APIKit: Discovery, Scan and Audit APIs Toolkit All In One.

Introduction

APIKit is the first open-source project released by the APISecurity community.

APIKit is a BurpSuite extension built on the Java extender API that BurpSuite provides.

APIKit actively or passively scans for API documents that an application leaks (for example a Swagger/OpenAPI definition, a WSDL or a Spring Boot Actuator index) and parses each document into BurpSuite requests so that every API it describes can be used for API security testing.

APIKit in actual use (screenshot):

API technology fingerprint support

The API technology fingerprints supported by APIKit v1.0 are:

  • GraphQL
  • OpenAPI-Swagger
  • SpringbootActuator
  • SOAP-WSDL

More API fingerprints are being worked on:

  • REST-WADL
  • gRPC
  • UPnP
  • more mainstream API technologies...
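The passive fingerprinting step, as an added example in Python rather than APIKit's own Java code: one detector per technology in the v1.0 list, run over constructed sample responses. The heuristics (a JSON body with a swagger/openapi version key and a paths object, a HAL "_links" index naming Actuator endpoints, a GraphQL introspection result or the "Must provide query string" error, a WSDL definitions root element) are this example's assumptions about what each technology typically returns, not a statement of how APIKit matches them.

```python
"""Passive fingerprinting of the four API technologies APIKit v1.0 lists.

Added illustration, not APIKit's code. The heuristics below are the example's
own assumptions about what each technology typically returns.
"""
import json
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Actuator index (/actuator) is a HAL document whose _links names the endpoints.
ACTUATOR_ENDPOINTS = {"health", "env", "beans", "mappings", "heapdump", "threaddump", "loggers"}

# WSDL 1.1 root element, with or without a namespace prefix.
WSDL_ROOT = re.compile(
    r'<(?:\w+:)?definitions\b[^>]*xmlns(?::\w+)?="http://schemas\.xmlsoap\.org/wsdl/"'
)


def _json_body(resp):
    """Parse the body as JSON if it plausibly is one; otherwise return None."""
    text = resp.body.lstrip()
    if not text.startswith(("{", "[")):
        return None
    try:
        return json.loads(text)
    except ValueError:
        return None


def fingerprint(resp):
    """Return the API technologies the response matches, in a fixed order."""
    hits = []
    doc = _json_body(resp)
    if isinstance(doc, dict):
        # OpenAPI/Swagger: a version key plus a "paths" object.
        if ("swagger" in doc or "openapi" in doc) and isinstance(doc.get("paths"), dict):
            hits.append("OpenAPI-Swagger")
        # Spring Boot Actuator index: HAL "_links" listing known endpoints.
        links = doc.get("_links")
        if isinstance(links, dict) and ACTUATOR_ENDPOINTS & set(links):
            hits.append("SpringbootActuator")
        # GraphQL: an introspection result, or the error a GraphQL endpoint returns for an empty query.
        data, errors = doc.get("data"), doc.get("errors")
        if isinstance(data, dict) and "__schema" in data:
            hits.append("GraphQL")
        elif isinstance(errors, list) and any(
            isinstance(e, dict) and "query" in str(e.get("message", "")).lower() for e in errors
        ):
            hits.append("GraphQL")
    # SOAP: a WSDL document, whatever Content-Type the server chose.
    if WSDL_ROOT.search(resp.body):
        hits.append("SOAP-WSDL")
    return hits


# Constructed sample responses, one per technology plus a plain HTML page.
SAMPLES = {
    "swagger": Response("https://t.example/v2/api-docs", 200, {"Content-Type": "application/json"},
                        '{"swagger":"2.0","info":{"title":"pet"},"paths":{"/pet":{"get":{}}}}'),
    "actuator": Response("https://t.example/actuator", 200,
                         {"Content-Type": "application/vnd.spring-boot.actuator.v3+json"},
                         '{"_links":{"self":{"href":"https://t.example/actuator"},'
                         '"health":{"href":"https://t.example/actuator/health"},'
                         '"env":{"href":"https://t.example/actuator/env"}}}'),
    "graphql": Response("https://t.example/graphql", 400, {"Content-Type": "application/json"},
                        '{"errors":[{"message":"Must provide query string."}]}'),
    "wsdl": Response("https://t.example/ws/Hello?wsdl", 200, {"Content-Type": "text/xml"},
                     '<?xml version="1.0"?><wsdl:definitions name="Hello" '
                     'xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"></wsdl:definitions>'),
    "html": Response("https://t.example/index", 200, {"Content-Type": "text/html"},
                     "<html><body>hi</body></html>"),
}


def scan_samples(samples=SAMPLES):
    """Fingerprint each sample; this is the per-response step of a passive scan."""
    return {name: fingerprint(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, techs in scan_samples().items():
        print(f"{name:9s} -> {techs or ['(none)']}")
```

Note that the WSDL check deliberately ignores Content-Type: servers frequently serve WSDL as text/html or application/octet-stream, so matching on the body is what keeps the detector from missing leaked documents.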

Installation

Open BurpSuite, click Extender, select Extensions and add APIKit.jar. APIKit is a Java extension written against the legacy extender interfaces (burp.IBurpExtender, burp.IHttpRequestResponse), so it must be loaded as a Java extension, not as a Python or Ruby one. Once loaded, APIKit passively scans the traffic that passes through BurpSuite. When parsing finishes, the results can be viewed in the APIKit tab, and the BurpSuite Dashboard will also raise an issue.

Configuration

By default both options, Request (Auto Request Sending) and Cookie (Send with Cookie), are disabled.

Send with Cookie

Enabling Cookie stores the Cookie header of the captured request and keeps it in the requests that APIKit generates from the parsed API document, so the generated requests are sent in the same session as the original traffic.

Auto Request Sending

Enables sending requests to the discovered APIs. Before enabling API requests, you must be clear about the following:

1. This tool is intended only for legally authorized enterprise security work. If you need to test the tool's functionality, set up your own target environment.

2. When using this tool for testing, you must ensure that the activity complies with local laws and regulations and that you have obtained sufficient authorization. Do not send requests to targets you are not authorized to test.

3. If any illegal act occurs or any other loss is caused during your use of this tool, you bear the consequences yourself; we accept no legal or joint liability.

4. Before installing and using this tool, read every clause carefully and make sure you fully understand it. Limitation, exclusion and other clauses that concern your important rights may be highlighted in bold, underlined or similar form to draw your attention. Unless you have fully read, completely understood and accepted all terms of this agreement, do not install or use this tool. Your use of the tool, or any other express or implied indication that you accept this agreement, is deemed to mean that you have read and agreed to be bound by it.

With Auto Request Sending enabled, APIKit automatically runs authorization tests against the sub-APIs found in the document, so that APIs reachable without authorization are found quickly.
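The two configuration options above, as an added example in Python rather than APIKit's own Java code: a leaked Swagger 2.0 / OpenAPI 3 document is parsed into raw HTTP requests, the captured cookie is either kept (Send with Cookie) or dropped, and each operation is replayed without the cookie to find sub-APIs that still answer 2xx (Auto Request Sending). The petstore-like spec, the session cookie, the placeholder value for path parameters, the empty JSON body for write methods and the fake target are all constructed for the example; a real run sends to the target, which is why the authorization text above applies.

```python
"""Parse an OpenAPI/Swagger document into raw HTTP requests and replay them
with and without the captured cookie to spot unauthenticated access.

Added illustration, not APIKit's code. The sample spec, session cookie,
placeholder path-parameter value and fake target are constructed here.
"""
import json
from urllib.parse import urlsplit

WRITE_METHODS = {"POST", "PUT", "PATCH"}
HTTP_METHODS = WRITE_METHODS | {"GET", "DELETE", "HEAD", "OPTIONS"}


def build_requests(spec_url, spec_json, cookie=None):
    """Return [(method, path, raw_request)] for every operation in the spec.

    Swagger 2.0 keeps the prefix in basePath, OpenAPI 3 in servers[0].url;
    the Host comes from where the document itself was fetched."""
    doc = json.loads(spec_json)
    host = urlsplit(spec_url).netloc
    base = doc.get("basePath", "")
    if doc.get("servers"):
        base = urlsplit(doc["servers"][0].get("url", "")).path
    base = base.rstrip("/")

    requests = []
    for path, item in doc.get("paths", {}).items():
        shared = item.get("parameters", [])          # path-level parameters
        for method, op in item.items():
            method = method.upper()
            if method not in HTTP_METHODS:            # skips "parameters", "summary", ...
                continue
            full = base + path
            for p in shared + op.get("parameters", []):
                if p.get("in") == "path":
                    # Placeholder value (assumption); a real run would prefer the spec's examples.
                    full = full.replace("{%s}" % p["name"], str(p.get("example", 1)))
            lines = ["%s %s HTTP/1.1" % (method, full), "Host: " + host]
            if cookie:                                # Send with Cookie
                lines.append("Cookie: " + cookie)
            body = ""
            if method in WRITE_METHODS:
                body = "{}"                           # minimal JSON body (assumption)
                lines += ["Content-Type: application/json", "Content-Length: %d" % len(body)]
            requests.append((method, full, "\r\n".join(lines) + "\r\n\r\n" + body))
    return requests


def find_unauthenticated(spec_url, spec_json, cookie, send):
    """Auto Request Sending: send each operation with the captured cookie and
    again without it. An operation that answers 2xx without the cookie is a
    candidate unauthorized-access issue. `send(raw_request) -> status code`."""
    authed = build_requests(spec_url, spec_json, cookie)
    anon = build_requests(spec_url, spec_json, None)
    findings = []
    for (method, path, raw_a), (_, _, raw_n) in zip(authed, anon):
        status_auth, status_anon = send(raw_a), send(raw_n)
        if 200 <= status_anon < 300:
            findings.append((method, path, status_auth, status_anon))
    return findings


# Constructed Swagger 2.0 sample and a fake target that leaves only
# GET /v2/pet/{petId} open; everything else requires the session cookie.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "basePath": "/v2",
    "paths": {
        "/pet/{petId}": {
            "parameters": [{"name": "petId", "in": "path", "required": True}],
            "get": {}, "delete": {},
        },
        "/user/login": {"get": {}},
        "/store/order": {"post": {}},
    },
})
SPEC_URL = "https://petstore.example/v2/api-docs"
SESSION = "session=deadbeef"


def fake_target(raw):
    request_line, _, rest = raw.partition("\r\n")
    method, path, _ = request_line.split(" ")
    headers = rest.split("\r\n\r\n", 1)[0]
    if method == "GET" and path.startswith("/v2/pet/"):
        return 200
    return 200 if ("Cookie: " + SESSION) in headers else 401


def demo():
    return find_unauthenticated(SPEC_URL, SAMPLE_SPEC, SESSION, fake_target)


if __name__ == "__main__":
    for _, _, raw in build_requests(SPEC_URL, SAMPLE_SPEC, SESSION):
        print(raw.replace("\r\n", "\\r\\n"))
    print("unauthenticated:", demo())
```

Public endpoints will naturally show up in the findings too, so the result is a list of candidates to review, not confirmed vulnerabilities; comparing the authenticated and anonymous response bodies, not just status codes, is the usual next step when triaging them.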

Passive scan

By default, all traffic passing through BurpSuite is subjected to API detection, parsing and scanning.

Active scan

On any BurpSuite page where a right-click opens a context menu, right-click and choose Do API scan to launch an active scan against the selected request.
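What an active scan has to probe, as an added example in Python rather than APIKit's own Java code. The gateway case under the real-world cases below (/xxgateway/index led to /xxgateway/actuator) suggests that well-known document locations are tried at every directory level of the selected URL; that behaviour, and the list of document paths, are this example's assumptions. The target that answers only under /xxgateway/ is constructed.

```python
"""Candidate API-document locations for an active scan.

Added illustration, not APIKit's code; probing well-known document paths at
every directory level of the selected URL is assumed from the gateway case in
this README, and the path list is the example's own.
"""
from urllib.parse import urlsplit

# Well-known document locations per technology (assumed list).
DOC_PATHS = {
    "OpenAPI-Swagger": ["swagger-ui.html", "v2/api-docs", "v3/api-docs",
                        "swagger.json", "openapi.json", "api-docs"],
    "SpringbootActuator": ["actuator", "actuator/env", "actuator/mappings", "env", "mappings"],
    "GraphQL": ["graphql", "graphiql"],
    "SOAP-WSDL": ["?wsdl", "services"],
}


def candidate_urls(url, doc_paths=DOC_PATHS):
    """Return [(technology, url)] to probe, deepest directory level first,
    without duplicates. '?wsdl' is appended to the resource itself; every
    other name is placed under each directory prefix."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    seen, out = set(), []
    for depth in range(len(segs), -1, -1):
        prefix = "/" + "/".join(segs[:depth]) + ("/" if depth else "")
        for tech, names in doc_paths.items():
            for name in names:
                if name.startswith("?"):
                    path = (prefix.rstrip("/") or "/") + name
                else:
                    path = prefix + name
                full = "%s://%s%s" % (parts.scheme, parts.netloc, path)
                if full not in seen:
                    seen.add(full)
                    out.append((tech, full))
    return out


def active_scan(url, fetch, doc_paths=DOC_PATHS):
    """Probe each candidate with `fetch(url) -> status` and keep the ones that
    exist (2xx). Fingerprinting the returned bodies is the next step."""
    return [(tech, u) for tech, u in candidate_urls(url, doc_paths) if 200 <= fetch(u) < 300]


# Constructed target: a gateway that exposes Actuator under its own prefix only.
def fake_fetch(url):
    return 200 if urlsplit(url).path in ("/xxgateway/actuator", "/xxgateway/actuator/env") else 404


def demo():
    return active_scan("https://target.example/xxgateway/index", fake_fetch)


if __name__ == "__main__":
    for tech, u in demo():
        print(tech, u)
```

Walking from the deepest prefix to the root is what turns a single in-scope URL into the gateway's own Actuator index: a probe at the site root alone would have missed /xxgateway/actuator. The number of probes grows with path depth times the size of the list, so in a real scan the list is the main knob for staying polite to the target.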

Automatic API vulnerability scanning

Any tool that can be chained with BurpSuite can also be chained with APIKit, for example xray.

xray configuration

./xray_darwin_amd64 webscan --listen 127.0.0.1:7777 --html-output APIKit.html

BurpSuite configuration

Add 127.0.0.1:7777 as an upstream proxy server in BurpSuite (User options > Connections > Upstream Proxy Servers, with the destination host set to match the targets in scope). Every request BurpSuite sends, including the ones APIKit generates from parsed API documents, then passes through xray's listener and is scanned, with the results written to APIKit.html.

Real-world cases

  1. On an authorized engagement the site lived at /xxgateway/index; APIKit helped discover /xxgateway/actuator, which ultimately led to RCE.
  2. An SRC (vendor security response center) site used swagger; APIKit chained with xray enumerated every API and ultimately found multiple high and critical vulnerabilities.
  3. More white-box/black-box tests...

TODO

More API fingerprints

  • Jolokia
  • REST-WADL
  • gRPC
  • UPnP
  • 更多主流API技术...

More useful features

  • Fuzzing for authorization-bypass vulnerabilities
  • Detecting sensitive information in response bodies
  • Discovering APIs leaked in JavaScript files
  • Identifying common data-parsing libraries, such as Fastjson
  • More useful features...

Project

https://github.com/API-Security/APIKit

API Security is a community that shares everything related to API security: tools, vulnerable environments, books, technical articles, news, best-practice white papers and more.

The API Security knowledge-planet (Zhishi Xingqiu) group is permanently free; information-security enthusiasts interested in API security are welcome to learn and exchange ideas together.

Bugs, feature requests and PRs from the community are very welcome. Questions and suggestions are also welcome, and we will take them on board.

If you have more ideas, add WeChat yuligesec to chat.

Comments
  • Extension is not loading

    java.lang.ClassNotFoundException: burp.BurpExtender
    	at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:433)
    	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:586)
    	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:519)
    	at java.base/java.lang.Class.forName0(Native Method)
    	at java.base/java.lang.Class.forName(Class.java:466)
    	at burp.ab5.a(Unknown Source)
    	at burp.ab5.<init>(Unknown Source)
    	at burp.b__.a(Unknown Source)
    	at burp.gly.lambda$panelLoaded$0(Unknown Source)
    	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    	at java.base/java.lang.Thread.run(Thread.java:831)
    
    
    opened by br33z3 0
  • Error on the latest BurpSuite version

    Also cannot right-click Do scan

    java.lang.NullPointerException: Cannot invoke "burp.IHttpRequestResponse.getResponse()" because "newHttpRequestResponse" is null
    	at burp.application.apitypes.soap.ApiTypeSoap.urlAddPath(ApiTypeSoap.java:96)
    	at burp.application.apitypes.soap.ApiTypeSoap.isFingerprintMatch(ApiTypeSoap.java:62)
    	at burp.application.ApiScanner.detect(ApiScanner.java:30)
    	at burp.PassiveScanner.doPassiveScan(PassiveScanner.java:45)
    	at burp.hs6.run(Unknown Source)
    	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    	at java.base/java.lang.Thread.run(Thread.java:831)

    It also seems scans are duplicated; the two results that come out are identical. [image]

    opened by getcode2git 5
Releases (v1.3)

Owner
APISecurity Community: a community that shares everything about API Security, such as tools, vulnerable environments, books, articles, news, etc.