Automatically Tests for vulnerabilities after generating tests from openapi specification file. Project is in Beta stage, so sometimes it might crash while running.
Project proposal has been approved by the OWASP Foundation. As a result, OFFAT will now be taken care of within the OWASP Repository and will go by the name OWASP OFFAT.
For the most up-to-date releases and updates, be sure to check out the OWASP OFFAT Repository at this link.
- Restricted HTTP Methods
- SQLi
- BOLA (Might need few bug fixes)
- Data Exposure (Detects Common Data Exposures)
- BOPLA / Mass Assignment
- Broken Access Control
- Basic Command Injection
- Basic XSS/HTML Injection test
- Broken Authentication
- Few Security Checks from OWASP API Top 10
- Automated Testing
- User Config
- API for Automating tests and Integrating Tool with other platforms/tools
- CLI tool
- Dockerized Project for Easy Usage
- Open Source Tool with MIT License
Period | Count |
---|---|
Weekly | |
Monthy | |
Total |
The disclaimer advises users to use the open-source project for ethical and legitimate purposes only and refrain from using it for any malicious activities. The creators and contributors of the project are not responsible for any illegal activities or damages that may arise from the misuse of the project. Users are solely responsible for their use of the project and should exercise caution and diligence when using it. Any unauthorized or malicious use of the project may result in legal action and other consequences.
-
Install main branch using pip
python3 -m pip install git+https://github.com/dmdhrumilmistry/offat.git
-
Install Release from PyPi
python3 -m pip install offat # only cli tool python3 -m pip install offat[api] # cli + api
-
Build Image
make build-local-images
-
CLI Tool
docker run --rm dmdhrumilmistry/offat
-
API
docker compose up -d
POST
openapi
documentation to/api/v1/scan/
endpoint with its validtype
(json/yaml);job_id
will be returned,job_id
should
-
Open terminal
-
Install git package
sudo apt install git python3 -y
-
Install Poetry
-
clone the repository to your machine
git clone https://github.com/dmdhrumilmistry/offat.git
-
Change directory
cd offat
-
install with poetry
# without options poetry install
-
Start API Server
python -m offat.api
-
API Documentation can be found at http://localhost:8000/docs
-
Run offat
offat -f swagger_file.json
-
To get all the commands use
help
offat -h
-
Run tests only for endpoint paths matching regex pattern
offat -f swagger_file.json -pr '/user'
-
Add headers to requests
offat -f swagger_file.json -H 'Accept: application/json' -H 'Authorization: Bearer YourJWTToken'
-
Run Test with Requests Rate Limited
offat -f swagger_file.json -rl 1000 -dr 0.001
rl
: requests rate limit,dr
: delay between requests -
Use user provided inputs for generating tests
offat -f swagger_file.json -tdc test_data_config.yaml
test_data_config.yaml
actors: - actor1: request_headers: - name: Authorization value: Bearer [Token1] - name: User-Agent value: offat-actor1 query: - name: id value: 145 type: int - name: country value: uk type: str - name: city value: london type: str body: - name: name value: actorone type: str - name: email value: [email protected] type: str - name: phone value: +11233211230 type: str unauthorized_endpoints: # For broken access control - '/store/order/.*' - actor2: request_headers: - name: Authorization value: Bearer [Token2] - name: User-Agent value: offat-actor2 query: - name: id value: 199 type: int - name: country value: uk type: str - name: city value: leeds type: str body: - name: name value: actortwo type: str - name: email value: [email protected] type: str - name: phone value: +41912312311 type: str
If you're using Termux or windows, then use
pip
instead ofpip3
.
Few features are only for linux os, hence they might not work on windows and require admin priviliges.
- Create an issue
- Fork the repo, update script and create a Pull Request
Refer CONTRIBUTIONS.md for contributing to the project.
Offat is distributed under MIT
License. Refer License for more information.
Platforms | ||
---|---|---|