Comments (4)
dmdhrumilmistry
commented on May 29, 2024
Documentation would requires more details for instance i got
1st lines indicate leak found ; yes but what can of leak ? , still the test passed successfully
2nd lines says Failed , but not a clear answer about why
having a 200 not clear why it is mentionned as suspicious ?
according to what i understood the datalleak is a parsing of sensitive data such as telephone as part of the returned payload ? i got in mine for instance date, jwtToken, PhoneNumberIN, PhoneNumberUS is that correct understanding ?
it is important to document here what the tooling is doing
For time being I've separated Data Leak and API test, so currently they're interpreted individually.
Yes, telephone number could be leading to failure of Data leak test.
I'll be make necessary changes for data leak tests for be reflected in overall API test results.
from offat.
LasneF
commented on May 29, 2024
May be add as well a filter on the reporting HTML file
i am still not clear on what this kind of output means
Test Name:
BOPLA Test
Test Result:
❌ Failed
Result Details:
Endpoint might be vulnerable to BOPLA
Test Response Filter:
STATUS_CODE_FILTER
Data Leak:
No Data Leakage Found
we need to have further details on what STATUS_CODE_FILTER means
from offat.
dmdhrumilmistry
commented on May 29, 2024
May be add as well a filter on the reporting HTML file
i am still not clear on what this kind of output means
Test Name: BOPLA Test Test Result: ❌ Failed Result Details: Endpoint might be vulnerable to BOPLA Test Response Filter: STATUS_CODE_FILTER Data Leak: No Data Leakage Found
we need to have further details on what STATUS_CODE_FILTER means
HTML report is kinda buggy at the moment and I'm not planning to update it any time soon. There are several challenges while handling HTML reports such as sanitizing and formatting data correctly which can be tricky and If I miss something it can lead to security issues.
STATUS_CODE_FILTER is used internally to find indicator of vulnerability in few cases after receiving response from the API server.
OFFAT/src/offat/tester/post_test_processor.py
Line 183 in ce7086c
I've clarified the usage of data_leak and result columns in the results table in README.md files for now.
PR: #77
from offat.
dmdhrumilmistry
commented on May 29, 2024
Closing issue due to inactivity.
from offat.
Related Issues (17)
- Semaphore-Lock-Bug
- API Testing Error HOT 5
- Host/Server Parsing Bug leading to scan crash HOT 4
- [feature] capability to set Host and port , and even basePath HOT 5
- Feature : Output filter HOT 1
- Install Error HOT 2
- Installation fails on Ubuntu / venv HOT 3
- False positive on SSTI check HOT 6
- False negative in OS Injection HOT 1
- Strange values instead of Payloads HOT 2
- False negative related to SQL Injection HOT 2
- Make output more clear if the endpoint is or not vulnerable HOT 5
- `PhoneNumberIN` returns empty values in the array HOT 7
- Additional tokens for `data_leak` HOT 2
- Add automated tests HOT 1
- Issue running the OFFAT tool to scan Open Source API's HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from offat.