https://github.com/OWASP/OFFAT

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
https://github.com/OWASP/OFFAT

api-hacking api-rest api-security api-security-testing offat owasp

Last synced: about 1 month ago
JSON representation

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.

• Host: GitHub
• URL: https://github.com/OWASP/OFFAT
• Owner: OWASP
• License: mit
• Created: 2023-09-25T19:32:21.000Z (12 months ago)
• Default Branch: dev
• Last Pushed: 2024-07-30T09:12:39.000Z (about 2 months ago)
• Last Synced: 2024-07-30T14:11:34.364Z (about 2 months ago)
• Topics: api-hacking, api-rest, api-security, api-security-testing, offat, owasp
• Language: Python
• Homepage: http://owasp.org/OFFAT/
• Size: 6.36 MB
• Stars: 432
• Watchers: 14
• Forks: 64
• Open Issues: 3
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE.md
  • Codeowners: .github/CODEOWNERS
  • Security: SECURITY.md

Awesome Lists containing this project

• awesome-api-security - OFFAT

README

        
# OWASP OFFAT

OWASP OFFAT (OFFensive Api Tester) is created to automatically test API for common vulnerabilities after generating tests from openapi specification file. It provides feature to automatically fuzz inputs and use user provided inputs during tests specified via YAML config file.

![UnDocumented petstore API endpoint HTTP method results](https://owasp.org/OFFAT/assets/images/tests/offat-v0.5.0.png)

## Demo

[![asciicast](https://asciinema.org/a/9MSwl7UafIVT3iJn13OcvWXeF.svg)](https://asciinema.org/a/9MSwl7UafIVT3iJn13OcvWXeF)

> Note: The columns for 'data_leak' and 'result' in the table represent independent aspects. It's possible for there to be a data leak in the endpoint, yet the result for that endpoint may still be marked as 'Success'. This is because the 'result' column doesn't necessarily reflect the overall test result; it may indicate success even in the presence of a data leak.

## Security Checks

-   Restricted HTTP Methods

-   SQLi

-   BOLA

-   Data Exposure

-   BOPLA / Mass Assignment

-   Broken Access Control

-   Basic Command Injection

-   Basic XSS/HTML Injection test

## Features

-   Few Security Checks from OWASP API Top 10

-   Automated Testing

-   User Config Based Testing

-   API for Automating tests and Integrating Tool with other platforms/tools

-   CLI tool

-   Dockerized Project for Easy Usage

-   Open Source Tool with MIT License

## Try Tool

-   Install Tool using pip

```bash

python -m pip install offat

```

-   Run Tool

```bash

offat -f swagger_file.json

```

-   For more usage options read [README.md](https://github.com/OWASP/OFFAT/blob/main/src/README.md)