openstack
/
syntribos
Code Issues Proposed changes

Documentation updates and styling changes 

Updates to the syntribos official docs to reflect the present
state of the tool and also few styling changes.

Adding details about different tests
Fixing headings
Fixing typos
Adding links to source code and documentation

Change-Id: I99be3d150db72e88cdc9dcaf08668df7c831fec6
This commit is contained in:
Rahul Nair 2016-10-20 18:58:07 -05:00
parent 37dbc3524e
commit 0e116be551
16 changed files with 438 additions and 272 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CONTRIBUTING.rst
View File

@ -17,7 +17,7 @@ Anyone wanting to contribute to OpenStack must follow
All changes should be submitted through the code review process in Gerrit
described above. All pull requests on Github will be closed/ignored.
Bugs should be filed on the `Syntribos launchpad site <https://bugs.launchpad.net/syntribos>`__,
Bugs should be filed on the `syntribos launchpad site <https://bugs.launchpad.net/syntribos>`__,
and not on Github. All Github issues will be closed/ignored.
Breaking changes, feature requests, and other unprioritized work should first be

297
README.rst
View File

@ -1,9 +1,10 @@
=================================================
Syntribos, An Automated API Security Testing Tool
=================================================
::
Syntribos
syntribos
xxxxxxx
x xxxxxxxxxxxxx x
x xxxxxxxxxxx x
@ -34,37 +35,151 @@ Syntribos, An Automated API Security Testing Tool
Syntribos is an automated API security testing tool that is maintained by
members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`__.
Given a simple configuration file and an example HTTP request, Syntribos
Given a simple configuration file and an example HTTP request, syntribos
can replace any API URL, URL parameter, HTTP header and request body
field with a given set of strings. This is similar to Burp Proxy's
Intruder sniper attack, but Syntribos iterates through each position
automatically. Syntribos aims to automatically detect common security
defects such as SQL injection, LDAP injection, buffer overflow, etc. In
addition, Syntribos can be used to help identifying new security defects
by fuzzing.
field with a given set of strings. Syntribos iterates through each position
in the request automatically. Syntribos aims to automatically detect common
security defects such as SQL injection, LDAP injection, buffer overflow, etc. In
addition, syntribos can be used to help identify new security defects
by automated fuzzing.
Syntribos has the capability to test any API, but is designed with
`OpenStack <http://http://www.openstack.org/>`__ applications in mind.
List of Tests
~~~~~~~~~~~~~
Syntribos is shipped with batteries included, which means, with minimal
configuration effort you can initiate automated testing of any API of
your choice. If testing OpenStack API is in your mind, then syntribos
by default will help you in automatically downloading a set of templates
of some of the bigger OpenStack projects like nova, neutron, keystone etc.
A short list of tests that can be run using syntribos is given below:
* Buffer Overflow
* Command Injection
* CORS Wildcard
* Integer Overflow
* LDAP Injection
* SQL Injection
* String Validation
* XML External Entity
* Cross Site Scripting ( XSS )
Buffer Overflow
---------------
The idea of `buffer overflow`_ in the context of a web application is to force
an application to handle more data than it can hold in a buffer.
In syntribos a buffer overflow test is attempted by injecting a large
string into the body of an HTTP request.
Command Injection
-----------------
`Command injection`_ attacks are done by injecting arbitrary commands in an
attempt to execute these commands on a remote system. In syntribos this is
achieved by injecting a set of strings that have been proven to be successful
in executing a command injection attacks.
CORS Wildcard
-------------
`CORS wildcard`_ test is used to verify if a web server allows cross-domain
resource sharing from any external URL ( wild carding of
`Access-Control-Allow-Origin` header) rather than a white list of URLs.
Integer Overflow
----------------
`Integer overflow`_ test in syntribos attempts to inject numeric values that
the remote application may fail to represent within in its storage, for example
a 32 bit integer type trying to store a 64 bit number
LDAP Injection
--------------
`LDAP injection`_ is attempted in syntribos by injection of LDAP statements
on to HTTP requests; if an application fails to properly sanitize the
request content, it may be possible to execute arbitrary commands.
SQL Injection
-------------
`SQL injection`_ attacks are one of the most common web application attacks.
If the user input is not properly sanitized, it is fairly easy to
execute SQL queries that may result in an attacker reading sensitive
information or gaining control of the SQL server. In syntribos
an application is tested for SQL injection vulnerabilities by injecting
SQL strings into the HTTP request.
String Validation
-----------------
String validation attacks in syntribos try to exploit the fact that
some string patterns are not sanitized effectively by the input
validator and may cause the application to crash. Examples of characters
that may cause string validation vulnerabilities are special unicode
characters, emojis etc.
XML External Entity
-------------------
An `XML external entity`_ attack is an attack that targets the web
application's XML parser. If an XML parser allows processing of
external entities referenced in an XML document then an attacker
