REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during development cycle.
It can automatically detect and test login & logout (Authentication API), so it’s easy for anyone to integrate this into CICD pipeline. It can take API collection as an input so this can also be used for testing apis in standalone mode.
Also Read – Pypykatz : Mimikatz Implementation In Pure Python
Requirement
Installation
$ git clone https://github.com/flipkart-incubator/Astra
$ cd Astra
$ sudo pip install -r requirements.txt
Docker Installation
$ docker pull mongo
$ docker run –name astra-mongo -d mongo
$ git clone https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra .
$ docker run –rm -it –link astra-mongo:mongo -p 8094:8094 astra
$ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra-cli .
$ docker run –rm -it –link astra-mongo:mongo astra-cli
Dependencies
– requests
– logger
– pymongo
– ConfigParser
– pyjwt
– flask
– sqlmap
Documentation
https://www.astra-security.info
Usage: CLI
$ python astra.py –help
Usage: astra.py [-h] [-c {Postman,Swagger}] [-n COLLECTION_NAME] [-u URL]
[-headers HEADERS] [-method {GET,POST}] [-b BODY]
[-l LOGINURL] [-H LOGINHEADERS] [-d LOGINDATA]
REST API Security testing Framework
Optional arguments:
-h, –help show this help message and exit
-c {Postman,Swagger}, –collection_type {Postman,Swagger}
Type of API collection
-n COLLECTION_NAME, –collection_name COLLECTION_NAME
Type of API collection
-u URL, –url URL URL of target API
-headers HEADERS, –headers HEADERS
Custom headers.Example: {“token” : “123”}
-method {GET,POST}, –method {GET,POST}
HTTP request method
-b BODY, –body BODY Request body of API
-l LOGINURL, –loginurl LOGINURL
URL of login API
-H LOGINHEADERS, –loginheaders LOGINHEADERS
Headers should be in a dictionary format. Example:
{“accesstoken” : “axzvbqdadf”}
-d LOGINDATA, –logindata LOGINDATA
login data of API
Usage: Web interface
Run the api.py and access the web interface at http://127.0.0.1:8094
$ cd API
$ python api.py
Screenshots
Credits
Learning Without Walls Remote education has long been a lifeline for students in rural areas…
Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…