Astra : Automated Security Testing For REST API’s

REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during development cycle.

It can automatically detect and test login & logout (Authentication API), so it’s easy for anyone to integrate this into CICD pipeline. It can take API collection as an input so this can also be used for testing apis in standalone mode.

  • SQL injection
  • Cross site scripting
  • Information Leakage
  • Broken Authentication and session management
  • CSRF (including Blind CSRF)
  • Rate limit
  • CORS misconfiguration (including CORS bypass techniques)
  • JWT attack
  • CRLF detection
  • Blind XXE injection

Also Read – Pypykatz : Mimikatz Implementation In Pure Python

Requirement

  • Linux or MacOS
  • Python 2.7
  • mongoDB

Installation

$ git clone https://github.com/flipkart-incubator/Astra
$ cd Astra
$ sudo pip install -r requirements.txt

Docker Installation

  • Run Mongo Container:

$ docker pull mongo
$ docker run –name astra-mongo -d mongo

  • Installing GUI Docker:

$ git clone https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra .
$ docker run –rm -it –link astra-mongo:mongo -p 8094:8094 astra

  • Installing CLI Docker :

$ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra-cli .
$ docker run –rm -it –link astra-mongo:mongo astra-cli

Dependencies

– requests
– logger
– pymongo
– ConfigParser
– pyjwt
– flask
– sqlmap

Documentation

https://www.astra-security.info

Usage: CLI

$ python astra.py –help

Usage: astra.py [-h] [-c {Postman,Swagger}] [-n COLLECTION_NAME] [-u URL]
[-headers HEADERS] [-method {GET,POST}] [-b BODY]
[-l LOGINURL] [-H LOGINHEADERS] [-d LOGINDATA]

REST API Security testing Framework

Optional arguments:
-h, –help show this help message and exit
-c {Postman,Swagger}, –collection_type {Postman,Swagger}
Type of API collection
-n COLLECTION_NAME, –collection_name COLLECTION_NAME
Type of API collection
-u URL, –url URL URL of target API
-headers HEADERS, –headers HEADERS
Custom headers.Example: {“token” : “123”}
-method {GET,POST}, –method {GET,POST}
HTTP request method
-b BODY, –body BODY Request body of API
-l LOGINURL, –loginurl LOGINURL
URL of login API
-H LOGINHEADERS, –loginheaders LOGINHEADERS
Headers should be in a dictionary format. Example:
{“accesstoken” : “axzvbqdadf”}
-d LOGINDATA, –logindata LOGINDATA
login data of API

Usage: Web interface

Run the api.py and access the web interface at http://127.0.0.1:8094

$ cd API
$ python api.py

Screenshots

  • New scan
  • Scan Reports
  • Detailed Report

Credits

  • Ankur Bhargava
  • Harsh Grover
  • Flipkart security team
  • Pardeep Battu
R K

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

2 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

2 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

4 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

7 hours ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

7 hours ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

1 day ago