Automatically tests for vulnerabilities after generating tests from an OpenAPI specification file. The project is in beta, so it may occasionally crash while running.
Warning
HTTP/2 and HTTP/3 are not supported at the moment, since the fasthttp client is used under the hood to increase performance. See the FastHTTP README for more details.
- Restricted HTTP Method/Verb
- BOLA
- BOPLA/Mass Assignment
- SQL Injection
- Command Injection
- XSS/HTML Injection
- SSTI
- SSRF
- Data Exposure (Detects Common Data Exposures)
- Broken Access Control
- Broken Authentication
- Supports OpenAPI Specification (OAS) documents
- A few security checks from the OWASP API Top 10
- Automated Testing
- User Config Based Testing
- API for Automating tests and Integrating Tool with other platforms/tools
- CLI tool
- Proxy Support
- Hardened Docker Images
- Open Source Tool with MIT License
- Trigger scans in CI/CD using GitHub Action
Swagger files are not supported at the moment
- Create a GitHub Actions secret named `url` for your repo
- Set up a GitHub Actions workflow in your repo at `.github/workflows/offat.yml`:

```yaml
name: OWASP OFFAT Sample Workflow
on:
  push:
    branches:
      - dev
      - main
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: "download OAS file"
        run: curl ${url} -o /tmp/oas.json
        env:
          url: ${{ secrets.url }}
      - name: "OWASP OFFAT CICD Scanner"
        uses: OWASP/OFFAT@main # OWASP/[email protected]
        with:
          file: /tmp/oas.json # or ${{ secrets.url }}
          rate_limit: 120
          artifact_retention_days: 1
```

Prefer locking the action to a specific version (`OWASP/[email protected]`) instead of using `OWASP/OFFAT@main`, and bump the OFFAT action version after testing.
The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.
- Install with Homebrew:

  ```bash
  brew install owasp-offat/tap/offat
  ```

- Install the latest release using the command below:

  ```bash
  go install -v github.com/owasp-offat/offat/cmd/offat@latest
  ```

- Install the main/dev branch:

  ```bash
  go install -v github.com/owasp-offat/offat/cmd/offat@main  # install main branch
  go install -v github.com/owasp-offat/offat/cmd/offat@dev   # install dev branch
  ```

- Build from source: clone the repository, change into the src directory (the Go source code is stored there) and run the Go install command:

  ```bash
  git clone https://github.com/OWASP/OFFAT
  cd OFFAT/src
  go install ./...
  ```
CLI Tool

- Run with Docker:

  ```bash
  docker run --rm dmdhrumilmistry/offat -h
  ```
- Run offat:

  ```bash
  offat -f oas.json                       # using a file
  offat -f https://example.com/docs.json  # using a URL
  ```

  JSON and YAML formats are supported.

- To get all the commands, use `offat -h` (help).

- Save the result as JSON:

  ```bash
  offat -f oas.json -o output.json
  ```

- Get the curl command for making requests (the `jq` tool is required to run the command below):

  ```bash
  jq -r '.[].concurrent_response.response.curl_command' output.json
  ```

- Run tests only for endpoint paths matching a regex pattern:

  ```bash
  offat -f oas.yml -pr '/user'
  ```

- Add headers to requests:

  ```bash
  offat -f oas.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'
  ```
- Run tests with requests rate limited (`-r`: requests rate limit per second):

  ```bash
  offat -f oas.json -r 1000
  ```

- Use along with a proxy (make sure the proxy can handle multiple requests at the same time):

  ```bash
  # with ssl check
  offat -f oas.json -p http://localhost:8080 -o output.json

  # without ssl check
  offat -f oas.json -p http://localhost:8080 -o output.json -ns
  ```

- For data leak detection, create a new data leakage detection file from the sample file owasp-offat-data-leak-patterns.yml:

  ```bash
  offat -f oas.yaml -dl owasp-offat-data-leak-patterns.yml
  ```

Warning
Remember to include only patterns whose data can probably be found in your APIs, since the detection process can lead to CPU spikes.
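Before replaying the curl commands pulled out of output.json with the `jq` command above, or handing them to another tool, it is worth checking which hosts they actually target: a wrong server URL in the spec or a proxy can send the scan somewhere unintended. The Python below is an added example, not part of OFFAT; it assumes only the key path the documented `jq` command reads (`.[].concurrent_response.response.curl_command`), and the sample output it parses is constructed.

```python
import json
import shlex
from urllib.parse import urlparse

# Constructed sample of an OFFAT output.json. Only the key path that the
# documented jq command reads (.[].concurrent_response.response.curl_command)
# is assumed; no other field of the real output format is relied on.
SAMPLE_OUTPUT = json.dumps([
    {"concurrent_response": {"response": {"curl_command":
        "curl -X GET 'https://api.example.com/user/1' -H 'Accept: application/json'"}}},
    {"concurrent_response": {"response": {"curl_command":
        "curl -X POST 'https://api.example.com/user' -d '{\"name\": \"x\"}'"}}},
    {"concurrent_response": {"response": {}}},  # no curl command: skipped
    {"concurrent_response": {"response": {"curl_command":
        "curl 'https://staging.example.org/health'"}}},
])


def curl_commands(results):
    """Same selection as `jq -r '.[].concurrent_response.response.curl_command'`,
    but entries without the key are skipped instead of yielding null."""
    cmds = []
    for entry in results:
        response = (entry.get("concurrent_response") or {}).get("response") or {}
        cmd = response.get("curl_command")
        if isinstance(cmd, str) and cmd.strip():
            cmds.append(cmd)
    return cmds


def curl_target_host(cmd):
    """Hostname of the first http(s) URL argument of a curl command, or None."""
    for token in shlex.split(cmd)[1:]:
        if token.startswith(("http://", "https://")):
            return urlparse(token).hostname
    return None


def triage(raw_json, allowed_hosts):
    """Split the curl commands of an output.json into those aimed at the expected
    API hosts and those aimed elsewhere, which should be reviewed before replay."""
    allowed = set(allowed_hosts)
    expected, unexpected = [], []
    for cmd in curl_commands(json.loads(raw_json)):
        (expected if curl_target_host(cmd) in allowed else unexpected).append(cmd)
    return expected, unexpected
```

Running `triage(SAMPLE_OUTPUT, ["api.example.com"])` on the constructed sample returns two commands for the expected host and one (the staging URL) flagged for review.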
Create an issue or fork the repo, update the script and create a pull request.
Refer to CONTRIBUTIONS.md for contributing to the project.
OWASP OFFAT is distributed under the MIT License. Refer to License for more information.