This blog will be relatively short, but I thought the webinar I listened to was so interesting that I have to write about it.
Webinar from Red Siege yesterday evening (21.00 Swedish time) regarding hacking webapi. Link: https://www.redsiege.com/api/. This was presented by @bsdbandit. I was blown away, this is really cool stuff. I was the kind of webinar that you wish was 2 hours instead of 1. And I won the first question, the answer was passwd and not /etc/passwd. The question was: What was the filename and not the path to the filename.
The webinar was about how to identify attack service regarding webapi. There was a lot of talk about manual hacking but also tools out there that are available for us to use. So I needed to test them. The tools that I will try are Astra and Fuzzapi. This short blog post is about that. Yes, I know do not run stuff as root, but I do it anyway 🙂
As always we start with the short version.
- Install Ubuntu 20.04
- Install Docker.io and docker-compose
- Install Astra
- Install fuzzapi
- Run it
Installing Ubuntu on a machine
If you do not now how to install Ubuntu, please google.
I called this machine docker, as I will use this machine for many more docker instance that described in this blog post.
After you have installed ubuntu as OS then install docker.
apt-get install docker.io apt-get install docker-compose apt-get install tmux
Astra
https://github.com/flipkart-incubator/Astra
I use Downloads directory for the applications.
First install mongo
docker pull mongo
docker run --name astra-mongo -d mongo
Then git clone the Astra project
cd ~/Downloads
git clone https://github.com/flipkart-incubator/Astra.git
cd Astra
docker build -t astra .
Done installing Astra
Fuzzapi
https://github.com/Fuzzapi/fuzzapi.git
cd ~/Downloads git clone https://github.com/Fuzzapi/fuzzapi.git cd fuzzapi
Edit the Docker file and change the line to below
RUN gem install bundler -v=1.11.2 && bundle install --jobs 20 --retry 5
Then build the application with below command:
docker-compose build
Run the applications
As you did first when you installed docker you installed tmux. I used this to run the application in a tmux sessions. So it will be easy to switch between docker applications and stop them when not in use.
Command:
tmux
ctrl +b c to create new tmux screen ctrl +b c to create new tmux screen ctrl +b c to create new tmux screen
Switch to first screen
ctrl+b 0
Then start the Astra server with this command:
docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra
Switch to second screen
ctrl+b 1
Then start the fuzzapi server with this command:
docker-compose up
Then you can detach from tmux session with this command
ctrl+b d
Access the applications
I hope this help someone out there, if not please listen to the webinar from Red Seige!
Keep document api please!
//Roger
Tips and Tricks 
Leave a Reply