might be able to cause denial of service, leakage of information etc.
Syntribos tries to inject a few malicious strings into an XML body
while sending requests to an application in an attempt to obtain an
appropriate response.
Cross Site Scripting ( XSS )
----------------------------
An XSS_ attack is one where malicious JavaScript is injected into a web
application. Syntribos tries to find potential XSS issues by injecting
string containing "script" and other HTML tags into request fields.
Other than these built-in tests, you can extend syntribos by writing
your own custom tests. To do this, download the source code and look at
the tests in ``syntribos/tests`` directory. The CORS test may be an easy
one to emulate. In the same way, users can add different extensions also
to the tests. To see how extensions can be written please see
``syntribos/extensions`` directory.
.. _buffer overflow: https://en.wikipedia.org/wiki/Buffer_overflow
.. _Command injection: https://www.owasp.org/index.php/Command_Injection
.. _CORS wildcard: https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)
.. _Integer overflow: https://en.wikipedia.org/wiki/Integer_overflow
.. _LDAP injection: https://www.owasp.org/index.php/LDAP_injection
.. _SQL injection: https://www.owasp.org/index.php/SQL_Injection
.. _XML external entity: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
.. _XSS: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
**Details**
* `Documentation`_
* Free software: `Apache license`_
* `Launchpad project`_
* `Blueprints`_
* `Bugs`_
* `Source code`_
Supported Operating Systems
---------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Syntribos has been developed primarily in Linux and Mac environments,
however it supports installation and execution on Windows. But it has
not been tested yet.
Syntribos has been developed primarily in Linux and Mac environments and would
work on most Unix and Linux based Operating Systems. At this point, we are not
supporting Windows, but this may change in the future.
.. _Documentation: http://docs.openstack.org/developer/syntribos/
.. _Apache license: https://github.com/openstack/syntribos/blob/master/LICENSE
.. _Launchpad project: https://launchpad.net/syntribos
.. _Blueprints: https://blueprints.launchpad.net/syntribos
.. _Bugs: https://bugs.launchpad.net/syntribos
.. _Source code: https://github.com/openstack/syntribos
============
Installation
============
@ -79,12 +194,17 @@ pip <https://pypi.python.org/pypi/pip>`__ from the git repository.
$ cd syntribos
$ pip install . --upgrade
=============
Configuration
=============
This is the basic structure of a Syntribos configuration file.
All config files should have the section ``[syntribos]`` and a
``[user]`` section, the ``[logging]`` section is optional.
This is the basic structure of a syntribos configuration file.
All configuration files should have at least the section
``[syntribos]``. Depending upon what extensions you are using
and what you are testing, you can add other sections as well,
for example, if you are using the built-in identity extension
you would also need the ``[user]`` section. The sections
``[logging]`` and ``[remote]`` are optional.
::
@ -100,6 +220,7 @@ All config files should have the section ``[syntribos]`` and a
[user]
#
# User credentials and endpoint URI to get an AUTH_TOKEN
# This section is only needed if you are using the identity extension.
#
endpoint=
username=<yourusername>
@ -112,16 +233,16 @@ All config files should have the section ``[syntribos]`` and a
To test any project, just update the endpoint URI under
``[syntribos]`` to point to the API and also modify the user
credentials if needed. The endpoint URI in the ``[syntribos]``
section is the one being tested by Syntribos and the endpoint URI in
section is the one being tested by syntribos and the endpoint URI in
``[user]`` section is just used to get an AUTH_TOKEN.
Testing Keystone API
--------------------
Testing keystone API
~~~~~~~~~~~~~~~~~~~~
A sample config file is given in ``examples/configs/keystone.conf``.
A sample config file is given in :file:`examples/configs/keystone.conf`.
Copy this file to a location of your choice (default file path for
configuration file is: ``~/.syntribos/syntribos.conf``) and update the
configuration file is: :file:`~/.syntribos/syntribos.conf`) and update the
necessary fields like user credentials, log, template directory etc.
::
@ -185,35 +306,38 @@ necessary fields like user credentials, log, template directory etc.
# if you don't want this, set this option to False.
http_request_compression=True
==================
Syntribos Commands
==================
Below are the set of commands that should be specified while
using Syntribos.
using syntribos.
- **run**
- :command:`syntribos run`
This command runs Syntribos with the given config options
This command runs syntribos with the given config options
::
$ syntribos --config-file keystone.conf -t SQL run
- **dry_run**
- :command:`syntribos dry-run`
This command prepares all the test cases that would be executed by
the ```run``` command based on the configuration options passed to
Syntribos, but simply prints their details to the screen instead
of actually running them.
This command ensures that the template files given for this run parse
successfully without errors. It then runs a debug test which sends no
requests of its own.
Note: if any external calls referenced inside the template file do make
requests, the parser will still make those requests even for a dry run.
::
$ syntribos --config-file keystone.conf -t SQL dry_run
$ syntribos --config-file keystone.conf dry_run
- **list_tests**
- :command:`syntribos list_tests`
This command will list the names and description of all the tests
@ -227,11 +351,12 @@ using Syntribos.
All these commands will only work if a configuration file
is specified.
Running Syntribos
=================
Running syntribos
=================
To run Syntribos against all the available tests, just specify the
command ``syntribos`` with the configuration file without specifying
To run syntribos against all the available tests, just specify the
command :command:`syntribos run` with the configuration file without specifying
any test type.
::
@ -239,9 +364,9 @@ any test type.
$ syntribos --config-file keystone.conf run
Fuzzy-matching test names
-------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~
It is possible to limit Syntribos to run a specific test type using
It is possible to limit syntribos to run a specific test type using
the ``-t`` flag.
::
@ -346,93 +471,7 @@ above:
2016-05-19 16:11:52,083: INFO: root: Total Errored..: 0
2016-05-19 16:11:52,083: INFO: root: ========================================================
Basic Syntribos Test Anatomy
============================
Test Types
----------
The tests included at release time include LDAP injection, SQL
injection, integer overflow, command injection, XML external entity,
reflected cross-site scripting, Cross Origin Resource Sharing (CORS)
wildcard and SSL.
In order to run a specific test, simply use the ``-t, --test-types``
option and provide `syntribos` with a keyword or keywords to match from
the test files located in ``syntribos/tests/``.
For SQL injection tests, use:
::
$ syntribos --config-file keystone.conf -t SQL
Another example, to run SQL injection tests against the template body only, use:
::
$ syntribos --config-file keystone.conf -t SQL_INJECTION_BODY
For all tests against HTTP headers only, use:
::
$ syntribos --config-file keystone.conf -t HEADERS
Call External
-------------
Syntribos template files can be supplemented with variable data, or data
retrieved from external sources. This is handled using 'extensions.'
Extensions are found in ``syntribos/extensions/`` .
Calls to extensions are made in this form:
::
CALL_EXTERNAL|{extension dot path}:{function}:{arguments}
One example packaged with Syntribos enables the tester to obtain an auth
token from keystone/identity. The code is located in
``identity/client.py``
To use this extension, you can add the following to your template file:
::
X-Auth-Token: CALL_EXTERNAL|syntribos.extensions.identity.client:get_token_v3:["user"]|
The "user" string indicates the data from the configuration file we
added in ``examples/configs/keystone.conf``
Another example is found in ``random_data/client.py`` . This returns a
UUID when random but unique data is needed. This can be used in place of
usernames when fuzzing a create user call.
::
"username": "CALL_EXTERNAL|syntribos.extensions.random_data.client:get_uuid:[]|"
The extension function can return one value or be used as a generator if
you want it to change for each test.
Action Field
------------
While Syntribos is designed to test all fields in a request, it can also
ignore specific fields through the use of Action Fields. If you want to
fuzz against a static object ID, use the Action Field indicator as
follows:
::
"ACTION_FIELD:id": "1a16f348-c8d5-42ec-a474-b1cdf78cf40f"
The ID provided will remain static for every test.
===================
Executing unittests
===================
@ -449,15 +488,17 @@ Now, run
$ python -m unittest discover tests/unit -p "test_*.py"
Also, if you have configured tox you could also do
If you have configured tox you could also do
::
$ tox -e py27
$ tox -e py35
This will run all the unittests and give you a result output
containing the status and coverage details of each test.
=======================
Contributing Guidelines
=======================
@ -466,7 +507,7 @@ Contributing Guidelines
2. All new classes/functions should have appropriate docstrings in
`RST format <https://pythonhosted.org/an_example_pypi_project/sphinx.html>`__
3. All new code should have appropriate unittests (place them in the
``tests/unit`` folder)
:file:`tests/unit` folder)
Anyone wanting to contribute to OpenStack must follow
`the OpenStack development workflow <http://docs.openstack.org/infra/manual/developers.html#development-workflow>`__
@ -474,15 +515,15 @@ Anyone wanting to contribute to OpenStack must follow
All changes should be submitted through the code review process in Gerrit
described above. All pull requests on Github will be closed/ignored.
Bugs should be filed on the `Syntribos launchpad site <https://bugs.launchpad.net/syntribos>`__,
Bugs should be filed on the `syntribos launchpad site <https://budmegs.launchpad.net/syntribos>`__,
and not on Github. All Github issues will be closed/ignored.
Breaking changes, feature requests, and other non prioritized work should
first be submitted as a blueprint `here <https://blueprints.launchpad.net/syntribos>`__
for review.
Readme.rst is auto generated from docs by running ``python readme.py`` in the
``syntribos/scripts`` directory. So when the README.rst needs to be updated;
modify the corresponding rst file in ``syntribos/doc/source`` and auto generate
README.rst is auto generated from docs by running :command:`python readme.py` in the
:file:`syntribos/scripts` directory. So when the README.rst needs to be updated;
modify the corresponding rst file in :file:`syntribos/doc/source` and auto generate
the README.

