Skip to content
This repository has been archived by the owner on May 10, 2022. It is now read-only.
/ apisec-toolbox Public archive

A Swiss knife for API security testing including a docker image, some labs and resources.

8 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

arainho/apisec-toolbox

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

608 Commits

.github/workflows

.github/workflows

 
 

drafts

drafts

 
 

labs

labs

 
 

utils

utils

 
 

wordlists

wordlists

 
 

.dockerignore

.dockerignore

 
 

Dockerfile

Dockerfile

 
 

Dockerfile.testing

Dockerfile.testing

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

TODO.md

TODO.md

 
 

Repository files navigation

APIsec Toolbox

The APIsec toolbox is a Swiss knife for API Security testing.

This repository includes a wordlist bundle, dedicated docker image, labs, and resources. It's dedicated to experimenting around automatic and manual flows related to security testing for APIs.

WARNING: This is a development repository, use it at your own risk !!!

1 - workdlists bundle

Collect several wordlists and build a bundle.

2 - build docker image for apisec-toolbox

The apisec-toolbox is a swiss knife for API security testing.

The main image is based on the Dockerfile and has the following features:

  • multi-stage build to save disk space
  • linux os utilities installed as root
  • tools and utilities installed as appuser (normal user with sudo)

Note: there is an old image called api-security-toolbox that will be removed in the future.

3. run the apisec-toolbox

docker run -it --rm arainho/apisec-toolbox /bin/bash

Set a password for user

passwd appuser

warning: for simplicity, the sudo works without password for any command.
You are advised to remove the NOPASSWD word from the line appuser ALL=(ALL) ALL in /etc/sudoers.d/appuser file and the linux will start asking your password to run commands as sudo.

If you need apicheck tools inside the apisec-toolbox you need to share 'docker unix socket' from the host

docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock arainho/apisec-toolbox /bin/bash

warning: Using docker.sock could expose your host within the apisec-toolbox container as stated in this article.

Then you can install apicheck tools

acp install jwt-checker
acp install acurl
acp install oas-checker
acp install send-to-proxy
acp install apicheck-curl
acp install sensitive-data
acp install replay
acp install openapiv3-lint
acp install openapiv2-lint
acp install oas-checker

4 - run vulnerable API's locally

The labs folders has scripts to build and run vulnerable APIs locally.
The purpose is to have local labs to exploit and learn API security.

5. collaboration

For adding new tools or fix broken entries from ToDo list use the following procedure:

  1. Clone the repository

    git clone https://github.com/arainho/apisec-toolbox
git checkout -b tool-xyz

  2. Open the Dockerfile.testing with a text editor and change the following lines:

    • ENV TOOL_NAME="tool-name"
    • RUN <add installation commands here>

  3. Build the image

    docker build -t apisec-toolbox:local -f Dockerfile.testing

  4. If everything looks good, create a pull request

    git add Dockerfile.testing
git commit -m "new entry for tool-xyz"
git push origin tool-xyz

    you can check more information on creating a pull request here

  5. A maintainer will review the pull request

    • manual review
    • add extra lines on Dockerfile.multistage
    • github actions workflow will run
    • If all looks good your PR will pass 😃

About

A Swiss knife for API security testing including a docker image, some labs and resources.

Topics

docker-image api-security api-pentest api-sec apisec api-hacking

Resources

Readme
Activity

Stars

8 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages