https://github.com/owasp-noir/noir
Attack surface detector that identifies endpoints by static analysis
- Host: GitHub
- URL: https://github.com/owasp-noir/noir
- Owner: owasp-noir
- License: mit
- Created: 2022-03-05T14:19:30.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2025-04-05T15:09:56.000Z (10 days ago)
- Last Synced: 2025-04-06T01:44:31.130Z (9 days ago)
- Topics: attack-surface-detector, attack-surfaces, crystal, crystal-lang, devsecops, endpoints, hacktoberfest, noir, owasp, owasp-noir, pentesting, security
- Language: Crystal
- Homepage: https://owasp.org/www-project-noir/
- Size: 8.04 MB
- Stars: 684
- Watchers: 11
- Forks: 48
- Open Issues: 12
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
- WebHackersWeapons - noir (Weapons / Tools); tags: `endpoint`, `url`, `attack-surface`
README
Attack surface detector that identifies endpoints by static analysis.
OWASP Noir is an open-source project that specializes in identifying attack surfaces for enhanced white-box security testing and security pipelines. It discovers API endpoints, web endpoints, and other potential entry points in source code for thorough security analysis.
## Key Features
- Extract API endpoints and parameters from source code.
- Support multiple languages and frameworks.
- Uncover security issues with detailed analysis and rule-based passive scanning.
- Integrate seamlessly with DevOps pipelines and tools like curl, ZAP, and Caido.
- Deliver clear, actionable results in formats like JSON, YAML, and OAS.
- Enhance endpoint discovery with AI for unfamiliar frameworks and hidden APIs.
## Usage
```bash
noir -h
```
Example
```bash
noir -b <BASE_PATH>
```
JSON Result
```bash
noir -b . -u https://testapp.internal.domains -f json -T
```
```json
{
"endpoints": [
{
"url": "https://testapp.internal.domains/query",
"method": "POST",
"params": [
{
"name": "my_auth",
"value": "",
"param_type": "cookie",
"tags": []
},
{
"name": "query",
"value": "",
"param_type": "form",
"tags": [
{
"name": "sqli",
"description": "This parameter may be vulnerable to SQL Injection attacks.",
"tagger": "Hunt"
}
]
}
],
"details": {
"code_paths": [
{
"path": "spec/functional_test/fixtures/crystal_kemal/src/testapp.cr",
"line": 8
}
]
},
"protocol": "http",
"tags": []
}
]
}
```
For more details, please visit our [documentation](https://owasp-noir.github.io/noir/) page.
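One way to consume the JSON result in a review pipeline, as an added example that is not part of the Noir project: it lists every parameter that carries a passive-scan tag together with the source location to inspect. The field names are taken from the JSON result above; the function names `tagged_params` and `format_item` are hypothetical, and the embedded sample is that result, trimmed.

```python
import json

# Constructed sample: the report shown above, trimmed to the fields this script reads.
SAMPLE_REPORT = """
{"endpoints": [{
  "url": "https://testapp.internal.domains/query",
  "method": "POST",
  "params": [
    {"name": "my_auth", "value": "", "param_type": "cookie", "tags": []},
    {"name": "query", "value": "", "param_type": "form",
     "tags": [{"name": "sqli",
               "description": "This parameter may be vulnerable to SQL Injection attacks.",
               "tagger": "Hunt"}]}
  ],
  "details": {"code_paths": [
    {"path": "spec/functional_test/fixtures/crystal_kemal/src/testapp.cr", "line": 8}]},
  "protocol": "http",
  "tags": []
}]}
"""

def tagged_params(report):
    """Return one review item per (parameter, tag) pair, with its source location."""
    items = []
    for ep in report.get("endpoints", []):
        # An endpoint may lack details or code paths; keep it reviewable anyway.
        paths = (ep.get("details") or {}).get("code_paths") or []
        where = [f'{p.get("path")}:{p.get("line")}' for p in paths] or ["<no code path>"]
        for param in ep.get("params", []):
            for tag in param.get("tags", []):
                items.append({
                    "method": ep.get("method"), "url": ep.get("url"),
                    "param": param["name"], "param_type": param["param_type"],
                    "tag": tag["name"], "tagger": tag.get("tagger"), "where": where,
                })
    return items

def format_item(item):
    """Render one review item as a single line for a CI log or ticket."""
    return (f'{item["method"]} {item["url"]} {item["param_type"]}:{item["param"]} '
            f'[{item["tag"]} via {item["tagger"]}] {", ".join(item["where"])}')

if __name__ == "__main__":
    for item in tagged_params(json.loads(SAMPLE_REPORT)):
        print(format_item(item))
```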
## Contributing
Noir is an open-source project made with ❤️.
If you want to contribute to this project, please see [CONTRIBUTING.md](./CONTRIBUTING.md) and open a pull request with your cool content.
[Contributors](https://github.com/owasp-noir/noir/graphs/contributors)
*PassiveScan Rule contributors*
[Contributors](https://github.com/owasp-noir/noir-passive-rules/graphs/contributors)