138
doc/source/about.rst
View File

@ -1,9 +1,10 @@
=================================================
Syntribos, An Automated API Security Testing Tool
=================================================
::
Syntribos
syntribos
xxxxxxx
x xxxxxxxxxxxxx x
x xxxxxxxxxxx x
@ -34,33 +35,146 @@ Syntribos, An Automated API Security Testing Tool
Syntribos is an automated API security testing tool that is maintained by
members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`__.
Given a simple configuration file and an example HTTP request, Syntribos
Given a simple configuration file and an example HTTP request, syntribos
can replace any API URL, URL parameter, HTTP header and request body
field with a given set of strings. This is similar to Burp Proxy's
Intruder sniper attack, but Syntribos iterates through each position
automatically. Syntribos aims to automatically detect common security
defects such as SQL injection, LDAP injection, buffer overflow, etc. In
addition, Syntribos can be used to help identifying new security defects
by fuzzing.
field with a given set of strings. Syntribos iterates through each position
in the request automatically. Syntribos aims to automatically detect common
security defects such as SQL injection, LDAP injection, buffer overflow, etc. In
addition, syntribos can be used to help identify new security defects
by automated fuzzing.
Syntribos has the capability to test any API, but is designed with
`OpenStack <http://http://www.openstack.org/>`__ applications in mind.
List of Tests
~~~~~~~~~~~~~
Syntribos is shipped with batteries included, which means, with minimal
configuration effort you can initiate automated testing of any API of
your choice. If testing OpenStack API is in your mind, then syntribos
by default will help you in automatically downloading a set of templates
of some of the bigger OpenStack projects like nova, neutron, keystone etc.
A short list of tests that can be run using syntribos is given below:
* Buffer Overflow
* Command Injection
* CORS Wildcard
* Integer Overflow
* LDAP Injection
* SQL Injection
* String Validation
* XML External Entity
* Cross Site Scripting ( XSS )
Buffer Overflow
---------------
The idea of `buffer overflow`_ in the context of a web application is to force
an application to handle more data than it can hold in a buffer.
In syntribos a buffer overflow test is attempted by injecting a large
string into the body of an HTTP request.
Command Injection
-----------------
`Command injection`_ attacks are done by injecting arbitrary commands in an
attempt to execute these commands on a remote system. In syntribos this is
achieved by injecting a set of strings that have been proven to be successful
in executing a command injection attacks.
CORS Wildcard
-------------
`CORS wildcard`_ test is used to verify if a web server allows cross-domain
resource sharing from any external URL ( wild carding of
`Access-Control-Allow-Origin` header) rather than a white list of URLs.
Integer Overflow
----------------
`Integer overflow`_ test in syntribos attempts to inject numeric values that
the remote application may fail to represent within in its storage, for example
a 32 bit integer type trying to store a 64 bit number
LDAP Injection
--------------
`LDAP injection`_ is attempted in syntribos by injection of LDAP statements
on to HTTP requests; if an application fails to properly sanitize the
request content, it may be possible to execute arbitrary commands.
SQL Injection
-------------
`SQL injection`_ attacks are one of the most common web application attacks.
If the user input is not properly sanitized, it is fairly easy to
execute SQL queries that may result in an attacker reading sensitive
information or gaining control of the SQL server. In syntribos
an application is tested for SQL injection vulnerabilities by injecting
SQL strings into the HTTP request.
String Validation
-----------------
String validation attacks in syntribos try to exploit the fact that
some string patterns are not sanitized effectively by the input
validator and may cause the application to crash. Examples of characters
that may cause string validation vulnerabilities are special unicode
characters, emojis etc.
XML External Entity
-------------------
An `XML external entity`_ attack is an attack that targets the web
application's XML parser. If an XML parser allows processing of
external entities referenced in an XML document then an attacker
might be able to cause denial of service, leakage of information etc.
Syntribos tries to inject a few malicious strings into an XML body
while sending requests to an application in an attempt to obtain an
appropriate response.
Cross Site Scripting ( XSS )
----------------------------
An XSS_ attack is one where malicious JavaScript is injected into a web
application. Syntribos tries to find potential XSS issues by injecting
string containing "script" and other HTML tags into request fields.
Other than these built-in tests, you can extend syntribos by writing
your own custom tests. To do this, download the source code and look at
the tests in ``syntribos/tests`` directory. The CORS test may be an easy
one to emulate. In the same way, users can add different extensions also
to the tests. To see how extensions can be written please see
``syntribos/extensions`` directory.
.. _buffer overflow: https://en.wikipedia.org/wiki/Buffer_overflow
.. _Command injection: https://www.owasp.org/index.php/Command_Injection
.. _CORS wildcard: https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)
.. _Integer overflow: https://en.wikipedia.org/wiki/Integer_overflow
.. _LDAP injection: https://www.owasp.org/index.php/LDAP_injection
.. _SQL injection: https://www.owasp.org/index.php/SQL_Injection
.. _XML external entity: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
.. _XSS: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
**Details**
* `Documentation`_
* Free software: `Apache license`_
* `Launchpad project`_
* `Blueprints`_
* `Bugs`_
* `Source code`_
Supported Operating Systems
---------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Syntribos has been developed primarily in Linux and Mac environments,
however it supports installation and execution on Windows. But it has
not been tested yet.
Syntribos has been developed primarily in Linux and Mac environments and would
work on most Unix and Linux based Operating Systems. At this point, we are not
supporting Windows, but this may change in the future.
.. _Documentation: http://docs.openstack.org/developer/syntribos/
.. _Apache license: https://github.com/openstack/syntribos/blob/master/LICENSE
.. _Launchpad project: https://launchpad.net/syntribos
.. _Blueprints: https://blueprints.launchpad.net/syntribos
.. _Bugs: https://bugs.launchpad.net/syntribos
.. _Source code: https://github.com/openstack/syntribos

27
doc/source/code-docs.rst
View File

@ -1,8 +1,9 @@
============================
Syntribos Code Documentation
============================
Configuration
-------------
~~~~~~~~~~~~~
This section describes the configuration specified in your configuration file
(second argument to the runner).
@ -23,7 +24,7 @@ This section describes the configuration specified in your configuration file
:show-inheritance:
Signals
-------
~~~~~~~
This section describes Signals (:class:`syntribos.signal.SynSignal`) and
SignalHolders (:class:`syntribos.signal.SignalHolder`)
@ -36,19 +37,19 @@ SignalHolders (:class:`syntribos.signal.SignalHolder`)
:special-members: __init__, __contains__
Checks
------
~~~~~~
.. autofunction:: syntribos.checks.http.check_http_fail
.. autofunction:: syntribos.checks.http.check_http_status_code
Tests
-----
~~~~~
This section describes the components involved with writing your own tests with
Syntribos.
syntribos.
All Syntribos tests inherit from :class:`syntribos.tests.base.BaseTestCase`,
All syntribos tests inherit from :class:`syntribos.tests.base.BaseTestCase`,
either directly, or through a subclass like
:class:`syntribos.tests.fuzz.base_fuzz.BaseFuzzTestCase`.
@ -76,10 +77,10 @@ All tests are aggregated in the `syntribos.tests.base.test_table` variable
:show-inheritance:
Issues
------
~~~~~~
This section describes the representation of issues that are uncovered by
Syntribos.
syntribos.
.. automodule:: syntribos.issue
:members:
@ -87,10 +88,10 @@ Syntribos.
:show-inheritance:
Results
-------
~~~~~~~
This section describes the representation of results (collections of issues)
from a given Syntribos run.
from a given syntribos run.
.. automodule:: syntribos.result
:members:
@ -98,7 +99,7 @@ from a given Syntribos run.
:show-inheritance:
HTTP Requests
-------------
~~~~~~~~~~~~~
This section describes the components related to generating, fuzzing, and making
HTTP requests.
@ -119,9 +120,9 @@ HTTP requests.
:show-inheritance:
Extension
----------
~~~~~~~~~
This section describes Syntribos' extensions, which are called by the
This section describes syntribos' extensions, which are called by the
CALL_EXTERNAL field in the request template.
.. automodule:: syntribos.extensions.identity.models.base

12
doc/source/commands.rst
View File

@ -1,19 +1,20 @@
==================
Syntribos Commands
==================
Below are the set of commands that should be specified while
using Syntribos.
using syntribos.
- **run**
- :command:`syntribos run`
This command runs Syntribos with the given config options
This command runs syntribos with the given config options
::
$ syntribos --config-file keystone.conf -t SQL run
- **dry_run**
- :command:`syntribos dry-run`
This command ensures that the template files given for this run parse
@ -22,12 +23,13 @@ using Syntribos.
Note: if any external calls referenced inside the template file do make
requests, the parser will still make those requests even for a dry run.
::
$ syntribos --config-file keystone.conf dry_run
- **list_tests**
- :command:`syntribos list_tests`
This command will list the names and description of all the tests

55
doc/source/conf.py
View File

@ -15,33 +15,29 @@
import os
import sys
sys.path.insert(0, os.path.abspath('../../'))
sys.path.insert(0, os.path.abspath("../../"))
# -- General configuration ----------------------------------------------------
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
extensions = [
'sphinx.ext.autodoc',
'sphinx.ext.intersphinx',
'oslosphinx'
]
# extensions coming with Sphinx (named "sphinx.ext.*") or your custom ones.
extensions = ["sphinx.ext.autodoc", "sphinx.ext.intersphinx", "oslosphinx"]
# autodoc generation is a bit aggressive and a nuisance when doing heavy
# text edit cycles.
# execute "export SPHINX_DEBUG=1" in your terminal to disable
# The suffix of source filenames.
source_suffix = '.rst'
source_suffix = ".rst"
# The master toctree document.
master_doc = 'index'
master_doc = "index"
# General information about the project.
project = u'Syntribos'
copyright = u'2015, OpenStack Foundation'
project = u"syntribos"
copyright = u"2015-present, OpenStack Foundation"
# If true, '()' will be appended to :func: etc. cross-reference text.
# If true, "()" will be appended to :func: etc. cross-reference text.
add_function_parentheses = True
# If true, the current module name will be prepended to all description
@ -49,40 +45,37 @@ add_function_parentheses = True
add_module_names = True
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
pygments_style = "sphinx"
#-- Options for man page output --------------------------------------------
# -- Options for man page output --------------------------------------------
# Grouping the document tree for man pages.
# List of tuples 'sourcefile', 'target', u'title', u'Authors name', 'manual'
# List of tuples "sourcefile", "target", u"title", u"Authors name", "manual"
man_pages = [
('man/syntribos', 'syntribos', u'Automated API security testing tool',
[u'OpenStack Security Group'], 1)
]
man_pages = [("man/syntribos", "syntribos",
u"Automated API security testing tool",
[u"OpenStack Security Group"], 1)]
# -- Options for HTML output --------------------------------------------------
# The theme to use for HTML and HTML Help pages. Major themes that come with
# Sphinx are currently 'default' and 'sphinxdoc'.
# Sphinx are currently "default" and "sphinxdoc".
# html_theme_path = ["."]
# html_theme = '_theme'
# html_static_path = ['static']
# html_theme = "_theme"
# html_static_path = ["static"]
html_theme_options = {}
# Output file base name for HTML help builder.
htmlhelp_basename = '%sdoc' % project
htmlhelp_basename = "%sdoc" % project
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author, documentclass
# [howto/manual]).
latex_documents = [
('index',
'%s.tex' % project,
u'%s Documentation' % project,
u'OpenStack Foundation', 'manual'),
]
latex_documents = [("index", "%s.tex" % project, u"%s Documentation" % project,
u"OpenStack Foundation", "manual"), ]
# Example configuration for intersphinx: refer to the Python standard library.
# intersphinx_mapping = {'http://docs.python.org/': None}
intersphinx_mapping = {'requests': ('http://docs.python-requests.org/en/master', None)}
# intersphinx_mapping = {"http://docs.python.org/": None}
intersphinx_mapping = {
"requests": ("http://docs.python-requests.org/en/master", None)
}

22
doc/source/configuration.rst
View File

@ -1,9 +1,14 @@
=============
Configuration
=============
This is the basic structure of a Syntribos configuration file.
All config files should have the section ``[syntribos]`` and a
``[user]`` section, the ``[logging]`` section is optional.
This is the basic structure of a syntribos configuration file.
All configuration files should have at least the section
``[syntribos]``. Depending upon what extensions you are using
and what you are testing, you can add other sections as well,
for example, if you are using the built-in identity extension
you would also need the ``[user]`` section. The sections
``[logging]`` and ``[remote]`` are optional.
::
@ -19,6 +24,7 @@ All config files should have the section ``[syntribos]`` and a
[user]
#
# User credentials and endpoint URI to get an AUTH_TOKEN
# This section is only needed if you are using the identity extension.
#
endpoint=
username=<yourusername>
@ -31,16 +37,16 @@ All config files should have the section ``[syntribos]`` and a
To test any project, just update the endpoint URI under
``[syntribos]`` to point to the API and also modify the user
credentials if needed. The endpoint URI in the ``[syntribos]``
section is the one being tested by Syntribos and the endpoint URI in
section is the one being tested by syntribos and the endpoint URI in
``[user]`` section is just used to get an AUTH_TOKEN.
Testing Keystone API
--------------------
Testing keystone API
~~~~~~~~~~~~~~~~~~~~
A sample config file is given in ``examples/configs/keystone.conf``.
A sample config file is given in :file:`examples/configs/keystone.conf`.
Copy this file to a location of your choice (default file path for
configuration file is: ``~/.syntribos/syntribos.conf``) and update the
configuration file is: :file:`~/.syntribos/syntribos.conf`) and update the
necessary fields like user credentials, log, template directory etc.
::

11
doc/source/contributing.rst
View File

@ -1,3 +1,4 @@
=======================
Contributing Guidelines
=======================
@ -6,7 +7,7 @@ Contributing Guidelines
2. All new classes/functions should have appropriate docstrings in
`RST format <https://pythonhosted.org/an_example_pypi_project/sphinx.html>`__
3. All new code should have appropriate unittests (place them in the
``tests/unit`` folder)
:file:`tests/unit` folder)
Anyone wanting to contribute to OpenStack must follow
`the OpenStack development workflow <http://docs.openstack.org/infra/manual/developers.html#development-workflow>`__
@ -14,14 +15,14 @@ Anyone wanting to contribute to OpenStack must follow
All changes should be submitted through the code review process in Gerrit
described above. All pull requests on Github will be closed/ignored.
Bugs should be filed on the `Syntribos launchpad site <https://bugs.launchpad.net/syntribos>`__,
Bugs should be filed on the `syntribos launchpad site <https://budmegs.launchpad.net/syntribos>`__,
and not on Github. All Github issues will be closed/ignored.
Breaking changes, feature requests, and other non prioritized work should
first be submitted as a blueprint `here <https://blueprints.launchpad.net/syntribos>`__
for review.
Readme.rst is auto generated from docs by running ``python readme.py`` in the
``syntribos/scripts`` directory. So when the README.rst needs to be updated;
modify the corresponding rst file in ``syntribos/doc/source`` and auto generate
README.rst is auto generated from docs by running :command:`python readme.py` in the
:file:`syntribos/scripts` directory. So when the README.rst needs to be updated;
modify the corresponding rst file in :file:`syntribos/doc/source` and auto generate
the README.

