flipkart-incubator/Astra flipkart-incubator/Astra

  • Stars
    star
    2,485
  • Rank 18,492 (Top 0.4 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 7 years ago
  • Updated 5 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
flipkart-incubator/Astra
github

flipkart-incubator

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Automated Security Testing For REST API's

Github Release Version Github Release Version

BH 2018 USA

BH 2018 Europe

Astra

alt text

REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into CICD pipeline. Astra can take API collection as an input so this can also be used for testing apis in standalone mode.

  • SQL injection
  • Cross site scripting
  • Information Leakage
  • Broken Authentication and session management
  • CSRF (including Blind CSRF)
  • Rate limit
  • CORS misconfiguration (including CORS bypass techniques)
  • JWT attack
  • CRLF detection
  • Blind XXE injection
  • Server-side Requrest Forgery
  • Template Injection

Roadmap

https://www.astra-security.info/roadmap/

Requirement

  • Linux or MacOS
  • Python 3.7+
  • mongoDB
  • Celery
  • RabbitMQ

Installation

$ git clone https://github.com/flipkart-incubator/Astra

$ cd Astra
$ sudo pip install -r requirements.txt
$ sudo rabbitmq-server
$ celery -A worker -loglevel=INFO
$ cd API
$ python3 api.py

Docker Installation

Run Mongo Container:

$ docker pull mongo
$ docker run --name astra-mongo -d mongo

Installing GUI Docker:

$ git clone https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra .
$ docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra

Installing CLI Docker :

$ git clone -b docker-cli https://github.com/flipkart-incubator/Astra.git
$ cd Astra
$ docker build -t astra-cli .
$ docker run --rm -it --link astra-mongo:mongo astra-cli

Dependencies

- requests
- logger
- pymongo
- ConfigParser
- pyjwt
- flask
- sqlmap
- celery

Documentation

https://www.astra-security.info

Usage: CLI

$ python astra.py --help

                      _
        /\       | |
       /  \   ___| |_ _ __ __ _
      / /\ \ / __| __| '__/ _` |
     / ____ \__ \ |_| | | (_| |
    /_/    \_\___/\__|_|  \__,_|



usage: astra.py [-h] [-c {Postman,Swagger}] [-n COLLECTION_NAME] [-u URL]
                [-headers HEADERS] [-method {GET,POST}] [-b BODY]
                [-l LOGINURL] [-H LOGINHEADERS] [-d LOGINDATA]

REST API Security testing Framework

optional arguments:
  -h, --help            show this help message and exit
  -c {Postman,Swagger}, --collection_type {Postman,Swagger}
                        Type of API collection
  -n COLLECTION_NAME, --collection_name COLLECTION_NAME
                        Type of API collection
  -u URL, --url URL     URL of target API
  -headers HEADERS, --headers HEADERS
                        Custom headers.Example: {"token" : "123"}
  -method {GET,POST}, --method {GET,POST}
                        HTTP request method
  -b BODY, --body BODY  Request body of API
  -l LOGINURL, --loginurl LOGINURL
                        URL of login API
  -H LOGINHEADERS, --loginheaders LOGINHEADERS
                        Headers should be in a dictionary format. Example:
                        {"accesstoken" : "axzvbqdadf"}
  -d LOGINDATA, --logindata LOGINDATA
                        login data of API

Usage: Web interface

Run the api.py and access the web interface at http://127.0.0.1:8094

$ cd API
$ python api.py

NOTE: On macOS 10.13+ you must use the flag OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES to prevent scanning processes from being killed due to the way fork() and exec() has been changed. See here for more information.

$ cd API
$ OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES python api.py

Screenshots

New scan

alt text

Scan Reports

alt text

alt text

Detailed Report

alt text

Lead Developer

  • Sagar Popat (@popat_sagar)

Credits

  • Ankur Bhargava
  • Harsh Grover
  • Flipkart security team
  • Pardeep Battu
  • Rajasekar

More Repositories

1

proteus

Proteus : A JSON based LayoutInflater for Android
Java
1,302
star
2

zjsonpatch

This is an implementation of RFC 6902 JSON Patch written in Java
Java
522
star
3

watchdog

Watchdog - A Comprehensive Security Scanning and a Vulnerability Management Tool.
Python
410
star
4

