Skip to content

/Astra

Automated Security Testing For REST API's
security restapiautomation python owasp penetration-testing-framework postman-collection ci-cd sdlc penetration-testing security-automation
  1. Python 85.3%
  2. HTML 10.7%
  3. CSS 2.7%
  4. JavaScript 1.2%
  5. Dockerfile 0.1%
Branch: master
Find File
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching Xcode...

If nothing happens, download Xcode and try again.

Launching Visual Studio...

If nothing happens, download the GitHub extension for Visual Studio and try again.

@sagarpo
sagarpo Merge pull request #92 from flipkart-incubator/dev 
Added logs folder
Latest commit 394d538 Apr 5, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
API
Dashboard UI changes Nov 24, 2018
Payloads Added CRLF module Aug 1, 2018
core Auto Login detection improvement Jul 25, 2018
docs Update installation.md May 17, 2018
logs Added logs folder Apr 5, 2019
modules 19/02/28 fix sqlmap issue Feb 28, 2019
utils 19/02/28 fix sqlmap issue Feb 28, 2019
.dockerignore add Docker support May 4, 2018
.gitignore 19/04/05 delete some files for pr Apr 5, 2019
Dockerfile Added Docker support for GUI May 14, 2018
LICENSE Create LICENSE Jan 10, 2018
README.md Update README.md Dec 10, 2018
astra.py Added security-headers-missing module that checks for various securit… Dec 5, 2018
mkdocs.yml Added docs for usage, credits, roadmap Apr 24, 2018
requirements.txt Update README file Apr 6, 2018

README.md

Github Release Version Github Release Version

BH 2018 USA

BH 2018 Europe

Astra

alt text

REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into CICD pipeline. Astra can take API collection as an input so this can also be used for testing apis in standalone mode.

  • SQL injection
  • Cross site scripting
  • Information Leakage
  • Broken Authentication and session management
  • CSRF (including Blind CSRF)
  • Rate limit
  • CORS misconfiguration (including CORS bypass techniques)
  • JWT attack
  • CRLF detection
  • Blind XXE injection

Roadmap

https://www.astra-security.info/roadmap/

Requirement

  • Linux or MacOS
  • Python 2.7
  • mongoDB

Installation

$ git clone https://github.com/flipkart-incubator/Astra

$ cd Astra

$ sudo pip install -r requirements.txt

Docker Installation

Run Mongo Container:

$ docker pull mongo
$ docker run --name astra-mongo -d mongo

Installing GUI Docker:

$ git clone https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra .
$ docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra

Installing CLI Docker :

$ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra-cli .
$ docker run --rm -it --link astra-mongo:mongo astra-cli

Dependencies

- requests
- logger
- pymongo
- ConfigParser
- pyjwt
- flask
- sqlmap

Documentation

https://www.astra-security.info

Usage: CLI

$ python astra.py --help

                      _
        /\       | |
       /  \   ___| |_ _ __ __ _
      / /\ \ / __| __| '__/ _` |
     / ____ \__ \ |_| | | (_| |
    /_/    \_\___/\__|_|  \__,_|



usage: astra.py [-h] [-c {Postman,Swagger}] [-n COLLECTION_NAME] [-u URL]
                [-headers HEADERS] [-method {GET,POST}] [-b BODY]
                [-l LOGINURL] [-H LOGINHEADERS] [-d LOGINDATA]

REST API Security testing Framework

optional arguments:
  -h, --help            show this help message and exit
  -c {Postman,Swagger}, --collection_type {Postman,Swagger}
                        Type of API collection
  -n COLLECTION_NAME, --collection_name COLLECTION_NAME
                        Type of API collection
  -u URL, --url URL     URL of target API
  -headers HEADERS, --headers HEADERS
                        Custom headers.Example: {"token" : "123"}
  -method {GET,POST}, --method {GET,POST}
                        HTTP request method
  -b BODY, --body BODY  Request body of API
  -l LOGINURL, --loginurl LOGINURL
                        URL of login API
  -H LOGINHEADERS, --loginheaders LOGINHEADERS
                        Headers should be in a dictionary format. Example:
                        {"accesstoken" : "axzvbqdadf"}
  -d LOGINDATA, --logindata LOGINDATA
                        login data of API

Usage: Web interface

Run the api.py and access the web interface at http://127.0.0.1:8094

$ cd API
$ python api.py

Screenshots

New scan

alt text

Scan Reports

alt text

alt text

Detailed Report

alt text

Lead Developer

  • Sagar Popat (@popat_sagar)

Credits

  • Ankur Bhargava
  • Harsh Grover
  • Flipkart security team
  • Pardeep Battu
You can’t perform that action at this time.