28
doc/source/index.rst
View File

@ -1,22 +1,22 @@
=========
Syntribos
=========
Syntribos is an automated API security testing tool
Syntribos is an automated API security testing tool.
Given a simple configuration file and an example HTTP request, Syntribos
Given a simple configuration file and an example HTTP request, syntribos
can replace any API URL, URL parameter, HTTP header and request body
field with a given set of strings. This is similar to Burp Proxy's
Intruder sniper attack, but Syntribos iterates through each position
automatically. Syntribos aims to automatically detect common security
defects such as SQL injection, LDAP injection, buffer overflow, etc. In
addition, Syntribos can be used to help identifying new security defects
by fuzzing.
field with a given set of strings. Syntribos iterates through each position
in the request automatically. Syntribos aims to automatically detect common
security defects such as SQL injection, LDAP injection, buffer overflow, etc. In
addition, syntribos can be used to help identify new security defects
by automated fuzzing.
Syntribos has the capability to test any API, but is designed with
`OpenStack <http://http://www.openstack.org/>`__ applications in mind.
Index
-----
~~~~~
.. toctree::
:maxdepth: 1
@ -27,10 +27,10 @@ Index
commands
running
logging
test.anatomy
test-anatomy
For Developers
--------------
~~~~~~~~~~~~~~
.. toctree::
:maxdepth: 1
@ -41,14 +41,18 @@ For Developers
unittests
Project information
-------------------
~~~~~~~~~~~~~~~~~~~
* `Documentation`_
* Free software: `Apache license`_
* `Launchpad project`_
* `Blueprints`_
* `Bugs`_
* `Source code`_
.. _Documentation: http://docs.openstack.org/developer/syntribos/
.. _Apache license: https://github.com/openstack/syntribos/blob/master/LICENSE
.. _Launchpad project: https://launchpad.net/syntribos
.. _Blueprints: https://blueprints.launchpad.net/syntribos
.. _Bugs: https://bugs.launchpad.net/syntribos
.. _Source code: https://github.com/openstack/syntribos

1
doc/source/installation.rst
View File

@ -1,3 +1,4 @@
============
Installation
============

42
doc/source/man/syntribos.rst
View File

@ -3,7 +3,7 @@ syntribos
=========
SYNOPSIS
========
~~~~~~~~
syntribos [-h] [--colorize] [--config-dir DIR] [--config-file PATH]
[--excluded-types EXCLUDED_TYPES] [--format OUTPUT_FORMAT]
@ -17,29 +17,27 @@ syntribos [-h] [--colorize] [--config-dir DIR] [--config-file PATH]
{list_tests,run,dry_run} ...
DESCRIPTION
===========
~~~~~~~~~~~
Syntribos is an automated API security testing tool.
Given a simple configuration file and an example HTTP request, Syntribos
Given a simple configuration file and an example HTTP request, syntribos
can replace any API URL, URL parameter, HTTP header and request body
field with a given set of strings. This is similar to Burp Proxy's
Intruder sniper attack, but Syntribos iterates through each position
automatically. Syntribos aims to automatically detect common security
defects such as SQL injection, LDAP injection, buffer overflow, etc. In
addition, Syntribos can be used to help identifying new security defects
by fuzzing.
field with a given set of strings. Syntribos aims to automatically detect
common security defects such as SQL injection, LDAP injection, buffer
overflow, etc. In addition, syntribos can be used to help identifying new
security defects by fuzzing.
Syntribos has the capability to test any API, but is designed with
OpenStack applications in mind.
OPTIONS
=======
~~~~~~~
-h, --help show this help message and exit
--colorize, -cl Enable color in Syntribos terminal output
--config-dir DIR Path to a config directory to pull *.conf files from.
This file set is sorted, so as to provide a
--colorize, -cl Enable color in syntribos terminal output
--config-dir DIR Path to a config directory to pull :file:`*.conf` files
from. This file set is sorted, so as to provide a
predictable parse order if individual options are
over-ridden. The set is parsed after the file(s)
specified via previous --config-file, arguments hence
@ -48,7 +46,7 @@ OPTIONS
can be specified, with values in later files taking
precedence. Defaults to None.
--excluded-types EXCLUDED_TYPES, -e EXCLUDED_TYPES
Test types to be excluded from current runagainst the
Test types to be excluded from current run against the
target API
--format OUTPUT_FORMAT, -f OUTPUT_FORMAT
The format for outputting results
@ -68,7 +66,7 @@ Main Syntribos Config:
--syntribos-exclude_results SYNTRIBOS_EXCLUDE_RESULTS
Defect types to exclude from the results output
--syntribos-payload_dir SYNTRIBOS_PAYLOAD_DIR
The location where we can find Syntribos' payloads
The location where we can find syntribos' payloads
--syntribos-templates SYNTRIBOS_TEMPLATES
A directory of template files, or a single template
file, to test on the target API
@ -77,27 +75,27 @@ Syntribos Commands:
{list_tests,run,dry_run}
Available commands
list_tests List all available tests
run Run Syntribos with given config options
run Run syntribos with given config options
dry_run Dry run Syntribos with given config options
FILES
=====
~~~~~
~/.syntribos/syntribos.conf
syntribos configuration file
EXAMPLES
========
~~~~~~~~
To run Syntribos against all the available tests, just specify the
command ``syntribos`` with the configuration file without specifying
any test type.
To run syntribos against all the available tests, just specify the
command :command:`syntribos run` with the configuration file without
specifying any test type.
::
$ syntribos --config-file keystone.conf run
SEE ALSO
========
~~~~~~~~
bandit(1)

11
doc/source/running.rst
View File

@ -1,8 +1,9 @@
Running Syntribos
=================
Running syntribos
=================
To run Syntribos against all the available tests, just specify the
command ``syntribos`` with the configuration file without specifying
To run syntribos against all the available tests, just specify the
command :command:`syntribos run` with the configuration file without specifying
any test type.
::
@ -10,9 +11,9 @@ any test type.
$ syntribos --config-file keystone.conf run
Fuzzy-matching test names
-------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~
It is possible to limit Syntribos to run a specific test type using
It is possible to limit syntribos to run a specific test type using
the ``-t`` flag.
::

13
doc/source/structure.rst
View File

@ -1,21 +1,22 @@
=================
Project Structure
=================
- ``data/`` (textfiles containing data for use by Syntribos tests)
- ``data/`` (textfiles containing data for use by syntribos tests)
- ``doc/source/`` (Sphinx documentation files)
- ``examples/`` (example Syntribos request templates, config files)
- ``configs/`` (examples of Syntribos configs; currently only Keystone)
- ``examples/`` (example syntribos request templates, config files)
- ``configs/`` (examples of syntribos configs; currently only Keystone)
- ``templates/`` (examples of request templates; currently only Keystone/Solum)
- ``scripts/`` (?)
- ``syntribos/`` (core Syntribos code)
- ``syntribos/`` (core syntribos code)
- ``clients/`` (clients for making calls, e.g. HTTP)
- ``http/`` (clients for making HTTP requests)
- ``extensions/`` (extensions that can be called in request templates)
- ``identity/`` (extension for interacting with Keystone/identity)
- ``random_data/`` (extension for generating random test data)
- ``formatters/`` (output formatters, e.g. JSON, XML/XUnit)
- ``tests/`` (location of tests that Syntribos can run against a target)
- ``tests/`` (location of tests that syntribos can run against a target)
- ``auth/`` (tests related to authentication/authorization)
- ``fuzz/`` (tests that "fuzz" API requests)
- ``utils/`` (utility methods)
- ``tests/unit/`` (unittests for testing Syntribos itself)
- ``tests/unit/`` (unittests for testing syntribos itself)

13
doc/source/test.anatomy.rst → doc/source/test-anatomy.rst
View File

@ -1,8 +1,9 @@
Basic Syntribos Test Anatomy
============================
Basic syntribos Test Anatomy
============================
Test Types
----------
~~~~~~~~~~
The tests included at release time include LDAP injection, SQL
injection, integer overflow, command injection, XML external entity,
@ -33,7 +34,7 @@ For all tests against HTTP headers only, use:
Call External
-------------
~~~~~~~~~~~~~
Syntribos template files can be supplemented with variable data, or data
retrieved from external sources. This is handled using 'extensions.'
@ -46,7 +47,7 @@ Calls to extensions are made in this form:
CALL_EXTERNAL|{extension dot path}:{function}:{arguments}
One example packaged with Syntribos enables the tester to obtain an auth
One example packaged with syntribos enables the tester to obtain an auth
token from keystone/identity. The code is located in
``identity/client.py``
@ -72,9 +73,9 @@ you want it to change for each test.
Action Field
------------
~~~~~~~~~~~~
While Syntribos is designed to test all fields in a request, it can also
While syntribos is designed to test all fields in a request, it can also
ignore specific fields through the use of Action Fields. If you want to
fuzz against a static object ID, use the Action Field indicator as
follows:

