
Scan api using swagger description #3140

Open
burtsevyg opened this issue Jun 9, 2018 · 21 comments

@burtsevyg

Do you have an idea for a solution?

Scan api using swagger description.

How can we reproduce the issue?

  1. Read api description from swagger
  2. Scan backend api
@stamparm (Member)

stamparm commented Jun 9, 2018

Can you please give some quick info/introduction on what this would provide compared to the current situation and/or compared to other xyz frameworks?

@stamparm (Member)

ping?

@alexk307

I want this too. Willing to write this if the project wants it.

Swagger is an API documentation and testing tool that a lot of folks in the industry are using right now. From a SQL injection perspective, it would be nice to be able to read in the Swagger document (in .toml) and generate the URIs and their respective parameters to test.

@stamparm (Member)

@alexk307 I am open to this. If you can at least provide a decent template and a "howto" on using it, I could further adapt it.

@stamparm (Member)

stamparm commented Sep 1, 2018

@alexk307 ping?

@burtsevyg (Author)

@stamparm (Member)

stamparm commented Sep 1, 2018

Any example? Like, something to work with?

@alexk307

alexk307 commented Sep 7, 2018

@stamparm sorry for the delay, I was working on this before but got sidetracked. I'm going to try to write something up

@alexk307

alexk307 commented Sep 7, 2018

In the meantime, you can look at a sample Swagger schema that they provide here

@stamparm (Member)

This whole issue can go down two tracks, as I am not sure whether @burtsevyg wanted the sqlmap API (REST-JSON) to be "swagged" or for sqlmap to accept a swag definition for some third-party service.

Anyway, for a start I decided to work on "swagging" the sqlmap API (REST-JSON) interface. Later on I could work on the second option.

Will commit the initial version of swagger.yaml this moment

stamparm added a commit that referenced this issue Nov 15, 2018
@benj56

benj56 commented Jun 25, 2019

I think both asked for the ability to read their Swagger definition in order to scan their APIs, not a Swagger file for the sqlmap API.

It would be great if that was possible, I'm trying to use sqlmap that way and I suppose there are many companies that have their API definition in Swagger and are looking to test their API with sqlmap.

@rrjanbiah

@benj56 Exactly, to rephrase, I think, we need something like below:

python sqlmap.py --swagger-uri https://petstore.swagger.io/v2/swagger.json

This switch should then parse the given swagger spec and try to inject each and every API endpoint.

@stamparm (Member)

@benj56 @rrjanbiah

A) how to provide parameter values in such case(s)? I bet there would be new issues where users complain about sqlmap's non-automatic behavior in filling values
B) YAML or JSON? Swagger itself is not clear on a format or a standard. Deprecations and format changes are everywhere
C) I could implement (e.g.) support for JSON up to some point, but there are some really complex cases to cover. Not sure if it is worth the trouble

@rrjanbiah

@stamparm

Apologies for the delay.

A) how to provide parameter values in such case(s)? I bet that there would be new issues where users would complain about non-automatic sqlmap behavior in filling values

Parameter information & authorization information are already available in Swagger. For example, you may check http://editor.swagger.io/ where these details are parsed and displayed in a UI

B) YAML or JSON? Swagger itself is not clear with a format nor standard. Deprecations and format changes are everywhere

Swagger has different versions. To handle them, it may be enough to wrap their libraries

C) I could implement (e.g.) support for JSON up to some point, but, there are some really complex cases to cover. Not sure if worth the trouble

Thank you. It may be simple if you use an existing parser; referring to the implementation of http://editor.swagger.io/ may make it easier.

@stamparm (Member)

stamparm commented Jul 2, 2019

A) Parameter information & authorization information are already available in Swagger. For example, you may check http://editor.swagger.io/ where these details are parsed and displayed in a UI <- I am still asking what the workflow should be. http://editor.swagger.io/ expects the user to provide parameter values. I am pretty sure that a "pen tester" won't be able to provide, nor will he want to enter, all the data himself.
B) I went to swagger and found literally 20 different libraries. It is a mess, to say the least. Attaching the screenshot
C) http://editor.swagger.io/ is just a dummy editor. Please forget about it when talking about sqlmap's workflow


@stamparm (Member)

stamparm commented Jul 2, 2019

All in all, as this whole swagger thing is such a mess and I am pretty sure that the people from Swagger are aware of it (who makes 3 totally different "standard" propositions in a couple of years??? - answer: nobody serious), if I am going to create any kind of support, it is going to be a "Rube Goldberg" machine

@rrjanbiah

A) Parameter information & authorization information are already available in Swagger. For example, you may check http://editor.swagger.io/ where these details are parsed and displayed in a UI

I am still asking what the workflow should be. http://editor.swagger.io/ expects the user to provide parameter values. I am pretty sure that a "pen tester" won't be able to provide, nor will he want to enter, all the data himself.

Of course. I was referring to the project only to highlight how they've parsed Swagger spec.

B) I went to swagger and found literally 20 different libraries. It is a mess, to say the least. Attaching the screenshot
C) http://editor.swagger.io/ is just a dummy editor. Please forget about it when talking about sqlmap's workflow

All in all, as this whole swagger thing is such a mess and I am pretty sure that the people from Swagger are aware of it (who makes 3 totally different "standard" propositions in a couple of years??? - answer: nobody serious), if I am going to create any kind of support, it is going to be a "Rube Goldberg" machine

At least, AFAIK, most REST-based projects use Swagger/OpenAPI as a de facto standard. So, when trying to use sqlmap, it might be easier to feed only the swagger spec and have the attack vectors processed for all related endpoints.

In case you feel it is too much to handle inside sqlmap, you may spin off a sister project. I'll also try to open a ticket in the Swagger project about it.

@smoyer64

I would also love to have this feature ... I think using swagger is a great way to enumerate what URLs should be tested but it also provides clues as to what input might be exploitable. Path parameters are one example - in the sqlmap examples, it shows .../mysql/get_int.php?id=1 but for a REST service, you'll commonly see something like .../mysql/integers/1 where the 1 is in fact the id (and what you'd want to test for injection). Input can also be passed as (effectively) form data in JSON, YML or CSV documents sent to the server via a POST.

We generate Swagger definitions for our REST APIs so it would be great to reuse them during security testing.
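As an added example of what the pre-processor the commenters are asking for would have to do (this is not sqlmap's code and not anything posted in this thread): read a Swagger 2.0 document, fill every parameter from the spec's own example/default/enum hints or, failing that, a type-based placeholder (stamparm's question A), append sqlmap's `*` custom injection marker after path parameters so the `/integers/1` case smoyer64 describes is actually tested, and emit the ordinary `-u`/`--method`/`--data`/`-H` switches sqlmap already has. The `--swagger-uri` switch proposed above does not exist in sqlmap and is not assumed. The spec below is constructed inline, loosely modelled on the petstore example, and is not the real document served by petstore.swagger.io; only Swagger 2.0 JSON with local `#/definitions/` references is handled (OpenAPI 3 uses `servers` and `requestBody` instead and would need a separate code path).

```python
"""Generate sqlmap targets from a Swagger 2.0 description (added example)."""
import json
from urllib.parse import urlencode

# Constructed sample spec; NOT the real petstore document.
SAMPLE_SPEC = json.loads(r"""
{"swagger": "2.0", "host": "api.example.test", "basePath": "/v2", "schemes": ["https"],
 "paths": {
   "/pet/{petId}": {"get": {"parameters": [
       {"name": "petId", "in": "path", "required": true, "type": "integer"}]}},
   "/pet/findByStatus": {"get": {"parameters": [
       {"name": "status", "in": "query", "type": "string", "enum": ["available", "sold"]},
       {"name": "limit", "in": "query", "type": "integer", "default": 10}]}},
   "/user": {"post": {"consumes": ["application/json"], "parameters": [
       {"name": "body", "in": "body", "schema": {"$ref": "#/definitions/User"}}]}}},
 "definitions": {"User": {"type": "object", "properties": {
     "id": {"type": "integer", "example": 7},
     "username": {"type": "string"},
     "tags": {"type": "array", "items": {"type": "string"}}}}}}
""")

# Fallbacks when the spec gives no example/default/enum. sqlmap only needs a
# syntactically valid request to start testing, so a type-appropriate
# placeholder is enough; a tester overrides them with real data if needed.
PLACEHOLDERS = {"integer": 1, "number": 1.0, "boolean": True, "string": "test"}


def resolve_ref(spec, schema):
    """Follow local '#/definitions/X' references (the only kind supported here)."""
    while "$ref" in schema:
        ref = schema["$ref"]
        if not ref.startswith("#/"):
            raise ValueError(f"unsupported external $ref: {ref}")
        node = spec
        for part in ref[2:].split("/"):
            node = node[part]
        schema = node
    return schema


def sample_value(spec, schema):
    """Derive a sample value for a parameter or schema, preferring spec hints."""
    schema = resolve_ref(spec, schema)
    for key in ("example", "default"):
        if key in schema:
            return schema[key]
    if schema.get("enum"):
        return schema["enum"][0]
    typ = schema.get("type", "object" if "properties" in schema else "string")
    if typ == "object":
        return {name: sample_value(spec, sub)
                for name, sub in schema.get("properties", {}).items()}
    if typ == "array":
        return [sample_value(spec, schema.get("items", {"type": "string"}))]
    return PLACEHOLDERS.get(typ, "test")


def targets_from_spec(spec):
    """One target per HTTP operation: method, full URL, optional body."""
    base = f"{spec.get('schemes', ['https'])[0]}://{spec['host']}{spec.get('basePath', '')}"
    targets = []
    for path, operations in spec["paths"].items():
        for method, op in operations.items():
            if method not in ("get", "post", "put", "patch", "delete"):
                continue  # skip path-level "parameters", vendor extensions, etc.
            url, query, form, body = path, {}, {}, None
            for p in op.get("parameters", []):
                if p["in"] == "path":
                    # sqlmap does not test URL path segments unless marked; '*'
                    # after the value declares a custom injection point.
                    url = url.replace("{%s}" % p["name"], f"{sample_value(spec, p)}*")
                elif p["in"] == "query":
                    query[p["name"]] = sample_value(spec, p)  # tested by default
                elif p["in"] == "formData":
                    form[p["name"]] = sample_value(spec, p)
                elif p["in"] == "body":
                    body = json.dumps(sample_value(spec, p["schema"]))
                # header params (e.g. auth) are left to the tester's own -H switch
            if query:
                url += "?" + urlencode(query)
            targets.append({"method": method.upper(), "url": base + url,
                            "data": body if body is not None else (urlencode(form) or None),
                            "json": body is not None})
    return targets


def sqlmap_args(target):
    """Real sqlmap switches for one target."""
    args = ["-u", target["url"], "--method", target["method"]]
    if target["data"]:
        args += ["--data", target["data"]]
        if target["json"]:  # sqlmap detects JSON in --data and tests its values
            args += ["-H", "Content-Type: application/json"]
    return args


if __name__ == "__main__":
    for t in targets_from_spec(SAMPLE_SPEC):
        print("python sqlmap.py", " ".join(sqlmap_args(t)))
```

Running the script prints one sqlmap command line per operation. Note that sqlmap's `-m` bulk file accepts URLs only, so operations with a body are better written out as raw HTTP requests and fed with `-r`; authorization headers, which Swagger may describe under `securityDefinitions`, are deliberately not synthesised here because a real token has to come from the tester anyway.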

@rrjanbiah

@smoyer64 Exactly. Like I mentioned in #3140 (comment), something like this might be helpful:

python sqlmap.py --swagger-uri https://petstore.swagger.io/v2/swagger.json

Though I am not quite sure and have not tried them, a quick Google search currently suggests that similar projects are available these days:

  1. https://github.com/ghsec/BBProfiles
  2. https://github.com/shayan-taheri/sqlmap?files=1
  3. https://github.com/flipkart-incubator/Astra

@stamparm (Member)

@rrjanbiah could you please elaborate what's useful on first two links? Second one is just a dummy fork of sqlmap, while first one is plain dummy

@stamparm (Member)

stamparm commented Jan 26, 2020

@rrjanbiah the third link FTW; in the case of Swagger it does this:

    import sys

    def parse_collection(collection_name, collection_type):
        # Only Postman collections are actually parsed; anything else
        # (i.e. Swagger) is rejected outright.
        if collection_type == 'Postman':
            parse_data.postman_parser(collection_name)
        else:  # swagger
            print("[-]Failed to Parse collection")
            sys.exit(1)

Hence, please restrain yourself from giving any more "advice"

@sqlmapproject sqlmapproject locked as spam and limited conversation to collaborators Jan 26, 2020