flipkart-incubator / Astra

Licence: apache-2.0
Automated Security Testing For REST APIs



BH 2018 USA

BH 2018 Europe

Astra


REST API penetration testing is complex because existing APIs change continuously and new APIs keep being added. Astra can be used by security engineers or developers as an integral part of their process, so that vulnerabilities are detected and patched early in the development cycle. Astra can automatically detect and test login and logout (the authentication API), which makes it easy for anyone to integrate into a CI/CD pipeline. Astra can also take an API collection as input, so it can be used to test APIs in standalone mode. It checks for:

  • SQL injection
  • Cross site scripting
  • Information Leakage
  • Broken Authentication and session management
  • CSRF (including Blind CSRF)
  • Rate limit
  • CORS misconfiguration (including CORS bypass techniques)
  • JWT attack
  • CRLF detection
  • Blind XXE injection
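As an added example (not Astra's own code; the project's internals are not shown on this page), the following Python walks a Postman v2 collection the way a collection-driven scanner would, then runs one of the checks from the list above, a CORS misconfiguration check, over constructed responses. The collection, the URLs under api.example.test, the probe origin and the response headers are all constructed for this example.

```python
"""Added example, not part of Astra: enumerate requests from a Postman v2
collection and run a CORS misconfiguration check on recorded responses.
Runs offline; every input below is constructed."""
import json
from typing import Dict, Iterator, List

# Constructed sample: a minimal Postman v2.1 collection with one nested folder.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "demo",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [
        {"name": "Login", "request": {
            "method": "POST",
            "url": {"raw": "https://api.example.test/login"},
            "header": [{"key": "Content-Type", "value": "application/json"}],
            "body": {"mode": "raw", "raw": "{\"user\": \"u\", \"pass\": \"p\"}"}}},
        {"name": "Users", "item": [
            {"name": "List users", "request": {
                "method": "GET",
                "url": "https://api.example.test/users",
                "header": [{"key": "token", "value": "123"}]}},
        ]},
    ],
})


def iter_requests(collection: dict) -> Iterator[dict]:
    """Yield every request in a Postman v2 collection, descending into folders.
    A folder is an item carrying an "item" list instead of a "request"."""
    for item in collection.get("item", []):
        if "item" in item:
            yield from iter_requests(item)
        elif "request" in item:
            req = item["request"]
            url = req.get("url", "")
            if isinstance(url, dict):      # v2.1 stores the URL as an object
                url = url.get("raw", "")
            body = req.get("body") or {}
            yield {
                "name": item.get("name", ""),
                "method": req.get("method", "GET").upper(),
                "url": url,
                "headers": {h["key"]: h["value"] for h in req.get("header", [])
                            if not h.get("disabled")},
                "body": body.get("raw", "") if body.get("mode") == "raw" else "",
            }


def parse_collection(collection_json: str) -> List[dict]:
    """Convenience wrapper: JSON text in, flat list of request records out."""
    return list(iter_requests(json.loads(collection_json)))


def check_cors(origin: str, response_headers: Dict[str, str]) -> List[str]:
    """Flag header combinations that would let another site read this response
    with the user's credentials. `origin` is the Origin header the probe sent."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None or not creds:
        return findings                     # no credentialed cross-origin read
    if acao == "*":
        # Browsers refuse this pairing, but it is still a misconfiguration.
        findings.append("wildcard origin with credentials")
    if acao == origin:
        findings.append("arbitrary origin reflected with credentials")
    if acao == "null":
        findings.append("null origin allowed with credentials")
    return findings


def scan(collection_json: str, responses: Dict[str, Dict[str, str]],
         origin: str) -> Dict[str, List[str]]:
    """Apply check_cors to the recorded response for each collection URL."""
    results: Dict[str, List[str]] = {}
    for req in parse_collection(collection_json):
        hdrs = responses.get(req["url"])
        if hdrs is None:
            continue                        # no response recorded for this endpoint
        hits = check_cors(origin, hdrs)
        if hits:
            results[req["url"]] = hits
    return results


# Constructed responses standing in for what a live probe would have returned.
PROBE_ORIGIN = "https://untrusted.example"
SAMPLE_RESPONSES = {
    "https://api.example.test/login": {
        "Access-Control-Allow-Origin": "https://app.example.test",
        "Access-Control-Allow-Credentials": "true"},
    "https://api.example.test/users": {
        "Access-Control-Allow-Origin": PROBE_ORIGIN,   # origin reflected verbatim
        "Access-Control-Allow-Credentials": "true"},
}

if __name__ == "__main__":
    for r in parse_collection(SAMPLE_COLLECTION):
        print(r["method"], r["url"], r["headers"])
    print(scan(SAMPLE_COLLECTION, SAMPLE_RESPONSES, PROBE_ORIGIN))
```

The login endpoint pins a single trusted origin and is left alone; the users endpoint echoes whatever Origin the probe sent alongside `Access-Control-Allow-Credentials: true`, which is the combination worth fixing.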

Roadmap

https://www.astra-security.info/roadmap/

Requirement

  • Linux or macOS
  • Python 2.7
  • MongoDB

Installation

$ git clone https://github.com/flipkart-incubator/Astra

$ cd Astra

$ sudo pip install -r requirements.txt

Docker Installation

Run Mongo Container:

$ docker pull mongo
$ docker run --name astra-mongo -d mongo

Installing GUI Docker:

$ git clone https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra .
$ docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra

Installing CLI Docker:

$ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra-cli .
$ docker run --rm -it --link astra-mongo:mongo astra-cli 

Dependencies

- requests
- logger
- pymongo
- ConfigParser
- pyjwt
- flask
- sqlmap

Documentation

https://www.astra-security.info

Usage: CLI

$ python astra.py --help

                      _
        /\       | |
       /  \   ___| |_ _ __ __ _
      / /\ \ / __| __| '__/ _` |
     / ____ \__ \ |_| | | (_| |
    /_/    \_\___/\__|_|  \__,_|



usage: astra.py [-h] [-c {Postman,Swagger}] [-n COLLECTION_NAME] [-u URL]
                [-headers HEADERS] [-method {GET,POST}] [-b BODY]
                [-l LOGINURL] [-H LOGINHEADERS] [-d LOGINDATA]

REST API Security testing Framework

optional arguments:
  -h, --help            show this help message and exit
  -c {Postman,Swagger}, --collection_type {Postman,Swagger}
                        Type of API collection
  -n COLLECTION_NAME, --collection_name COLLECTION_NAME
                        Type of API collection
  -u URL, --url URL     URL of target API
  -headers HEADERS, --headers HEADERS
                        Custom headers.Example: {"token" : "123"}
  -method {GET,POST}, --method {GET,POST}
                        HTTP request method
  -b BODY, --body BODY  Request body of API
  -l LOGINURL, --loginurl LOGINURL
                        URL of login API
  -H LOGINHEADERS, --loginheaders LOGINHEADERS
                        Headers should be in a dictionary format. Example:
                        {"accesstoken" : "axzvbqdadf"}
  -d LOGINDATA, --logindata LOGINDATA
                        login data of API

Usage: Web interface

Run api.py and access the web interface at http://127.0.0.1:8094

$ cd API
$ python api.py

Screenshots

New scan (screenshot)

Scan Reports (screenshots)

Detailed Report (screenshot)

Lead Developer

  • Sagar Popat (@popat_sagar)

Credits

  • Ankur Bhargava
  • Harsh Grover
  • Flipkart security team
  • Pardeep Battu