security testing tools,astra Automated Security Testing For REST API's.

astra Automated Security Testing For REST API's.

astra Automated Security Testing

REST API penetration testing is advanced because of continuous changes in existing Apis and recently more Apis. Astra will be utilized by security engineers or developers as AN integral a part of their process, so that they will discover and patch vulnerabilities early throughout development cycle. Astra will automatically discover and check login & logout (Authentication API), therefore it is easy for anyone to integrate this into CICD pipeline. Astra will take API collection as AN input thus this may even be used for testing Apis in standalone mode.

  • SQL injection
  • Cross site scripting
  • Information Leakage
  • Broken Authentication and session management
  • CSRF (including Blind CSRF)
  • Rate limit
  • CORS misconfiguration (including CORS bypass techniques)
  • JWT attack
  • CRLF detection
  • Blind XXE injection

Requirement

  • Linux or MacOS
  • Python 2.7
  • mongoDB

Installation

$ git clone https://github.com/flipkart-incubator/Astra

$ cd Astra

$ sudo pip install -r requirements.txt

Docker Installation

Run Mongo Container:

$ docker pull mongo
$ docker run --name astra-mongo -d mongo

Installing GUI Docker:

$ git clone https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra .
$ docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra

Installing CLI Docker :

$ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra-cli .
$ docker run --rm -it --link astra-mongo:mongo astra-cli 

Dependencies

- requests
- logger
- pymongo
- ConfigParser
- pyjwt
- flask
- sqlmap

Documentation

Usage: CLI

$ python astra.py --help _ /\ | | / \ ___| |_ _ __ __ _ / /\ \ / __| __| '__/ _` | / ____ \__ \ |_| | | (_| | /_/ \_\___/\__|_| \__,_| usage: astra.py [-h] [-c {Postman,Swagger}] [-n COLLECTION_NAME] [-u URL] [-headers HEADERS] [-method {GET,POST}] [-b BODY] [-l LOGINURL] [-H LOGINHEADERS] [-d LOGINDATA] REST API Security testing Framework optional arguments: -h, --help show this help message and exit -c {Postman,Swagger}, --collection_type {Postman,Swagger} Type of API collection -n COLLECTION_NAME, --collection_name COLLECTION_NAME Type of API collection -u URL, --url URL URL of target API -headers HEADERS, --headers HEADERS Custom headers.Example: {"token" : "123"} -method {GET,POST}, --method {GET,POST} HTTP request method -b BODY, --body BODY Request body of API -l LOGINURL, --loginurl LOGINURL URL of login API -H LOGINHEADERS, --loginheaders LOGINHEADERS Headers should be in a dictionary format. Example: {"accesstoken" : "axzvbqdadf"} -d LOGINDATA, --logindata LOGINDATA login data of API

Usage: Web interface

Run the api.py and access the web interface at http://127.0.0.1:8094
$ cd API
$ python api.py

Screenshots


New scan


Astra

Scan Reports

Scan Reports

Detailed Report

Detailed Report

Lead Developer

  • Sagar Popat (@popat_sagar)

Credits

  • Ankur Bhargava
  • Harsh Grover
  • Flipkart security team
  • Pardeep Battu
Share To:

Hackerbrother

Post A Comment:

0 comments so far,add yours