-
-
Notifications
You must be signed in to change notification settings - Fork 5.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scan api using swagger description #3140
Comments
Can you please give a quick info/introduction what would this provide compared to the current situation and/or compared to other xyz frameworks? |
ping? |
I want this too. Willing to write this if the project wants it. Swagger is an API documentation and testing tool that a lot of folks are using the industry right now. From a SQL injection perspective, it would be nice be able to read in the Swagger document (in .toml), and generate the URIs and their respective parameters to test. |
@alexk307 I am opened for this. If you can at least provide a decent template and a "howto" use it I could further adapt it |
@alexk307 ping? |
Any example? Like, something to work with? |
@stamparm sorry for the delay, I was working on this before but got sidetracked. I'm going to try to write something up |
In the meantime, you can look at a sample Swagger schema that they provide here |
This whole issue can go into two tracks, as I am not sure whether @burtsevyg wanted Anyway, for starter I decided to work on "swagging" the Will commit the initial version of |
I think both asked for the ability to read their Swagger definition in order to scan their APIs, not a Swagger file for the sqlmap API. It would be great if that was possible, I'm trying to use sqlmap that way and I suppose there are many companies that have their API definition in Swagger and are looking to test their API with sqlmap. |
@benj56 Exactly, to rephrase, I think, we need something like below:
This switch should then parse given swagger spec and try to inject each and every API endpoints. |
A) how to provide parameter values in such case(s)? I bet that there would be new issues where users would complain about non-automatic sqlmap behavior in filling values |
Apologies for the delay.
Parameters information & authorization information are already available in Swagger. For example, you may check http://editor.swagger.io/ where these details are parsed and displayed in an UI
Swagger has different versions. To handle them, it may be enough to wrap them around their libraries
Thank you. It may be simple, if you use existing parser and refer around the implementation of http://editor.swagger.io/ it may be easier. |
A) |
All in all, as this whole swagger is such a mess and I am pretty sure that people from Swagger are aware of it (who makes 3 totally different "standard" propositions in couple of years??? - answer: nobody serious), if I am going to create any kind of support, it is going to be a "Rube Goldberg" machine |
Of course. I was referring to the project only to highlight how they've parsed Swagger spec.
At least, AFAIK, most REST based projects use Swagger/OpenAPI as a de facto standard for their projects. So, when trying to use In case, if you feel it is too much to handle it inside |
I would also love to have this feature ... I think using swagger is a great way to enumerate what URLs should be tested but it also provides clues as to what input might be exploitable. Path parameters are one example - in the sqlmap examples, it shows We generate Swagger definitions for our REST APIs so it would be great to reuse them during security testing. |
@smoyer64 Exactly. Like I mentioned in #3140 (comment) something like this might be helpful:
Though I am not quite sure and not tried, quick Google search currently suggest that similar projects are available these days: |
@rrjanbiah could you please elaborate what's useful on first two links? Second one is just a dummy fork of sqlmap, while first one is plain dummy |
@rrjanbiah third link FTW, in case of Swagger does this:
Hence, please restrain yourself from giving any more "advices" |
Do you have an idea for a solution?
Scan api using swagger description.
How can we reproduce the issue?
The text was updated successfully, but these errors were encountered: