• This repository has been archived on 29/Apr/2024
  • Stars
    star
    324
  • Rank 126,543 (Top 3 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 7 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A REST API security testing framework.

Susanoo:

Susanoo is a REST API security testing framework. 

Features

  • Configurable inputs/outputs formats
  • API Vulnerability Scan: Normal scanning engine that scans for IDOR, Authentication issues, SQL injections, Error stacks.
  • Smoke Scan: Custom output checks for known pocs can be configured to run daily.

Types of Scans:

* API Vulnerability Scan
	**  Scans for following bugs:
		***   Indirect Object References
		***   Authentication issues
		***   SQL injections
		***   Error stacks

* Smoke Scan
	**  A known Proof-of-concept can be configured to run daily/weekly etc.

Configuration:

Susanoo takes yaml files in configuration. Please check the examples folder for sample configuration files.

Parameter Types:

	resource --> static
		Eg: In the following example the value "password" is used for grant_type:

			password: {"type":"resource", "required":True, "value":"p@ssw0rd"}

	hex-n:
		Generate hex of length n.
			Eg: a hex value of length 16 is generated for uniqueId in below example:

				id: {'type':'hex-16', 'required': True} 

	int-n:
		Generates int of size n
			Eg: a int value of size 4 is generated for uniqueId in below example:
			
				bonus: {'type':'int-4', 'required':'True'}

	email:
		Generates random email id
			Eg: a random email id is generated and assigned for email_id

				email_id: {"type":"email", "required":True}

	username:
		Generates random username
			Eg: a random username is generated and assigned for username

				username: {"type":"username", "required":True}

	string:
		Generates random strings
			Eg: generates random strings of variable length.

				string: {"type":"string", "required":True}

Donation:

If you like the project, you can buy me beers :)

Donate Bitcoin

Installation:

^^/D/projects >>> git clone https://github.com/ant4g0nist/susanoo
^^/D/projects >>> cd susanoo
^^/D/p/susanoo >>> sudo pip install -r requirements.txt

Usage:

^^/D/p/susanoo >>> cd db
^^/D/p/s/db >>> sudo mongod --dbpath . --bind_ip=127.0.0.1	

^^/D/p/susanoo >>> python susanoo.py

TODO:

  • Use celery/scheduler to schedule the scans
  • Chain apis together? pickup value from one api and use in another
  • Add more vulnerability checks
  • Make it more reliable
  • Parallelize scans using Celery
  • Add better reporting

Thanks:

More Repositories

1

lisa.py

- An Exploit Dev Swiss Army Knife.
Python
671
star
2

Vulnerable-Kext

A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation
C
230
star
3

vegvisir

A browser based GUI for **LLDB** Debugger.
JavaScript
201
star
4

ManuFuzzer

Binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM
Objective-C++
144
star
5

rudroid

Rudroid - Writing the World's worst Android Emulator in Rust πŸ¦€
Rust
142
star
6

polar

A LLDB plugin which brings LLMs to LLDB
Python
125
star
7

Sloth

Sloth πŸ¦₯ is a coverage guided fuzzing framework for fuzzing Android Native libraries that makes use of libFuzzer and QEMU user-mode emulation
C++
117
star
8

decompiler

RetDec plugin for LLDB. RetDec is a retargetable machine-code decompiler based on LLVM.
C++
63
star
9

crashmon

crashmon - A LLDB Based replacement for CrashWrangler
C++
46
star
10

webgl-fuzzer

WebGL fuzzer
JavaScript
37
star
11

chinstrap

A development environment, testing framework, and origination pipeline focused solely on Tezos
Python
34
star
12

crashwrangler

Apple's crashwrangler with support for Apple Silicon
C
29
star
13

fuzzing-pdfs-like-its-1990s

Python
25
star
14

ManuCombi

Mutates and generates files with all possible combinations of fuzzed bytes in the file.
Python
10
star
15

gLLDB

Very Basic gui for LLDB, serves as example for usage of pyobjc
Python
6
star
16

fuzzing.science

ant4g0nist's blog
JavaScript
5
star
17

tzktpy

Autogenerated Python SDK for TzKT API
Python
5
star
18

chinfuzz

Tezos smart contract fuzzer
Python
4
star
19

chronometry

Chronometry, a transparent and cryptographically verifiable proof-of-hack signature store
Go
3
star
20

hackfi-labs

Solidity
3
star
21

SecureSons

Modules for developing Secure Smart contract for Tezos in SmartPy
Python
2
star
22

vertigo-foundry-sample

Test project to test Foundry support for Vertigo
Solidity
1
star
23

ChinToken

A sample FA1.2 Token setup with Chinstrap to learn how to create, test and deploy Tezos smart contracts
Python
1
star