4
doc/source/unittests.rst
View File

@ -1,3 +1,4 @@
===================
Executing unittests
===================
@ -14,11 +15,12 @@ Now, run
$ python -m unittest discover tests/unit -p "test_*.py"
Also, if you have configured tox you could also do
If you have configured tox you could also do
::
$ tox -e py27
$ tox -e py35
This will run all the unittests and give you a result output
containing the status and coverage details of each test.

34
syntribos/config.py
View File

@ -127,7 +127,7 @@ class TemplateType(ExistingPathType):
return [self._fetch_from_file(string)]
syntribos_group = cfg.OptGroup(name="syntribos", title="Main Syntribos Config")
syntribos_group = cfg.OptGroup(name="syntribos", title="Main syntribos Config")
user_group = cfg.OptGroup(name="user", title="Identity Config")
test_group = cfg.OptGroup(name="test", title="Test Config")
logger_group = cfg.OptGroup(name="logging", title="Logger config")
@ -137,9 +137,9 @@ def sub_commands(sub_parser):
sub_parser.add_parser('list_tests',
help="List all available tests")
sub_parser.add_parser('run',
help="Run Syntribos with given config options")
help="Run syntribos with given config options")
sub_parser.add_parser('dry_run',
help="Dry run Syntribos with given config options")
help="Dry run syntribos with given config options")
def list_opts():
@ -174,7 +174,7 @@ def list_cli_opts():
cfg.SubCommandOpt(name="sub_command",
handler=sub_commands,
help="Available commands",
title="Syntribos Commands"),
title="syntribos Commands"),
cfg.MultiStrOpt("test-types", dest="test_types", short="t",
default=[""], sample_default=["SQL", "XSS"],
help="Test types to run against the target API"),
@ -183,7 +183,7 @@ def list_cli_opts():
help="Test types to be excluded from current run"
"against the target API"),
cfg.BoolOpt("colorize", dest="colorize", short="cl", default=False,
help="Enable color in Syntribos terminal output"),
help="Enable color in syntribos terminal output"),
cfg.StrOpt("outfile", short="o",
sample_default="out.json", help="File to print output to"),
cfg.StrOpt("format", dest="output_format", short="f", default="json",
@ -209,7 +209,7 @@ def list_syntribos_opts():
"file, to test on the target API"),
cfg.StrOpt("payload_dir", default="", required=True,
sample_default="~/.syntribos/data",
help="The location where we can find Syntribos' payloads"),
help="The location where we can find syntribos' payloads"),
cfg.MultiStrOpt("exclude_results",
default=[""],
sample_default=["500_errors", "length_diff"],
@ -221,21 +221,21 @@ def list_syntribos_opts():
def list_user_opts():
return [
cfg.StrOpt("version", default="v2.0",
help="Keystone version", choices=["v2.0", "v3"]),
cfg.StrOpt("username", default="", help="Keystone username"),
cfg.StrOpt("password", default="", help="Keystone user password",
help="keystone version", choices=["v2.0", "v3"]),
cfg.StrOpt("username", default="", help="keystone username"),
cfg.StrOpt("password", default="", help="keystone user password",
secret=True),
cfg.StrOpt("user_id", default="",
help="Keystone user ID", secret=True),
cfg.StrOpt("token", default="", help="Keystone auth token",
cfg.StrOpt("token", default="", help="keystone auth token",
secret=True),
cfg.StrOpt("endpoint", default="", help="Keystone endpoint URI"),
cfg.StrOpt("domain_name", default="", help="Keystone domain name"),
cfg.StrOpt("project_id", default="", help="Keystone project id"),
cfg.StrOpt("project_name", default="", help="Keystone project name"),
cfg.StrOpt("domain_id", default="", help="Keystone domain id"),
cfg.StrOpt("tenant_name", default="", help="Keystone tenant name"),
cfg.StrOpt("tenant_id", default="", help="Keystone tenant id"),
cfg.StrOpt("endpoint", default="", help="keystone endpoint URI"),
cfg.StrOpt("domain_name", default="", help="keystone domain name"),
cfg.StrOpt("project_id", default="", help="keystone project id"),
cfg.StrOpt("project_name", default="", help="keystone project name"),
cfg.StrOpt("domain_id", default="", help="keystone domain id"),
cfg.StrOpt("tenant_name", default="", help="keystone tenant name"),
cfg.StrOpt("tenant_id", default="", help="keystone tenant id"),
cfg.StrOpt("serialize_format", default="json",
help="Type of request body"),
cfg.StrOpt("deserialize_format", default="json",