests
```
jq -r '.[].concurrent_response.response.curl_command' output.json
```
jq tool is required to run above command
Run tests only for endpoint paths matching regex pattern
```
offat -f oas.yml -pr '/user'
```

Add headers to requests

offat -f oas.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'

Run Test with Requests Rate Limited
```
offat -f oas.json -r 1000
```
r: requests rate limit per second

Use along with proxy

# without ssl check
offat -f oas.json -p http://localhost:8080 -o output.json

# without ssl check
offat -f oas.json -p http://localhost:8080 -o output.json -ns

Make sure that proxy can handle multiple requests at the same time

For Data Leak detection, create a new data leakage detection file from this sample file owasp-offat-data-leak-patterns.yml
```
offat -f oas.yaml -dl owasp-offat-data-leak-patterns.yml
```

[!WARNING]
Remember to include only patterns whose data can be probably found in your APIs, since detection process can lead to CPU spikes.

Open In Google Cloud Shell

Temporary Session
Perisitent Session

Have any Ideas 💡 or issue

Create an issue OR fork the repo, update script and create a Pull Request

Contributing

Refer CONTRIBUTIONS.md for contributing to the project.

LICENSE

OWASP OFFAT is distributed under MIT License. Refer License for more information.

Directories ¶

Path	Synopsis
cmd
offat
pkg
fuzzer
http
logging
parser
report
tgen Tests for unrestricted HTTP methods/verbs	Tests for unrestricted HTTP methods/verbs
trunner
trunner/postrunner
utils

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL