Astra – Automated Security Testing For REST API’s

REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during development cycle.

Astra can automatically detect and test login & logout (Authentication API), so it’s easy for anyone to integrate this into CICD pipeline.

Astra - Automated Security Testing For REST API's
Astra – Automated Security Testing For REST API’s

Astra can take API collection as an input so this can also be used for testing apis in standalone mode. There are several possible Attacks during the scan with this tool including:

  • SQL injection
  • Cross site scripting
  • Information Leakage
  • Broken Authentication and session management
  • CSRF (including Blind CSRF)
  • Rate limit
  • CORS misconfiguration (including CORS bypass techniques)
  • JWT attack
  • CRLF detection
  • Blind XXE injection

Installing the tool is very straightforward. You can clone the github repo and use pip to install all the required dependencies. Or you can use docker. Once you have set up the tool, you can use either CLI or web interface to start a scan. the tool stores api login & logout information in utils/config.property file.
Note: Postman allows you to export apis as a collection and you can pass this collection to astra to start the scan. 

you can read more and download this tool over here: https://github.com/flipkart-incubator/Astra

Share
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments