FreshRSS

πŸ”’
❌ Secure Planet Training Courses Updated For 2019 - Click Here
☷
β–³ πŸ”ƒ
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

APIDetector - Efficiently Scan For Exposed Swagger Endpoints Across Web Domains And Subdomains

By: Zion3R


APIDetector is a powerful and efficient tool designed for testing exposed Swagger endpoints in various subdomains with unique smart capabilities to detect false-positives. It's particularly useful for security professionals and developers who are engaged in API testing and vulnerability scanning.


Features

  • Flexible Input: Accepts a single domain or a list of subdomains from a file.
  • Multiple Protocols: Option to test endpoints over both HTTP and HTTPS.
  • Concurrency: Utilizes multi-threading for faster scanning.
  • Customizable Output: Save results to a file or print to stdout.
  • Verbose and Quiet Modes: Default verbose mode for detailed logs, with an option for quiet mode.
  • Custom User-Agent: Ability to specify a custom User-Agent for requests.
  • Smart Detection of False-Positives: Ability to detect most false-positives.

Getting Started

Prerequisites

Before running APIDetector, ensure you have Python 3.x and pip installed on your system. You can download Python here.

Installation

Clone the APIDetector repository to your local machine using:

git clone https://github.com/brinhosa/apidetector.git
cd apidetector
pip install requests

Usage

Run APIDetector using the command line. Here are some usage examples:

  • Common usage, scan with 30 threads a list of subdomains using a Chrome user-agent and save the results in a file:

    python apidetector.py -i list_of_company_subdomains.txt -o results_file.txt -t 30 -ua "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"

  • To scan a single domain:

    python apidetector.py -d example.com

  • To scan multiple domains from a file:

    python apidetector.py -i input_file.txt

  • To specify an output file:

    python apidetector.py -i input_file.txt -o output_file.txt

  • To use a specific number of threads:

    python apidetector.py -i input_file.txt -t 20

  • To scan with both HTTP and HTTPS protocols:

    python apidetector.py -m -d example.com

  • To run the script in quiet mode (suppress verbose output):

    python apidetector.py -q -d example.com

  • To run the script with a custom user-agent:

    python apidetector.py -d example.com -ua "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"

Options

  • -d, --domain: Single domain to test.
  • -i, --input: Input file containing subdomains to test.
  • -o, --output: Output file to write valid URLs to.
  • -t, --threads: Number of threads to use for scanning (default is 10).
  • -m, --mixed-mode: Test both HTTP and HTTPS protocols.
  • -q, --quiet: Disable verbose output (default mode is verbose).
  • -ua, --user-agent: Custom User-Agent string for requests.

RISK DETAILS OF EACH ENDPOINT APIDETECTOR FINDS

Exposing Swagger or OpenAPI documentation endpoints can present various risks, primarily related to information disclosure. Here's an ordered list based on potential risk levels, with similar endpoints grouped together APIDetector scans:

1. High-Risk Endpoints (Direct API Documentation):

  • Endpoints:
    • '/swagger-ui.html', '/swagger-ui/', '/swagger-ui/index.html', '/api/swagger-ui.html', '/documentation/swagger-ui.html', '/swagger/index.html', '/api/docs', '/docs', '/api/swagger-ui', '/documentation/swagger-ui'
  • Risk:
    • These endpoints typically serve the Swagger UI interface, which provides a complete overview of all API endpoints, including request formats, query parameters, and sometimes even example requests and responses.
    • Risk Level: High. Exposing these gives potential attackers detailed insights into your API structure and potential attack vectors.

2. Medium-High Risk Endpoints (API Schema/Specification):

  • Endpoints:
    • '/openapi.json', '/swagger.json', '/api/swagger.json', '/swagger.yaml', '/swagger.yml', '/api/swagger.yaml', '/api/swagger.yml', '/api.json', '/api.yaml', '/api.yml', '/documentation/swagger.json', '/documentation/swagger.yaml', '/documentation/swagger.yml'
  • Risk:
    • These endpoints provide raw Swagger/OpenAPI specification files. They contain detailed information about the API endpoints, including paths, parameters, and sometimes authentication methods.
    • Risk Level: Medium-High. While they require more interpretation than the UI interfaces, they still reveal extensive information about the API.

3. Medium Risk Endpoints (API Documentation Versions):

  • Endpoints:
    • '/v2/api-docs', '/v3/api-docs', '/api/v2/swagger.json', '/api/v3/swagger.json', '/api/v1/documentation', '/api/v2/documentation', '/api/v3/documentation', '/api/v1/api-docs', '/api/v2/api-docs', '/api/v3/api-docs', '/swagger/v2/api-docs', '/swagger/v3/api-docs', '/swagger-ui.html/v2/api-docs', '/swagger-ui.html/v3/api-docs', '/api/swagger/v2/api-docs', '/api/swagger/v3/api-docs'
  • Risk:
    • These endpoints often refer to version-specific documentation or API descriptions. They reveal information about the API's structure and capabilities, which could aid an attacker in understanding the API's functionality and potential weaknesses.
    • Risk Level: Medium. These might not be as detailed as the complete documentation or schema files, but they still provide useful information for attackers.

4. Lower Risk Endpoints (Configuration and Resources):

  • Endpoints:
    • '/swagger-resources', '/swagger-resources/configuration/ui', '/swagger-resources/configuration/security', '/api/swagger-resources', '/api.html'
  • Risk:
    • These endpoints often provide auxiliary information, configuration details, or resources related to the API documentation setup.
    • Risk Level: Lower. They may not directly reveal API endpoint details but can give insights into the configuration and setup of the API documentation.

Summary:

  • Highest Risk: Directly exposing interactive API documentation interfaces.
  • Medium-High Risk: Exposing raw API schema/specification files.
  • Medium Risk: Version-specific API documentation.
  • Lower Risk: Configuration and resource files for API documentation.

Recommendations:

  • Access Control: Ensure that these endpoints are not publicly accessible or are at least protected by authentication mechanisms.
  • Environment-Specific Exposure: Consider exposing detailed API documentation only in development or staging environments, not in production.
  • Monitoring and Logging: Monitor access to these endpoints and set up alerts for unusual access patterns.

Contributing

Contributions to APIDetector are welcome! Feel free to fork the repository, make changes, and submit pull requests.

Legal Disclaimer

The use of APIDetector should be limited to testing and educational purposes only. The developers of APIDetector assume no liability and are not responsible for any misuse or damage caused by this tool. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no responsibility for unauthorized or illegal use of this tool. Before using APIDetector, ensure you have permission to test the network or systems you intend to scan.

License

This project is licensed under the MIT License.

Acknowledgments



Caracal - Static Analyzer For Starknet Smart Contracts

By: Zion3R


Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.

Features

  • Detectors to detect vulnerable Cairo code
  • Printers to report information
  • Taint analysis
  • Data flow analysis framework
  • Easy to run in Scarb projects

Installation

Precompiled binaries

Precompiled binaries are available on our releases page. If you are using Cairo compiler 1.x.x uses the binary v0.1.x otherwise if you are using the Cairo compiler 2.x.x uses v0.2.x.

Building from source

You need the Rust compiler and Cargo. Building from git:

cargo install --git https://github.com/crytic/caracal --profile release --force

Building from a local copy:

git clone https://github.com/crytic/caracal
cd caracal
cargo install --path . --profile release --force

Usage

List detectors:

caracal detectors

List printers:

caracal printers

Standalone

To use with a standalone cairo file you need to pass the path to the corelib library either with the --corelib cli option or by setting the CORELIB_PATH environment variable. Run detectors:

caracal detect path/file/to/analyze --corelib path/to/corelib/src

Run printers:

caracal print path/file/to/analyze --printer printer_to_use --corelib path/to/corelib/src

Scarb

If you have a project that uses Scarb you need to add the following in Scarb.toml:

[[target.starknet-contract]]
sierra = true

[cairo]
sierra-replace-ids = true

Then pass the path to the directory where Scarb.toml resides. Run detectors:

caracal detect path/to/dir

Run printers:

