bbva / apicheck
The DevSecOps toolset for REST APIs
Home Page: https://bbva.github.io/apicheck/
License: Apache License 2.0
Most commands in ApiCheck return a JSON structure that represents the request.
The proposed command will perform the request JSON and return the response JSON.
When issuing use-problem-json-for-errors, the message shows an inconsistency between the URL and the name:
Name: RFC 7807
URL: https://tools.ietf.org/html/rfc6648
Star tool, the most asked for. We can compare the captured traffic with the openapi definition and alert when discrepancies are found.
Following the documentation I can't produce a new tool:
nil at xan in ~/Project/apicheck/apicheck/apicheck/tools (master) (apicheck-srmIl9AW)
$ at-manage create-tool replay
usage: at-manage create-tool [-h] --dest DEST name
at-manage create-tool: error: the following arguments are required: --dest/-d
nil at xan in ~/Project/apicheck/apicheck/apicheck/tools (master) (apicheck-srmIl9AW)
$ at-manage create-tool -d replay replay
usage: at-manage [-h] -C DB_CONNECTION_STRING
[--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
{api,create-tool,definition} ...
at-manage: error: the following arguments are required: -C/--connection-string
nil at xan in ~/Project/apicheck/apicheck/apicheck/tools (master) (apicheck-srmIl9AW)
$ at-manage -C sqlite:///lala create-tool -d replay replay
Traceback (most recent call last):
File "/home/nil/.local/share/virtualenvs/apicheck-srmIl9AW/bin/at-manage", line 11, in <module>
load_entry_point('apicheck', 'console_scripts', 'at-manage')()
File "/home/nil/Project/apicheck/apicheck/apicheck/tools/manage/cli.py", line 71, in cli
running_config = config(**cli_config)
TypeError: run() got an unexpected keyword argument 'db_connection_string'
As of now, we assumed that both query params and headers could be provided only once (per request). @nilp0inter brought some light into this, and clarified that the HTTP RFC clearly specifies the opposite.
We have to update at-proxy as well as ac-replay to handle these cases. Right now they will fail if multiple headers and/or query params are used.
Hi guys,
I am trying to follow the installation instructions and when I type this command an error message is returned:
docker run --rm bbvalabs/apicheck -h
Unable to find image 'bbvalabs/apicheck:latest' locally
docker: Error response from daemon: pull access denied for bbvalabs/apicheck, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
Any idea?
Thx
Code is text. Text can be checked to detect several frameworks' endpoints.
With a little intelligence we can guess what the endpoints are.
Issue:
When trying to pass the custom ruleset to sensitive-data detector with either -r or --rules-file options it throws an error:
[!!] 'list' object has no attribute 'update'
Reproduce error:
acurl https://mockbin.org/bin/60dfe0f7-8f4e-4063-a940-7162d1ec3cc1 | sensitive-data -r rules.yaml
- id: core-001
  description: Find 'password' keyword in flow data
  regex: '([pP][aA][sS][sS][wW][oO][rR][dD])'
  severity: Medium # Allowed values: Low, Medium, High
  searchIn: All # Allowed values: Response, Request, Headers, All
Notes:
Found that function load hardcoded 'rules.yaml' file name at: https://github.com/BBVA/apicheck/blob/master/tools/sensitive-data/sensitive_data/__main__.py#L79
Maybe that is the reason for error?
Tried to change the rule filename and id name in rule file. Result is same.
Sometimes (too frequently in my opinion) there is no OpenAPI file.
The proposed tool will create an OpenAPI file from proxy captured traffic.
It will be awesome.
The entry point for JWT checker is not valid anymore (due to the tool name changed?)
I'm willing to provide another OAS3 linting tool based on Spectral. I'm working on a set of security rules which are not provided by speccy, to ensure:
Your feedback is welcome!
After successful installation of apicheck-proxy on macOS Big Sur, I am getting this error message:
$ apicheck-proxy
usage: mitmdump [options] [filter]
mitmdump: error: ambiguous option: --cert could match --certs, --cert-passphrase
--cert is deprecated. Please use --certs instead.
With captured traffic, replay all requests.
Related to: #5
The Rules file must have a mechanism to tell apicheck when you want to pick one random element for each dictionary or when you want to visit all dictionary combinations.
For all users, add this basic example.
Study this project to see if it has something that can be added to the jwt_check tool.
I think this is a good tool to detect HTTP packages, but it needs URL-level detection to be added.
Right now, every time that you declare a dictionary a random element is picked at data generation. So, you can't know if every item is visited or not.
In order to make a dictionary combinator, the actual combinator must receive the dictionary elements as parameters. This enables choosing one random element or combining dictionary values afterwards.
Right now the code is more PoC and less stable. Tests and TDD from now on, please.
We can move the _apicheck tree to a zip, to prevent dependabot from making noise, since it is not used anymore.
Right now the transformation engine is called Rule. But it is more than a tool; it can do a lot of things.
How should we name it?
Right now you can fuzz when generating data from OpenAPI.
If we enable fuzzing within the rules, we will be able to fuzz the proxy captured traffic as well.