Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/owasp-noir/noir

Attack surface detector that identifies endpoints by static analysis
https://github.com/owasp-noir/noir

attack-surface-detector attack-surfaces crystal crystal-lang devsecops endpoints hacktoberfest noir owasp owasp-noir pentesting security

Last synced: about 3 hours ago
JSON representation

Attack surface detector that identifies endpoints by static analysis

Host: GitHub
URL: https://github.com/owasp-noir/noir
Owner: owasp-noir
License: mit
Created: 2022-03-05T14:19:30.000Z (almost 3 years ago)
Default Branch: main
Last Pushed: 2024-11-17T13:53:50.000Z (26 days ago)
Last Synced: 2024-12-06T07:42:59.267Z (7 days ago)
Topics: attack-surface-detector, attack-surfaces, crystal, crystal-lang, devsecops, endpoints, hacktoberfest, noir, owasp, owasp-noir, pentesting, security
Language: Crystal
Homepage: https://owasp.org/www-project-noir/
Size: 5.55 MB
Stars: 611
Watchers: 11
Forks: 45
Open Issues: 8
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md

Awesome Lists containing this project

WebHackersWeapons - noir - cr/noir?label=%20)|[`endpoint`](/categorize/tags/endpoint.md) [`url`](/categorize/tags/url.md) [`attack-surface`](/categorize/tags/attack-surface.md)|![linux](/images/linux.png)![macos](/images/apple.png)[![Crystal](/images/crystal.png)](/categorize/langs/Crystal.md)| (Weapons / Tools)

README

Attack surface detector that identifies endpoints by static analysis.

Documentation •
Installation •
Available Support Scope •
Usage •
Contributing

OWASP Noir is an open-source project specializing in identifying attack surfaces for enhanced whitebox security testing and security pipeline. This includes the capability to discover API endpoints, web endpoints, and other potential entry points within source code for thorough security analysis.

## Key Features

- Identify API endpoints and parameters from source code.
- Support various source code languages and frameworks.
- Provide analysts with technical information and security issues identified during source code analysis.
- Friendly pipeline & DevOps integration, offering multiple output formats (JSON, YAML, OAS spec) and compatibility with tools like curl and httpie.
- Friendly Offensive Security Tools integration, allowing usage with tools such as ZAP and Caido, Burpsuite.
- Identify security issues within the source code through rule-based passive scanning.
- Generate elegant and clear output results.

## Usage

```bash
noir -h
```

Example
```bash
noir -b
```

![](/docs/images/get_started/basic.png)

JSON Result
```
noir -b . -u https://testapp.internal.domains -f json -T
```

```json
{
"endpoints": [
{
"url": "https://testapp.internal.domains/query",
"method": "POST",
"params": [
{
"name": "my_auth",
"value": "",
"param_type": "cookie",
"tags": []
},
{
"name": "query",
"value": "",
"param_type": "form",
"tags": [
{
"name": "sqli",
"description": "This parameter may be vulnerable to SQL Injection attacks.",
"tagger": "Hunt"
}
]
}
],
"details": {
"code_paths": [
{
"path": "spec/functional_test/fixtures/crystal_kemal/src/testapp.cr",
"line": 8
}
]
},
"protocol": "http",
"tags": []
}
]
}
```

For more details, please visit our [documentation](https://owasp-noir.github.io/noir/) page.

## Contributing

Noir is open-source project and made it with ❤️
if you want contribute this project, please see [CONTRIBUTING.md](./CONTRIBUTING.md) and Pull-Request with cool your contents.

[![](./CONTRIBUTORS.svg)](https://github.com/owasp-noir/noir/graphs/contributors)

*PassiveScan Rule contributors*

[![](https://raw.githubusercontent.com/owasp-noir/noir-passive-rules/refs/heads/main/CONTRIBUTORS.svg)](https://github.com/owasp-noir/noir-passive-rules/graphs/contributors)