Merge "Detailed edit of about.rst doc"
This commit is contained in:
commit
fa352623ae
104
README.rst
104
README.rst
@ -51,14 +51,14 @@ Syntribos, An Automated API Security Testing Tool

Syntribos is an open source automated API security testing tool that is
maintained by members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`__.
maintained by members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`_.

Given a simple configuration file and an example HTTP request, syntribos
can replace any API URL, URL parameter, HTTP header and request body
field with a given set of strings. Syntribos iterates through each position
in the request automatically. Syntribos aims to automatically detect common
security defects such as SQL injection, LDAP injection, buffer overflow, etc. In
addition, syntribos can be used to help identify new security defects
security defects such as SQL injection, LDAP injection, buffer overflow, etc.
In addition, syntribos can be used to help identify new security defects
by automated fuzzing.

Syntribos has the capability to test any API, but is designed with
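Review bot: changing the trailing `__` to `_` on the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>` link turns an anonymous hyperlink into a named one, so docutils now registers "OpenStack Security Project" as an explicit target; a later use of that link text with a different URL in the same file produces a duplicate-target warning, and nothing in this hunk references the name again. The anonymous form (`__`) is the conventional choice for a one-off embedded URI, so keep the original `__` here. The re-wrap of "etc. In / addition" onto "etc. / In addition" is fine.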
@ -67,11 +67,10 @@ Syntribos has the capability to test any API, but is designed with
List of Tests
~~~~~~~~~~~~~

Syntribos is shipped with batteries included, which means, with minimal
configuration effort you can initiate automated testing of any API of
your choice. If testing OpenStack API is in your mind, then syntribos
by default will help you in automatically downloading a set of templates
of some of the bigger OpenStack projects like nova, neutron, keystone etc.
With syntribos, you can initiate automated testing of any API with minimal
configuration effort. Syntribos is ideal for testing the OpenStack API as it
will help you in automatically downloading a set of templates of some of the
bigger OpenStack projects like nova, neutron, keystone, etc.

A short list of tests that can be run using syntribos is given below:
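Review bot: the rewritten paragraph drops the "by default" qualifier that the original carried, and "Syntribos is ideal for testing the OpenStack API" is a claim the README did not make before; "the OpenStack API" is also singular where the next line lists several projects (nova, neutron, keystone), each with its own API. Suggest keeping the factual statement, for example: "Syntribos is well suited to testing OpenStack APIs: by default it downloads a set of request templates for some of the larger OpenStack projects (nova, neutron, keystone, etc.)."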
@ -83,7 +82,7 @@ A short list of tests that can be run using syntribos is given below:
* SQL Injection
* String Validation
* XML External Entity
* Cross Site Scripting ( XSS )
* Cross Site Scripting (XSS)
* Regex Denial of Service (ReDoS)
* JSON Parser Depth Limit
* User Defined

@ -91,88 +90,79 @@ A short list of tests that can be run using syntribos is given below:
Buffer Overflow
---------------

The idea of `buffer overflow attacks`_ in the context of a web application
is to force an application to handle more data than it can hold in a buffer.
In syntribos a buffer overflow test is attempted by injecting a large
`Buffer overflow`_ attacks, in the context of a web application,
force an application to handle more data than it can hold in a buffer.
In syntribos, a buffer overflow test is attempted by injecting a large
string into the body of an HTTP request.

Command Injection
-----------------

`Command injection attacks`_ are done by injecting arbitrary commands in an
`Command injection`_ attacks are done by injecting arbitrary commands in an
attempt to execute these commands on a remote system. In syntribos, this is
achieved by injecting a set of strings that have been proven to be successful
in executing a command injection attacks.
achieved by injecting a set of strings that have been proven as successful
executors of injection attacks.

CORS Wildcard
-------------

`CORS wildcard test`_ is used to verify if a web server allows cross-domain
resource sharing from any external URL ( wild carding of
`Access-Control-Allow-Origin` header) rather than a white list of URLs.
`CORS wildcard`_ tests are used to verify if a web server allows cross-domain
resource sharing from any external URL (wild carding of
`Access-Control-Allow-Origin` header), rather than a white list of URLs.

Integer Overflow
----------------

`Integer overflow test`_ in syntribos attempts to inject numeric values that
the remote application may fail to represent within its storage, for example
a 32 bit integer type trying to store a 64 bit number
`Integer overflow`_ tests in syntribos attempt to inject numeric values that
the remote application may fail to represent within its storage. For example,
injecting a 64 bit number into a 32 bit integer type.

LDAP Injection
--------------

Syntribos attempts `LDAP injection attacks`_ by injecting LDAP statements
Syntribos attempts `LDAP injection`_ attacks by injecting LDAP statements
into HTTP requests; if an application fails to properly sanitize the
request content, it may be possible to execute arbitrary commands.

SQL Injection
-------------

`SQL injection attacks`_ are one of the most common web application attacks.
`SQL injection`_ attacks are one of the most common web application attacks.
If the user input is not properly sanitized, it is fairly easy to
execute SQL queries that may result in an attacker reading sensitive
information or gaining control of the SQL server. In syntribos
execute SQL queries that may result in an attacker reading sensitive
information or gaining control of the SQL server. In syntribos,
an application is tested for SQL injection vulnerabilities by injecting
SQL strings into the HTTP request.

String Validation
-----------------

String validation attacks in syntribos try to exploit the fact that
some string patterns are not sanitized effectively by the input
validator and may cause the application to crash. Examples of characters
that may cause string validation vulnerabilities are special unicode
characters, emojis etc.
Some string patterns are not sanitized effectively by the input validator and
may cause the application to crash. String validation attacks in syntribos
try to exploit this by inputting characters that may cause string validation
vulnerabilities. For example, special unicode characters, emojis, etc.

XML External Entity
-------------------

`XML external entity attacks`_ are attacks that targets the web
application's XML parser. If an XML parser allows processing of
external entities referenced in an XML document then an attacker
might be able to cause denial of service, leakage of information etc.
Syntribos tries to inject a few malicious strings into an XML body
while sending requests to an application in an attempt to obtain an
appropriate response.
`XML external entity`_ attacks target the web application's XML parser.
If an XML parser allows processing of external entities referenced in an
XML document then an attacker might be able to cause a denial of service,
or leakage of information, etc. Syntribos tries to inject a few malicious
strings into an XML body while sending requests to an application in an
attempt to obtain an appropriate response.

Cross Site Scripting (XSS)
----------------------------

An `XSS`_ attack is one where malicious JavaScript is injected into a web
`XSS`_ attacks inject malicious JavaScript into a web
application. Syntribos tries to find potential XSS issues by injecting
string containing "script" and other HTML tags into request fields.

Other than these built-in tests, you can extend syntribos by writing
your own custom tests. To do this, download the source code and look at
the tests in ``syntribos/tests`` directory. The CORS test may be an easy
one to emulate. In the same way, users can add different extensions also
to the tests. To see how extensions can be written please see
``syntribos/extensions`` directory.

Regex Denial of Service (ReDoS)
-------------------------------

A `ReDoS`_ attack is one that attempts to produce a denial of service by
`ReDoS`_ attacks attempt to produce a denial of service by
providing a regular expression that takes a very long time to evaluate.
This can cause the regex engine to backtrack indefinitely, which can
slow down some parsers or even cause a processing halt. The attack
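Review bot: the new Command Injection wording "strings that have been proven as successful executors of injection attacks" reads worse than the sentence it replaces, and the sentence it replaces had its own grammar slip ("a command injection attacks"); suggest "achieved by injecting a set of strings known to trigger command injection." Two context lines in this hunk deserve a fix while the text is being reworked: the LDAP Injection paragraph ends with "it may be possible to execute arbitrary commands", but LDAP injection alters the directory query (the search filter) rather than running commands, so "it may be possible to alter the LDAP query, for example to bypass authentication or read directory entries the client should not see" would be accurate; and the XSS line "injecting string containing "script"" should read "injecting strings containing". In the XML External Entity rewrite, "a denial of service, or leakage of information, etc." stacks "or" on "etc."; drop one of them.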
@ -200,13 +190,20 @@ Example::
payload=<payload_file>
failure_strings=<[list_of_failure_strings] # optional

.. _buffer overflow attacks: https://en.wikipedia.org/wiki/Buffer_overflow
.. _Command injection attacks: https://www.owasp.org/index.php/Command_Injection
.. _CORS wildcard test: https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)
.. _Integer overflow test: https://en.wikipedia.org/wiki/Integer_overflow
.. _LDAP injection attacks: https://www.owasp.org/index.php/LDAP_injection
.. _SQL injection attacks: https://www.owasp.org/index.php/SQL_Injection
.. _XML external entity attacks: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Other than these built-in tests, you can extend syntribos by writing
your own custom tests. To do this, download the source code and look at
the tests in the ``syntribos/tests`` directory. The CORS test may be an easy
one to emulate. In the same way, you can also add different extensions
to the tests. To see how extensions can be written please see the
``syntribos/extensions`` directory.

.. _buffer overflow: https://en.wikipedia.org/wiki/Buffer_overflow
.. _Command injection: https://www.owasp.org/index.php/Command_Injection
.. _CORS wildcard: https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)
.. _Integer overflow: https://en.wikipedia.org/wiki/Integer_overflow
.. _LDAP injection: https://www.owasp.org/index.php/LDAP_injection
.. _SQL injection: https://www.owasp.org/index.php/SQL_Injection
.. _XML external entity: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
.. _XSS: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
.. _ReDoS: https://en.wikipedia.org/wiki/ReDoS
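Review bot: the context line `failure_strings=<[list_of_failure_strings] # optional` is missing the closing `>` that `payload=<payload_file>` has on the line above; since this commit reworks the surrounding text, fix the placeholder to `failure_strings=<[list_of_failure_strings]> # optional`. The renamed targets themselves are fine: reStructuredText reference names are case-insensitive, so `Buffer overflow`_ in the body resolves to `.. _buffer overflow:` here, and each remaining body reference in the previous hunk (`Command injection`, `CORS wildcard`, `Integer overflow`, `LDAP injection`, `SQL injection`, `XML external entity`) has a matching target in this list. Moving the "Other than these built-in tests" paragraph down past the ReDoS section so it follows all the test descriptions is an improvement.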
@ -219,7 +216,6 @@ Example::
* `Bugs`_
* `Source code`_


Supported Operating Systems
~~~~~~~~~~~~~~~~~~~~~~~~~~~


@ -26,14 +26,14 @@ Syntribos, An Automated API Security Testing Tool

Syntribos is an open source automated API security testing tool that is
maintained by members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`__.
maintained by members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`_.

Given a simple configuration file and an example HTTP request, syntribos
can replace any API URL, URL parameter, HTTP header and request body
field with a given set of strings. Syntribos iterates through each position
in the request automatically. Syntribos aims to automatically detect common
security defects such as SQL injection, LDAP injection, buffer overflow, etc. In
addition, syntribos can be used to help identify new security defects
security defects such as SQL injection, LDAP injection, buffer overflow, etc.
In addition, syntribos can be used to help identify new security defects
by automated fuzzing.

Syntribos has the capability to test any API, but is designed with
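Review bot: same issue as in the first file's copy of this hunk above: the `__` to `_` change on the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>` link makes an anonymous hyperlink a named target that nothing else references; keep `__` for a one-off embedded URI.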
@ -42,11 +42,10 @@ Syntribos has the capability to test any API, but is designed with
List of Tests
~~~~~~~~~~~~~

Syntribos is shipped with batteries included, which means, with minimal
configuration effort you can initiate automated testing of any API of
your choice. If testing OpenStack API is in your mind, then syntribos
by default will help you in automatically downloading a set of templates
of some of the bigger OpenStack projects like nova, neutron, keystone etc.
With syntribos, you can initiate automated testing of any API with minimal
configuration effort. Syntribos is ideal for testing the OpenStack API as it
will help you in automatically downloading a set of templates of some of the
bigger OpenStack projects like nova, neutron, keystone, etc.

A short list of tests that can be run using syntribos is given below:
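Review bot: as in the first file above, the rewritten paragraph loses the "by default" qualifier and adds the unsupported "ideal for testing the OpenStack API" claim while listing several projects that each expose their own API; use the same factual wording suggested there ("Syntribos is well suited to testing OpenStack APIs: by default it downloads a set of request templates for some of the larger OpenStack projects (nova, neutron, keystone, etc.).") so the two files stay identical.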
@ -58,7 +57,7 @@ A short list of tests that can be run using syntribos is given below:
* SQL Injection
* String Validation
* XML External Entity
* Cross Site Scripting ( XSS )
* Cross Site Scripting (XSS)
* Regex Denial of Service (ReDoS)
* JSON Parser Depth Limit
* User Defined

@ -66,88 +65,79 @@ A short list of tests that can be run using syntribos is given below:
Buffer Overflow
---------------

The idea of `buffer overflow attacks`_ in the context of a web application
is to force an application to handle more data than it can hold in a buffer.
In syntribos a buffer overflow test is attempted by injecting a large
`Buffer overflow`_ attacks, in the context of a web application,
force an application to handle more data than it can hold in a buffer.
In syntribos, a buffer overflow test is attempted by injecting a large
string into the body of an HTTP request.

Command Injection
-----------------

`Command injection attacks`_ are done by injecting arbitrary commands in an
`Command injection`_ attacks are done by injecting arbitrary commands in an
attempt to execute these commands on a remote system. In syntribos, this is
achieved by injecting a set of strings that have been proven to be successful
in executing a command injection attacks.
achieved by injecting a set of strings that have been proven as successful
executors of injection attacks.

CORS Wildcard
-------------

`CORS wildcard test`_ is used to verify if a web server allows cross-domain
resource sharing from any external URL ( wild carding of
`Access-Control-Allow-Origin` header) rather than a white list of URLs.
`CORS wildcard`_ tests are used to verify if a web server allows cross-domain
resource sharing from any external URL (wild carding of
`Access-Control-Allow-Origin` header), rather than a white list of URLs.

Integer Overflow
----------------

`Integer overflow test`_ in syntribos attempts to inject numeric values that
the remote application may fail to represent within its storage, for example
a 32 bit integer type trying to store a 64 bit number
`Integer overflow`_ tests in syntribos attempt to inject numeric values that
the remote application may fail to represent within its storage. For example,
injecting a 64 bit number into a 32 bit integer type.

LDAP Injection
--------------

Syntribos attempts `LDAP injection attacks`_ by injecting LDAP statements
Syntribos attempts `LDAP injection`_ attacks by injecting LDAP statements
into HTTP requests; if an application fails to properly sanitize the
request content, it may be possible to execute arbitrary commands.

SQL Injection
-------------

`SQL injection attacks`_ are one of the most common web application attacks.
`SQL injection`_ attacks are one of the most common web application attacks.
If the user input is not properly sanitized, it is fairly easy to
execute SQL queries that may result in an attacker reading sensitive
information or gaining control of the SQL server. In syntribos
execute SQL queries that may result in an attacker reading sensitive
information or gaining control of the SQL server. In syntribos,
an application is tested for SQL injection vulnerabilities by injecting
SQL strings into the HTTP request.

String Validation
-----------------

String validation attacks in syntribos try to exploit the fact that
some string patterns are not sanitized effectively by the input
validator and may cause the application to crash. Examples of characters
that may cause string validation vulnerabilities are special unicode
characters, emojis etc.
Some string patterns are not sanitized effectively by the input validator and
may cause the application to crash. String validation attacks in syntribos
try to exploit this by inputting characters that may cause string validation
vulnerabilities. For example, special unicode characters, emojis, etc.

XML External Entity
-------------------

`XML external entity attacks`_ are attacks that targets the web
application's XML parser. If an XML parser allows processing of
external entities referenced in an XML document then an attacker
might be able to cause denial of service, leakage of information etc.
Syntribos tries to inject a few malicious strings into an XML body
while sending requests to an application in an attempt to obtain an
appropriate response.
`XML external entity`_ attacks target the web application's XML parser.
If an XML parser allows processing of external entities referenced in an
XML document then an attacker might be able to cause a denial of service,
or leakage of information, etc. Syntribos tries to inject a few malicious
strings into an XML body while sending requests to an application in an
attempt to obtain an appropriate response.

Cross Site Scripting (XSS)
----------------------------

An `XSS`_ attack is one where malicious JavaScript is injected into a web
`XSS`_ attacks inject malicious JavaScript into a web
application. Syntribos tries to find potential XSS issues by injecting
string containing "script" and other HTML tags into request fields.

Other than these built-in tests, you can extend syntribos by writing
your own custom tests. To do this, download the source code and look at
the tests in ``syntribos/tests`` directory. The CORS test may be an easy
one to emulate. In the same way, users can add different extensions also
to the tests. To see how extensions can be written please see
``syntribos/extensions`` directory.

Regex Denial of Service (ReDoS)
-------------------------------

A `ReDoS`_ attack is one that attempts to produce a denial of service by
`ReDoS`_ attacks attempt to produce a denial of service by
providing a regular expression that takes a very long time to evaluate.
This can cause the regex engine to backtrack indefinitely, which can
slow down some parsers or even cause a processing halt. The attack
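Review bot: same remarks as on the first file's copy of this hunk: "proven as successful executors of injection attacks" should become "known to trigger command injection", the LDAP Injection paragraph should describe altering the LDAP query rather than executing arbitrary commands, "injecting string containing" should read "injecting strings containing", and "a denial of service, or leakage of information, etc." should lose either the "or" or the "etc."; apply the same fixes here so the two files do not drift.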
@ -175,13 +165,20 @@ Example::
payload=<payload_file>
failure_strings=<[list_of_failure_strings] # optional

.. _buffer overflow attacks: https://en.wikipedia.org/wiki/Buffer_overflow
.. _Command injection attacks: https://www.owasp.org/index.php/Command_Injection
.. _CORS wildcard test: https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)
.. _Integer overflow test: https://en.wikipedia.org/wiki/Integer_overflow
.. _LDAP injection attacks: https://www.owasp.org/index.php/LDAP_injection
.. _SQL injection attacks: https://www.owasp.org/index.php/SQL_Injection
.. _XML external entity attacks: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Other than these built-in tests, you can extend syntribos by writing
your own custom tests. To do this, download the source code and look at
the tests in the ``syntribos/tests`` directory. The CORS test may be an easy
one to emulate. In the same way, you can also add different extensions
to the tests. To see how extensions can be written please see the
``syntribos/extensions`` directory.

.. _buffer overflow: https://en.wikipedia.org/wiki/Buffer_overflow
.. _Command injection: https://www.owasp.org/index.php/Command_Injection
.. _CORS wildcard: https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)
.. _Integer overflow: https://en.wikipedia.org/wiki/Integer_overflow
.. _LDAP injection: https://www.owasp.org/index.php/LDAP_injection
.. _SQL injection: https://www.owasp.org/index.php/SQL_Injection
.. _XML external entity: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
.. _XSS: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
.. _ReDoS: https://en.wikipedia.org/wiki/ReDoS
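Review bot: the `failure_strings=<[list_of_failure_strings] # optional` context line is missing its closing `>` here as well (compare `payload=<payload_file>` on the line above); fix it in both files in this commit. The renamed link targets resolve for the same reason as in the first file: reStructuredText reference names are case-insensitive, so `Buffer overflow`_ matches `.. _buffer overflow:` and the other renamed references each have a target in this list.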
@ -194,7 +191,6 @@ Example::
* `Bugs`_
* `Source code`_


Supported Operating Systems
~~~~~~~~~~~~~~~~~~~~~~~~~~~