caracal print path/to/dir --printer printer_to_use

Detectors

Num Detector What it Detects Impact Confidence Cairo
1 controlled-library-call Library calls with a user controlled class hash High Medium 1 & 2
2 unchecked-l1-handler-from Detect L1 handlers without from address check High Medium 1 & 2
3 felt252-overflow Detect user controlled operations with felt252 type, which is not overflow safe High Medium 1 & 2
4 reentrancy Detect when a storage variable is read before an external call and written after Medium Medium 1 & 2
5 read-only-reentrancy Detect when a view function read a storage variable written after an external call Medium Medium 1 & 2
6 unused-events Events defined but not emitted Medium Medium 1 & 2
7 unused-return Unused return values Medium Medium 1 & 2
8 unenforced-view Function has view decorator but modifies state Medium Medium 1
9 unused-arguments Unused arguments Low Medium 1 & 2
10 reentrancy-benign Detect when a storage variable is written after an external call but not read before Low Medium 1 & 2
11 reentrancy-events Detect when an event is emitted after an external call leading to out-of-order events Low Medium 1 & 2
12 dead-code Private functions never used Low Medium 1 & 2

The Cairo column represent the compiler version(s) for which the detector is valid.

Printers

  • cfg: Export the CFG of each function to a .dot file
  • callgraph: Export function call graph to a .dot file

How to contribute

Check the wiki on the following topics:

Limitations

  • Inlined functions are not handled correctly.
  • Since it's working over the SIERRA representation it's not possible to report where an error is in the source code but we can only report SIERRA instructions/what's available in a SIERRA program.


Cbrutekrag - Penetration Tests On SSH Servers Using Brute Force Or Dictionary Attacks. Written In C

By: Zion3R


Penetration tests on SSH servers using dictionary attacks. Written in C.

brute krag means "brute force" in afrikΓ‘ans

Disclaimer

This tool is for ethical testing purpose only.
cbrutekrag and its owners can't be held responsible for misuse by users.
Users have to act as permitted by local law rules.

Β 

Requirements

cbrutekrag uses libssh - The SSH Library (http://www.libssh.org/)

Build

Requirements:

  • make
  • gcc compiler
  • libssh-dev
git clone --depth=1 https://github.com/matricali/cbrutekrag.git
cd cbrutekrag
make
make install

Static build

Requirements:

  • cmake
  • gcc compiler
  • make
  • libssl-dev
  • libz-dev
git clone --depth=1 https://github.com/matricali/cbrutekrag.git
cd cbrutekrag
bash static-build.sh
make install

Run

OpenSSH Brute force tool 0.5.0 __/ | (c) Copyright 2014-2022 Jorge Matricali |___/ usage: ./cbrutekrag [-h] [-v] [-aA] [-D] [-P] [-T TARGETS.lst] [-C combinations.lst] [-t THREADS] [-o OUTPUT.txt] [TARGETS...] -h This help -v Verbose mode -V Verbose mode (sshlib) -s Scan mode -D Dry run -P Progress bar -T <targets> Targets file -C <combinations> Username and password file -t <threads> Max threads -o <output> Output log file -a Accepts non OpenSSH servers -A Allow servers detected as honeypots." dir="auto">
$ cbrutekrag -h
       _                _       _
      | |              | |     | |
  ___ | |__  _ __ _   _| |_ ___| | ___ __ __ _  __ _
 / __|| '_ \| '__| | | | __/ _ \ |/ / '__/ _` |/ _` |
| (__ | |_) | |  | |_| | ||  __/   <| | | (_| | (_| |
 \___||_.__/|_|   \__,_|\__\___|_|\_\_|  \__,_|\__, |
          OpenSSH Brute force tool 0.5.0        __/ |
      (c) Copyright 2014-2022 Jorge Matricali  |___/


usage: ./cbrutekrag [-h] [-v] [-aA] [-D] [-P] [-T TARGETS.lst] [-C combinations.lst]
		[-t THREADS] [-o OUTPUT.txt] [TARGETS...]

  -h                This help
  -v                Verbose mode
  -V                Verbose mode (sshlib)
  -s                Scan mode
  -D                Dry run
  -P                Progress bar
  -T <targets>      Targets file
  -C <combinations> Username and password file  -t <threads>      Max threads
  -o <output>       Output log file
  -a                Accepts non OpenSSH servers
  -A                Allow servers detected as honeypots.

Example usages

cbrutekrag -T targets.txt -C combinations.txt -o result.log
cbrutekrag -s -t 8 -C combinations.txt -o result.log 192.168.1.0/24

Supported targets syntax

  • 192.168.0.1
  • 10.0.0.0/8
  • 192.168.100.0/24:2222
  • 127.0.0.1:2222

Combinations file format

root root
root password
root $BLANKPASS$


❌