Merge pull request #15 from OWASP/dev

Dev Merge: Release 0.10.1

README.md

@@ -2,7 +2,7 @@
 
 OWASP OFFAT (OFFensive Api Tester) is created to automatically test API for common vulnerabilities after generating tests from openapi specification file. It provides feature to automatically fuzz inputs and use user provided inputs during tests specified via YAML config file.
 
-![UnDocumented petstore API endpoint HTTP method results](/assets/images/tests/offat-v0.5.0.png)
+![UnDocumented petstore API endpoint HTTP method results](./assets/images/tests/offat-v0.5.0.png)
 
 ## Demo
 

src/README.md

@@ -171,6 +171,8 @@ The disclaimer advises users to use the open-source project for ethical and legi
 offat -f swagger_file.json -p http://localhost:8080 --no-ssl -o output.json
 ```
 
+> Make sure that proxy can handle multiple requests at the same time
+
 - Use user provided inputs for generating tests
 
   ```bash

src/offat/openapi.py

@@ -17,12 +17,32 @@ def __init__(self, fpath:str, spec:dict=None) -> None:
             self._spec = self._parser.specification
         else:
             self._spec = spec
-
-        self.host = self._spec.get('host')
-        self.http_scheme = 'https' if 'https' in self._spec.get('schemes') else 'http'
+
+        self.hosts = []
+        self._populate_hosts()
+        self.host = self.hosts[0]
+
+        self.http_scheme = 'https' if 'https' in self._spec.get('schemes',[]) else 'http'
         self.base_url = f"{self.http_scheme}://{self.host}{self._spec.get('basePath','')}"
         self.request_response_params = self._get_request_response_params()
 
+    def _populate_hosts(self):
+        if self._spec.get('openapi'): # for openapi v3
+            servers = self._spec.get('servers',[])
+            hosts = []
+            for server in servers:
+                host = server.get('url','').removeprefix('http://').removeprefix('http://').removesuffix('/')
+                host = None if host == '' else host
+                hosts.append(host)
+        else:
+            host = self._spec.get('host') # for swagger files
+            if not host:
+                logger.error('Invalid Host: Host is missing')
+                raise ValueError(f'Host Not Found in spec file')
+            hosts = [host]
+
+        self.hosts = hosts
+
 
     def _get_endpoints(self):
         '''Returns list of endpoint paths along with HTTP methods allowed'''

src/offat/tester/regexs.py

@@ -6,6 +6,7 @@
     'ip': r'(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}\b',
     'ccn': r'\b\d{4}-\d{4}-\d{4}-\d{4}\b',
     'jwtToken':r'(^|\s|")[A-Za-z0-9_-]{2,}(?:\.[A-Za-z0-9_-]{2,}){2}($|\s|")',
+    'ato_data':r'\b(auth_code|otp|password|password_hash|auth_token|access_token|refresh_token|secret|session_id|key|pin|accessToken|refreshToken|authenticationCode|authentication_code|jwt|api_secret|apiSecret)\b',
 
     # BRAZIL
     'BrazilCPF':r'\b(\d{3}\.){2}\d{3}\-\d{2}\b',

src/offat/tester/test_runner.py

@@ -1,6 +1,7 @@
 from asyncio import ensure_future, gather
 from aiohttp.client_exceptions import ClientProxyConnectionError
 from enum import Enum
+from traceback import print_exc
 from ..http import AsyncRequests
 from ..logger import create_logger
 
@@ -115,4 +116,10 @@ async def run_tests(self, test_tasks:list):
                 )
             )
 
-        return await gather(*tasks)
+        try:
+            results = await gather(*tasks)
+            return results
+        except Exception as e:
+            print(f'[*] Exception occurred while gathering results: {e}')
+            print_exc()
+            return []

src/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "offat"
-version = "0.10.0"
+version = "0.10.1"
 description = "Offensive API tester tool automates checks for common API vulnerabilities"
 authors = ["Dhrumil Mistry <dhrumil.mistry@owasp.org>"]
 license = "MIT"