RTA

Red team Arsenal - An intelligent scanner to detect security vulnerabilities in company's layer 7 assets.
Python
409
star
5

springy-heads

Chat heads library for android
Java
370
star
6

android-inline-youtube-view

Utility library around using YouTube inside your android app.
Java
323
star
7

fk-visual-search

Flipkart's visual search and recommendation system
Python
172
star
8

Lois

Golang like channels for java
Java
108
star
9

flux

Highly scalable Event-driven, Reactive system for building Stateful apps and Workflow services.
Java
107
star
10

optimus

Train, evaluate and deploy Deep Learning based text classifiers. Currently supports CNN
Python
105
star
11

okhttp-stats

OkHttp Analytical library to get stats like average network speed. Also get global callbacks for network errors and successes. Can be used for logging errors to Fabric or Firebase analytical tools
Java
95
star
12

phrontend

A Framework to build rich UIs
JavaScript
88
star
13

ContentSheet

A simple control that enables presenting any view controller or navigation controller or any other object that can provide a view like an ActionSheet
Swift
82
star
14

hbase-orm

A production-grade HBase ORM library that makes accessing HBase clean, fast and fun (Can also be used as Bigtable ORM)
Java
78
star
15

madman-android

Madman (Media ads manager) is a high performance alternative to Google's standard IMA android SDK. If you have your own VAST server and want to render video ads and have full control over the UI, then this library is for you.
Kotlin
69
star
16

dkv

Distributed KV data store with tunable consistency, synchronous replication
Go
64
star
17

fk-ios-chatheads

Objective-C
58
star
18

animation-wrapper-view

Declarative animations with imperative controls for RN/RNW.
TypeScript
55
star
19

batchman

This library for Android will take any set of events and batch them up before sending it to the server. It also supports persisting the events on disk so that no event gets lost because of an app crash. Typically used for developing any in-house analytics sdk where you have to make a single api call to push events to the server but you want to optimize the calls so that the api call happens only once per x events, or say once per x minutes. It also supports exponential backoff in case of network failures
Java
55
star
20

priority-kafka-client

Library to support priority queuing in Kafka
Java
54
star
21

phantom

Phantom is a high performance proxy for accessing distributed services. It is an RPC system with support for different transports and protocols. Phantom is inspired by Twitter Finagle clients and builds on the capabilities of technologies like Netty, Unix Domain Sockets, Netflix Hystrix and Spring. Phantom proxies have been used to serve several hundred million API calls in production deployments at Flipkart.
Java
50
star
22

spark-transformers

Spark-Transformers: Library for exporting Apache Spark MLLIB models to use them in any Java application with no other dependencies.
Java
40
star
23

kafka-filtering

Very fast & efficient grep for Kafka stream
Java
38
star
24

databuilderframework

A data driven execution engine
Java
34
star
25

circular-image

Creates circular image drawable.
Java
30
star
26

android-studio-proteus-plugin

Plugin for Android studio which helps you to convert XML resources to JSON which can be used by proteus.
Java
29
star
27

storm-mysql

Storm Spout that reads off MySql Bin Logs
Java
29
star
28

ranger

Feature rich service discovery on ZooKeeper
Java
28
star
29

android-video-player

Kotlin
26
star
30

varadhi

Java
25
star
31

Poseidon

Platform to build API applications that have to aggregate data from distributed services in an efficient way.
Java
22
star
32

ios-inline-youtube-view

Utility library around using YouTube inside your iOS app.
Objective-C
20
star
33

grpc-jexpress

Developer friendly container for writing gRPC services using grpc-java
Java
18
star
34

hbase-k8s-operator

Hbase operator for kubernetes
Go
15
star
35

diligent

Run performance experiments on MySQL compatible databases
Go
15
star
36

StockPile

Provides in-memory and database based caching
Objective-C
14
star
37

Hunch

Hunch allows users to turn arbitrary machine learning models built using Python into a scalable, hosted service.
Python
14
star
38

scroll-coordinator-ios

ScrollCoordinator allows you to attach gestures to scrollviews and perform behaviours like Hiding the navigation bar, hiding the bottom bar and anchoring your scroll on these gestures.
Swift
13
star
39

gojira

Gojira is a record and replay framework for Java apps meant for regression testing. It provides complete recording capability within a single request-response scope, by recording request, response and any external interactions(outside of the jvm), thereby circumventing the need to provide a mock service.
Java
13
star
40

