Merge pull request #128 from OWASP/dev

Dev RELEASE: v0.19.2
OWASP · Jul 29, 2024 · 1b43851 · 1b43851
2 parents e48dbea + 7dc6027
commit 1b43851
Show file tree

Hide file tree

Showing 9 changed files with 141 additions and 107 deletions.
diff --git a/.gitignore b/.gitignore
@@ -205,6 +205,7 @@ oas.yml
 
 ## unknown data
 .DS_Store
+.idea
 
 ## local testing scripts
 test.py

diff --git a/src/offat/__main__.py b/src/offat/__main__.py
@@ -167,6 +167,7 @@ def start():
         test_data_config=test_data_config,
         proxies=args.proxies_list,
         capture_failed=args.capture_failed,
+        ssl_verify=args.ssl_verify,
     )
 
 

diff --git a/src/offat/api/jobs.py b/src/offat/api/jobs.py
@@ -22,6 +22,7 @@ def scan_api(body_data: CreateScanSchema, ssl_verify: bool = True):
             proxies=body_data.proxies,
             capture_failed=body_data.capture_failed,
             remove_unused_data=body_data.remove_unused_data,
+            ssl_verify=ssl_verify,
         )
         return results
     except Exception as e:

diff --git a/src/offat/tester/handler.py b/src/offat/tester/handler.py
@@ -27,6 +27,7 @@ def generate_and_run_tests(
     test_data_config: dict | None = None,
     capture_failed: bool = False,
     remove_unused_data: bool = True,
+    ssl_verify: bool = True,
 ):
     """
     Generates and runs tests for the provided OAS/Swagger file.
@@ -56,7 +57,7 @@ def generate_and_run_tests(
     Returns:
         A list of test results.
     """
-    if not is_host_up(openapi_parser=api_parser):
+    if not is_host_up(openapi_parser=api_parser, ssl_verify=ssl_verify):
         logger.error(
             'Stopping tests due to unavailability of host: %s', api_parser.host
         )

diff --git a/src/offat/tester/tester_utils.py b/src/offat/tester/tester_utils.py
@@ -32,14 +32,20 @@ def is_host_up(openapi_parser: SwaggerParser | OpenAPIv3Parser, ssl_verify: bool
             logger.warning('Invalid host: %s', openapi_parser.host)
             return False
 
+    if openapi_parser.http_scheme == 'https':
+        use_ssl = True
+
     host = host.split('/')[0]
 
     match port:
         case 443:
             use_ssl = True
             proto = http_client.HTTPSConnection
         case _:
-            proto = http_client.HTTPConnection
+            if use_ssl:
+                proto = http_client.HTTPSConnection
+            else:
+                proto = http_client.HTTPConnection
 
     logger.info('Checking whether host %s:%s is available', host, port)
     try:

diff --git a/src/offat/tests/self_signed/__init__.py b/src/offat/tests/self_signed/__init__.py
diff --git a/src/offat/tests/self_signed/self_signed_server_tester.py b/src/offat/tests/self_signed/self_signed_server_tester.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python3
+
+# Generate a cert:
+# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
+
+import http.server
+import ssl
+
+
+class SimpleHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
+    pass
+
+
+httpd = http.server.HTTPServer(("localhost", 4443), SimpleHTTPRequestHandler)
+httpd.socket = ssl.wrap_socket(
+    httpd.socket, keyfile="key.pem", certfile="cert.pem", server_side=True
+)
+
+print("Serving on https://localhost:4443")
+httpd.serve_forever()
diff --git a/src/poetry.lock b/src/poetry.lock
diff --git a/src/pyproject.toml b/src/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "offat"
-version = "0.19.1"
+version = "0.19.2"
 description = "Offensive API tester tool automates checks for common API vulnerabilities"
 authors = ["Dhrumil Mistry <[email protected]>"]
 license = "MIT"
-Original file line number
+Diff line change
@@ Expand Up / @@ -205,6 +205,7 @@ oas.yml @@
     ## unknown data
     .DS_Store
+    .idea
     ## local testing scripts
     test.py
@@ Expand Down @@