bbva / apicheck Goto Github PK

The most commands in ApiCheck return a json structure that represent the request.

The proposed command will perform the request json and return the response json.

When issuing use-problem-json-for-errors, the message shows an inconsistency between the URL and the name:
Name: RFC 7807
URL: https://tools.ietf.org/html/rfc6648

Star tool, the most asked for. We can compare the captured traffic with the openapi definition and alert when discrepancies are found.

Following the documentation I can't produce a new tool:

nil at xan in ~/Project/apicheck/apicheck/apicheck/tools (master) (apicheck-srmIl9AW) 
$ at-manage create-tool replay
usage: at-manage create-tool [-h] --dest DEST name
at-manage create-tool: error: the following arguments are required: --dest/-d

nil at xan in ~/Project/apicheck/apicheck/apicheck/tools (master) (apicheck-srmIl9AW) 
$ at-manage create-tool -d replay replay
usage: at-manage [-h] -C DB_CONNECTION_STRING
                 [--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
                 {api,create-tool,definition} ...
at-manage: error: the following arguments are required: -C/--connection-string

nil at xan in ~/Project/apicheck/apicheck/apicheck/tools (master) (apicheck-srmIl9AW) 
$ at-manage -C sqlite:///lala create-tool -d replay replay
Traceback (most recent call last):
  File "/home/nil/.local/share/virtualenvs/apicheck-srmIl9AW/bin/at-manage", line 11, in <module>
    load_entry_point('apicheck', 'console_scripts', 'at-manage')()
  File "/home/nil/Project/apicheck/apicheck/apicheck/tools/manage/cli.py", line 71, in cli
    running_config = config(**cli_config)
TypeError: run() got an unexpected keyword argument 'db_connection_string'

As of now, we assumed that both query params and headers could be informed only once (per request). @nilp0inter brought some light into this, and clarified that the HTTP RFC clearly speficies the opposite.

We have to update at-proxy as well as ac-replay to handle these cases. Right now they will fail if multiple headers and/or query params are used.

Hi guys,

I am trying to follow the installation instructions and when I type this command an error message is returned:

docker run --rm bbvalabs/apicheck -h

Unable to find image 'bbvalabs/apicheck:latest' locally
docker: Error response from daemon: pull access denied for bbvalabs/apicheck, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.

Any idea?

Thx

Code it's text. Text can checked to detect several framework's endpoints.
With a litte intelligence we can guess what the endpoints are.

Issue:
When trying to pass the custom ruleset to sensitive-data detector with either -r or --rules-file options it throws an error:
[!!] 'list' object has no attribute 'update'

Reproduce error:

1. Passed the following command:
   acurl https://mockbin.org/bin/60dfe0f7-8f4e-4063-a940-7162d1ec3cc1 | sensitive-data -r rules.yaml
2. Mockbin with password header set at: https://mockbin.org/bin/60dfe0f7-8f4e-4063-a940-7162d1ec3cc1/view#apiembed
3. Custom rule set (was taken from core):
   - id: core-001 description: Find 'password' keyword in flow data regex: '([pP][aA][sS][sS][wW][oO][rR][dD])' severity: Medium # Allowed values: Low, Medium, High searchIn: All # Allowed values: Response, Request, Headers, All
4. File name is rules.yaml

Notes:
Found that function load hardcoded 'rules.yaml' file name at: https://github.com/BBVA/apicheck/blob/master/tools/sensitive-data/sensitive_data/__main__.py#L79

Maybe that is the reason for error?

Tried to change the rule filename and id name in rule file. Result is same.

Some times (too frecuently in my oppinion) there is no OpenApi file.

The proposed tool will create an OpenApi file from proxy captured traffic.

Will be awesome

The entry point for JWT checker is not valid anymore (due to the tool name changed?)

Proposal

I'm willing to provide another OAS3 linting tool based on Spectral. I'm working on a set of security rules which are not provided by speccy, to ensure:

• numbers, strings and arrays are properly constrained;
• endpoints use https://
• Cache policy prevent euristic caching
• PATCH content-type avoids bad behavior

Notes

• I chose Spectral because it supports both javascript and yaml rules;
• rule sources are here
  but you can just use the assembled spectral.yml
• the initial work on security rules is here and it will be delivered in another file (eg. spectral-security.yml)

Your feedback is welcome!

after successful installation of apicheck-proxy on macOS Big Sur, I am getting this error message

$ apicheck-proxy
usage: mitmdump [options] [filter]
mitmdump: error: ambiguous option: --cert could match --certs, --cert-passphrase

--cert is deprecated.
Please use --certs instead.

With captured traffic replay all requests

Related to: #5

The Rules file must have a mechanism to tell apicheck when you want to pic one random element for each dictionary or when you want to visit all dictionary combinations.

For all users add this basic example

Study this projert to see if it has something that can be added to jwt_check tool

think, this is a good tool to detect HTTP package, but need to add url level detection

RIght now every time that you declare a dicctionary a random element is picked at data generation. So, you can't know if every item is visited or not.
In order to make a dictionary combinator the actual combinator must receive the dictionary elements as parameters. This enable to choose one random o combine dictionary values afterwards.

Rigth now the code it's more PoC and less stable. Test and TDD from now please.

We can move the _apicheck tree to a zip, to prevent dependabot from making noise, since it is not used anymore.

Right now the transformation engine is call Rule. But it is more than a tool, can made a lot of things.
How sould we name it?

Rigth now you can fuzz when generate data from open api.
If we enable fuzz within the rules we be able to fuzz the proxy captured traffic also.