purpleteam
Create API SUT and test
SUT Resources
Mentioned by Nicholas Tolstoshev on #project-zap of OWASP Slack
- https://github.com/OWASP/crAPI
- https://github.com/kaakaww
Mentioned by @ricekot on #project-zap of OWASP Slack
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://github.com/righettod/poc-graphql
- https://github.com/kaakaww/vuln-graphql-api
- Others: https://github.com/search?q=graphql+vulnerable
Mentioned by @kingthorin_rm on #project-zap of OWASP Slack
- https://owasp.org/www-project-vulnerable-web-applications-directory/
Mentioned by @Kinnaird McQuade on #project-zap of OWASP Slack
- REST: http://www.webscantest.com/rest/demo/
- SOAP: http://www.webscantest.com/soap/demo/api/index.php?wsdl
Todo
- [x] Make sure NodeGoat runs locally on the `compose_pt-net` network and you have run local Test Runs with PurpleTeam successfully against NodeGoat locally
- [ ] Create ordered list/matrix (Google doc or markdown table in this issue) of purposely vulnerable APIs with their attributes so that we can decide which one to use first. This should be a simple task of evaluating which APIs are most fit for the purpose. I provided details of what we're looking for here. The SUT should also obviously have as many vulnerabilities as possible for PurpleTeam via Zaproxy to find. Once this is done, we'll make a decision as to which API to start with
- [ ] Test that the API SUT works locally
- [ ] Test all of the API end-points and set up authentication - all using Zaproxy on the desktop
- [ ] Make sure the API SUT that we choose runs locally on the `compose_pt-net` network and you have run local Test Runs with PurpleTeam successfully against the API SUT locally. Now we know we're completely happy with the API SUT
- [ ] You will need to provide a docker-compose.override.yml
- [ ] You may need to provide some other replacement files, for example we have a db-reset.js for NodeGoat which simply has a different set of passwords in it
- [ ] Add the API SUT to purpleteam-iac-sut
- [ ] Once the API SUT is added, if you want to do your own deploy, you'll need an AWS account and a cheap throwaway domain on CloudFlare, otherwise we can just do the deploy (`terragrunt apply`) for you. If you do decide you want to get a cheap domain and free AWS account, you'll also need to work out how to persist your Terraform state; we do this on Terraform Cloud (free), but you could just as easily do it locally, it really doesn't matter how you do it
- [ ] Once the API SUT is deployed to AWS do a Test Run to confirm everything is working as expected. If you decided to get a cheap CloudFlare domain and free AWS account you can do this, otherwise we can easily do it
- [ ] For this you will need an API Job file, when you get here, we will either help you create one or just provide one
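An added example of the docker-compose.override.yml mentioned in the Todo list above (this is not purpleteam's or any SUT's own file): it attaches a placeholder SUT service to the existing `compose_pt-net` network so the PurpleTeam containers can reach it. The service name, image and port are assumptions and must be replaced with the values from the chosen SUT's own compose file.

```yaml
# Added example, not purpleteam's own file.
# Overrides the SUT's docker-compose.yml so its API service joins the
# pre-existing compose_pt-net network that PurpleTeam runs on locally.
services:
  api-sut:                                # placeholder: service name from the SUT's compose file
    image: example/vulnerable-api:latest  # placeholder: the SUT's image
    networks:
      - pt-net                            # join the shared network defined below
    ports:
      - "3000:3000"                       # placeholder: port the SUT listens on

networks:
  pt-net:
    external: true                        # the network already exists; do not create it
    name: compose_pt-net                  # network named in the Todo list
```

Run it alongside the SUT's own compose file with `docker compose -f docker-compose.yml -f docker-compose.override.yml up`; replacement files such as a db-reset.js with different passwords can be mounted or copied into the image the same way.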
API types we need to support
- ImportUrls
- OpenApi
- Soap
- GraphQl
Authentication Strategies
Basically anything, or as many as possible of what Zaproxy supports; there are quite a few Zap resources now. Google does well at listing them.
- https://www.zaproxy.org/docs/api/#getting-authenticated (you've seen this one), I think this covers all, or at least most
- Some details that Simon (Zaproxy Lead) put together: https://docs.google.com/document/d/1LSg8CMb4LI5yP-8jYDTVJw1ZIJD2W_WDWXLtJNk3rsQ/edit# I haven't spent much time in here, don't get bogged down in this
- As per docs: https://purpleteam-labs.com/doc/jobfile/api/
- Source code is here: https://github.com/purpleteam-labs/purpleteam-app-scanner/tree/main/src/sUtAndEmissaryStrategies/3_emissaryAuthentication there can be many here; don't get hung up on this code as it's not really relevant to you, but more so to Build Users
- High level doc here: https://purpleteam-labs.com/doc/next-steps/#3-emissaryauthentication
Basically we want to support as many as possible.
OpenAPI | SOAP | GraphQL | Import URLs | Script Based Authentication | JSON Based Authentication | HTTP/NTLM based authentication | Active (recent commits or active PRs/issues) | Stars | Pull Requests | Issues | Contributors (main/minor) | Tested Locally | Comments
---|---|---|---|---|---|---|---|---|---|---|---|---|---
crAPI | ✓ | ✓ | ✓ | 249 | 3 (51 closed) | 6 (21 closed) | 1 main / 6 | ✓ |
juice-shop | ✓ | ✓ | ✓ | ✓ | 7000 | 0 (1121 closed) | 2 (708 closed) | 14 main / 77 | ✓ |
Damn-Vulnerable-GraphQL-Application | ✓ | ✓ | ✓ | ✓ | 1000 | 0 (38 closed) | 1 (18 closed) | 2 main / 1 | https://notepad.pw/code/5pa89yk6 as described in Slack |
vuln-graphql-ruby | ✓ | ✓ | ✓ (apr'21) | 0 | 4 (0 closed) | 0 (0 closed) | 2 main |
poc-graphql | ✓ | ✓ (sep'20) | 339 | 0 | 0 | 1 main |
VAmPI | ✓ | ✓ | ✓ | ✓ | 275 | 0 (12 closed) | 1 (7 closed) | 2 main / 1 | ✓ |
Vulnerable-Web-Services | ✓ | ✓ | No | 6 | 0 | 0 | 1 main |
vulny-spring-soap-api | ✓ | ✓ | ✓ | No | 0 | 0 | 0 | 2 main |
vulnerable-graphql-api | ✓ | ✓ | ✓ | No | 36 | 0 | 0 | 2 main |
Pixi | ✓ | ✓ | ✓ | No | 54 | 2 (2 closed) | 23 (7 closed) | 2 main |
parabank | ✓ | ✓ | Yes | 31 | 30 (29 closed) | 3 (3 closed) | 2 main |