Merge pull request #33 from OWASP/bug-fixes

fix url generation for unrestricted http method tests
OWASP · Dec 31, 2023 · 649299a · 649299a
2 parents 08d218f + 6115c71
commit 649299a
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 14 deletions.
diff --git a/src/offat/openapi.py b/src/offat/openapi.py
@@ -23,7 +23,7 @@ def __init__(self, fpath_or_url: str, spec: dict = None) -> None:
         self.http_scheme = 'https' if 'https' in self._spec.get(
             'schemes', []) else 'http'
         self.api_base_path = self._spec.get('basePath', '')
-        self.base_url = f"{self.http_scheme}://{self.host}{self.api_base_path}"
+        self.base_url = f"{self.http_scheme}://{self.host}"
         self.request_response_params = self._get_request_response_params()
 
     def _populate_hosts(self):

diff --git a/src/offat/tester/test_generator.py b/src/offat/tester/test_generator.py
@@ -91,15 +91,15 @@ def check_unsupported_http_methods(
             body_params = endpoint_dict.get('body_params', [])
             path_params = endpoint_dict.get('path_params', [])
             query_params = endpoint_dict.get('query_params', [])
+            url = f'{openapi_parser.base_url}{endpoint}'
 
             http_methods: set = {'get', 'post', 'put', 'delete', 'options'}
             restricted_methods = http_methods - set(methods_allowed)
 
             for restricted_method in restricted_methods:
-
                 tasks.append({
                     'test_name': 'UnSupported HTTP Method Check',
-                    'url': f'{openapi_parser.base_url}{endpoint}',
+                    'url': url,
                     'endpoint': endpoint,
                     'method': restricted_method.upper(),
                     'malicious_payload': [],
@@ -179,8 +179,6 @@ def __fuzz_request_params(self, openapi_parser: OpenAPIParser) -> list[dict]:
             path_params = path_obj.get('path_params', [])
             path_params += path_params_in_body
             path_params = fill_params(path_params)
-            # print(path_params)
-            # print('-'*30)
 
             for path_param in path_params:
                 path_param_name = path_param.get('name')
@@ -189,7 +187,7 @@ def __fuzz_request_params(self, openapi_parser: OpenAPIParser) -> list[dict]:
                     '{' + str(path_param_name) + '}', str(path_param_value))
 
             tasks.append({
-                'url': f'{base_url}{endpoint_path}',
+                'url': f'{base_url}{openapi_parser.api_base_path}{endpoint_path}',
                 'endpoint': f'{openapi_parser.api_base_path}{endpoint_path}',
                 'method': path_obj.get('http_method', '').upper(),
                 'body_params': request_body_params,
@@ -416,8 +414,6 @@ def bola_fuzz_trailing_slash_path_test(
             path_params = path_obj.get('path_params', [])
             path_params += path_params_in_body
             path_params = fill_params(path_params)
-            # print(path_params)
-            # print('-'*30)
 
             for path_param in path_params:
                 path_param_name = path_param.get('name')
@@ -505,7 +501,6 @@ def bopla_fuzz_test(
         '''
         base_url: str = openapi_parser.base_url
         request_response_params: list[dict] = openapi_parser.request_response_params
-        # pprint(request_response_params)
 
         tasks = []
         for path_obj in request_response_params:
@@ -528,8 +523,6 @@ def bopla_fuzz_test(
             path_params = path_obj.get('path_params', [])
             path_params += path_params_in_body
             path_params = fill_params(path_params)
-            # print(path_params)
-            # print('-'*30)
 
             for path_param in path_params:
                 path_param_name = path_param.get('name')
@@ -592,7 +585,6 @@ def test_with_user_data(
         tests = test_generator_method(*args, **kwargs)
         new_tests = []
 
-        # pprint(user_data)
         actor1_data = user_data.get('actors', [])[0].get('actor1', {})
         actor2_data = user_data.get('actors', [])[1].get('actor2', {})
 

diff --git a/src/offat/tester/test_runner.py b/src/offat/tester/test_runner.py
@@ -132,6 +132,7 @@ async def run_tests(self, test_tasks: list, description: Optional[str]):
             results = await gather(*tasks)
             return results
         except Exception as e:
-            print(f'[*] Exception occurred while gathering results: {e}')
+            console.print(
+                f'[*] Exception occurred while gathering results: {e}')
             print_exc()
             return []
diff --git a/src/offat/tester/tester_utils.py b/src/offat/tester/tester_utils.py
@@ -66,6 +66,7 @@ def generate_and_run_tests(api_parser: OpenAPIParser, regex_pattern: Optional[st
     logger.info(test_name)
     unsupported_http_endpoint_tests = test_generator.check_unsupported_http_methods(
         api_parser)
+
     results += run_test(
         test_runner=test_runner,
         tests=unsupported_http_endpoint_tests,

diff --git a/src/pyproject.toml b/src/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "offat"
-version = "0.12.2"
+version = "0.12.3"
 description = "Offensive API tester tool automates checks for common API vulnerabilities"
 authors = ["Dhrumil Mistry <[email protected]>"]
 license = "MIT"