kubric

Android's co-ordinator layout ported to work on react native (Android, iOS and on the web)
TypeScript
11
star
41

babel-plugin-pseudolocalize-react-native

Babel plugin to transform React Native Text nodes with a custom language map for Pseudo-localization
JavaScript
11
star
42

pulsar-weighted-consumer

Pulsar consumer clients offering priority consumption
Java
10
star
43

phrontend-webpack

A webpack config maker for phrontend apps
JavaScript
10
star
44

kafka-balancer

Balance partitions among brokers with minimal data movement. Supports re-replication of under replicated partitions and setting replication as well.
Java
9
star
45

hbase-compactor

Trigger major compaction in Hbase
Java
9
star
46

BlueShift

Hadoop Data Mover Project
Java
8
star
47

Krystal

Java
8
star
48

android-RDX

Redux for Android.
Java
8
star
49

lenna

Go
8
star
50

Lyrics

Java
7
star
51

Iris-BufferQueue

A fast, in-process, persisted queue for buffering data on local host.
Java
7
star
52

hbase-sep

HBase side-effect-processor to stream changes from WAL to kafka sink.
Java
6
star
53

chronosq

⏱ A Scalable Distributed Scheduler
Java
6
star
54

Cuppa

Caffe as a service and KNN as a service
Python
5
star
55

hydra

A JVM based DispatcherComposer Engine
Java
5
star
56

mongodb-replicator

Mongodb Replicator java library for both sharded & non-sharded mongo setup.
Java
4
star
57

CTDrive

A tool which uses Google drive APIs internally and allows users to easily navigate through their files. This tool allows to maintain all organisation documents at one place similar to Confluence
TypeScript
4
star
58

polyglot

Tiered data store for use by on-line applications
Java
4
star
59

nexus

Sync replication using RAFT consensus onto pluggable backends
Go
4
star
60

dropwizard-one

Dropwizard One is a wrapper around Dropwizard that enables writing web services with minimal boilerplate code and good testability.
Java
4
star
61

Service-Worker-Tools

HTML
4
star
62

dropwizard-multitenancy

Java
4
star
63

bifrost

A remote execution framework over RabbitMQ.
Java
3
star
64

vbroker

high throughput PUSH based messaging
Java
3
star
65

wolverine

Master elected daemon, which heals itself
Java
3
star
66

prognos

Scala
3
star
67

truss

Javascript Framework
JavaScript
3
star
68

Lego

Library to build any entity (web/api response) in a scatter-gather fashion
Java
3
star
69

protobuf-util

Utility library for protobuf
Java
3
star
70

simpleJobScheduler

Java
3
star
71

ultra-docs

Documentation for Project Ultra : Flipkart's App-in-App experience
3
star
72

dsp

Java
2
star
73

tef

Java
2
star
74

molecule

ML platform with seamless experiment tracking and sharing. Supports multiple languages and platforms, meta-learning constructs and MLOps.
CSS
2
star
75

rediscast

Rediscast is an In-memory data grid, that synchronizes Entity changes in Redis server with all cluster nodes (JVM instances) within a short SLA. It uses Redis Streams for change data propagation.
Java
2
star
76

polyguice

A set of useful extensions to Google Guice and better integration with popular frameworks for creation of highly concurrent micro-services.
Java
2
star
77

portkey

Portkey is a Java model abstraction of persistence that works across multiple data stores and supports sharding. Entities can be persisted to more than one data store based on a set of rules.
Java
2
star
78

Swagger-publish

Java
2
star
79

ottoscalr

Ottoscalr provides a drop-in component for autonomous management of HPAs
Go
2
star
80

Regnator

Rule based decision engine. RESTful service where one could define the facts/variables and configures rules for the evaluation on the facts/variables and eventually choose one of the configured decision/result.
1
star
81

CoreDataLite

Lightweight core data library for iOS
Objective-C
1
star
82

statreduce

A library which to write Hadoop MapReduce jobs with map step in Java and reduce step in R for statistical computations
Java
1
star
83

homebrew-taps

Ruby
1
star
84

light-house

JavaScript
1
star
85

jupyterlab-extensions

Jupyterlab extensions
TypeScript
1
star
86

continuum

Lambda Architecture is not enough! Continuum is more fundamental
1
star
87

storm-sidelining

Java
1
star
88

turbo-relayer

Java
1
star
89

foxtrot-client

A service discovery client for foxtrot.
Java
1
star