https://github.com/owasp-noir/noir

Attack surface detector that identifies endpoints by static analysis

attack-surface-detector attack-surfaces crystal crystal-lang devsecops endpoints hacktoberfest noir owasp owasp-noir pentesting security

OWASP Noir Logo

Attack surface detector that identifies endpoints by static analysis.


- Installation
- Documentation
- Available Support Scope
- Usage
- Contributing

## Key Features

- Identifies API endpoints and their parameters from source code, without running the application.
- Supports a wide range of languages and web frameworks (see the support table below).
- Gives analysts technical context (source file and line of each endpoint) and flags parameters that look security-relevant during analysis.
- Integrates cleanly into pipelines and DevOps workflows: output in JSON, YAML or an OpenAPI (OAS) spec, and output that can be fed straight to curl and httpie.
- Integrates with offensive security tooling such as ZAP, Caido and Burp Suite.
- Produces clear, readable output.

## Available Support Scope

Endpoint Entities

- Path
- Method
- Param
- Header
- Cookie
- Protocol (e.g. ws)
- Details (e.g. the source location the endpoint was found at)

Languages and Frameworks

| Language | Framework | URL | Method | Param | Header | Cookie | WS |
|----------|-------------|-----|--------|-------|--------|--------|----|
| Crystal | Kemal | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Crystal | Lucky | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| Go | Beego | ✅ | ✅ | X | X | X | X |
| Go | Echo | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| Go | Gin | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| Go | Fiber | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Python | Django | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| Python | Flask | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| Python | FastAPI | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Ruby | Rails | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| Ruby | Sinatra | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| Ruby | Hanami | ✅ | ✅ | X | X | X | X |
| PHP | | ✅ | ✅ | ✅ | ✅ | X | X |
| Java | JSP | ✅ | ✅ | ✅ | X | X | X |
| Java | Armeria | ✅ | ✅ | X | X | X | X |
| Java | Spring | ✅ | ✅ | ✅ | ✅ | X | X |
| Kotlin | Spring | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| JS | Express | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| JS | Restify | ✅ | ✅ | ✅ | ✅ | ✅ | X |
| Rust | Axum | ✅ | ✅ | X | X | X | X |
| Rust | Rocket | ✅ | ✅ | X | X | X | X |
| Elixir | Phoenix | ✅ | ✅ | X | X | X | ✅ |
| C# | ASP.NET MVC | ✅ | X | X | X | X | X |
| JS | Next | X | X | X | X | X | X |

Specification

| Specification | Format | URL | Method | Param | Header | WS |
|------------------------|---------|-----|--------|-------|--------|----|
| OAS 2.0 (Swagger 2.0) | JSON | ✅ | ✅ | ✅ | ✅ | X |
| OAS 2.0 (Swagger 2.0) | YAML | ✅ | ✅ | ✅ | ✅ | X |
| OAS 3.0 | JSON | ✅ | ✅ | ✅ | ✅ | X |
| OAS 3.0 | YAML | ✅ | ✅ | ✅ | ✅ | X |
| RAML | YAML | ✅ | ✅ | ✅ | ✅ | X |
| HAR | JSON | ✅ | ✅ | ✅ | ✅ | X |

## Installation
### Homebrew

```bash
brew install noir

# https://formulae.brew.sh/formula/noir
```

### Snapcraft

```bash
sudo snap install noir

# https://snapcraft.io/noir
```

### From Source
```bash
# Install Crystal
# https://crystal-lang.org/install/

# Clone this repo
git clone https://github.com/owasp-noir/noir
cd noir

# Install dependencies
shards install

# Build a release binary (written to ./bin/noir)
shards build --release --no-debug

# Copy the binary onto your PATH (writing to /usr/bin requires root)
cp ./bin/noir /usr/bin/
```

### Docker (GHCR)
```bash
docker pull ghcr.io/owasp-noir/noir:main
```

## Usage

```bash
noir -h
```

Example (scan the current directory; `-b` is the base path of the source tree to analyse)
```bash
noir -b .
```

![](/docs/images/get_started/basic.png)

JSON result (`-u` sets the base URL prefixed to every discovered path, `-f json` selects the output format, `-T` enables parameter tagging)
```bash
noir -b . -u https://testapp.internal.domains -f json -T
```

```json
{
  "url": "https://testapp.internal.domains/query",
  "method": "POST",
  "params": [
    {
      "name": "my_auth",
      "value": "",
      "param_type": "cookie",
      "tags": []
    },
    {
      "name": "query",
      "value": "",
      "param_type": "form",
      "tags": [
        {
          "name": "sqli",
          "description": "This parameter may be vulnerable to SQL Injection attacks.",
          "tagger": "Hunt"
        }
      ]
    }
  ],
  "details": {
    "code_paths": [
      {
        "path": "spec/functional_test/fixtures/crystal_kemal/src/testapp.cr",
        "line": 8
      }
    ]
  },
  "protocol": "http",
  "tags": []
}
```
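The JSON above is what makes the pipeline and curl/httpie integration from the Key Features list practical: downstream tooling can consume it without screen-scraping. The following is an added example (not part of Noir) of a small triage script that parses that output, lists every parameter a tagger flagged together with its source location, and turns each endpoint into a curl command with parameters placed according to their `param_type`. It assumes that `noir -f json` emits an array of endpoint objects shaped like the single object shown above; the `query`, `json` and `header` param types it handles beyond the page's `cookie` and `form` are assumed, as is the `FUZZ` placeholder name. The sample input is the README's own endpoint, embedded as constructed data.

```python
"""Triage helper for OWASP Noir JSON output.

Added example, not part of the Noir project. Assumption: `noir -f json`
emits a JSON array of endpoint objects shaped like the README sample.
"""
import json
import shlex
from typing import Any

# Constructed input: the README's sample endpoint, wrapped in a list.
SAMPLE_NOIR_JSON = """
[
  {
    "url": "https://testapp.internal.domains/query",
    "method": "POST",
    "params": [
      {"name": "my_auth", "value": "", "param_type": "cookie", "tags": []},
      {"name": "query", "value": "", "param_type": "form",
       "tags": [{"name": "sqli",
                 "description": "This parameter may be vulnerable to SQL Injection attacks.",
                 "tagger": "Hunt"}]}
    ],
    "details": {"code_paths": [
      {"path": "spec/functional_test/fixtures/crystal_kemal/src/testapp.cr", "line": 8}]},
    "protocol": "http",
    "tags": []
  }
]
"""

# Placeholder value for parameters Noir found but has no value for (assumed name).
PLACEHOLDER = "FUZZ"


def load_endpoints(text: str) -> list[dict[str, Any]]:
    """Parse Noir JSON; tolerate a single endpoint object as well as a list."""
    data = json.loads(text)
    return [data] if isinstance(data, dict) else data


def tagged_params(endpoints: list[dict[str, Any]]) -> list[tuple[str, ...]]:
    """One row per (endpoint, param, tag): method, url, param, type, tag, tagger, source."""
    rows = []
    for ep in endpoints:
        paths = ep.get("details", {}).get("code_paths", [])
        where = ", ".join(f"{c['path']}:{c['line']}" for c in paths) or "?"
        for p in ep.get("params", []):
            for tag in p.get("tags", []):
                rows.append((ep["method"], ep["url"], p["name"], p["param_type"],
                             tag["name"], tag.get("tagger", ""), where))
    return rows


def to_curl(ep: dict[str, Any]) -> str:
    """Build a curl command for one endpoint, placing each param by its type.

    query  -> appended to the URL       form -> -d name=value
    json   -> JSON request body         header -> -H, cookie -> -b
    Unknown types are ignored rather than guessed.
    """
    url = ep["url"]
    args = ["curl", "-sS", "-X", ep["method"]]
    query, form, body = [], [], {}
    for p in ep.get("params", []):
        name, kind = p["name"], p["param_type"]
        value = p.get("value") or PLACEHOLDER
        if kind == "query":
            query.append(f"{name}={value}")
        elif kind == "form":
            form.append(f"{name}={value}")
        elif kind == "json":
            body[name] = value
        elif kind == "header":
            args += ["-H", f"{name}: {value}"]
        elif kind == "cookie":
            args += ["-b", f"{name}={value}"]
    if query:
        url += ("&" if "?" in url else "?") + "&".join(query)
    for item in form:
        args += ["-d", item]
    if body:
        args += ["-H", "Content-Type: application/json", "-d", json.dumps(body)]
    args.append(url)
    # shlex.quote keeps the command safe to paste even if Noir found odd characters.
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    endpoints = load_endpoints(SAMPLE_NOIR_JSON)
    for row in tagged_params(endpoints):
        print("TAGGED  %s %s  param=%s (%s)  tag=%s by %s  at %s" % row)
    for ep in endpoints:
        print(to_curl(ep))
```

To use it on a real scan, pipe the tool's output in (`noir -b . -u https://target -f json -T > noir.json`) and call `load_endpoints(open("noir.json").read())`; the tagged rows are the ones worth looking at first, and the generated curl lines are placeholders to replace with real values before sending anything.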

For more details, please visit our [documentation](https://owasp-noir.github.io/noir/) page.

## Contributing
Noir is an open-source project made with ❤️.
If you want to contribute, please see [CONTRIBUTING.md](./CONTRIBUTING.md) and open a pull request with your contribution.

![](./CONTRIBUTORS.svg)