Adding automated pentest tools for WebApi to my hacking rig: Astra and Fuzzapi. @bsdbandit @RedSiege @TimMedin @Fuzzapi0x00 #OpenSource #Security #WebServices #API #webapi

This blog will be relatively short, but I thought the webinar I listened to was so interesting that I have to write about it.

Red Siege held a webinar yesterday evening (21.00 Swedish time) about hacking webapi. Link: https://www.redsiege.com/api/. It was presented by @bsdbandit. I was blown away, this is really cool stuff. It was the kind of webinar that you wish was 2 hours instead of 1. And I won the first question: the answer was passwd and not /etc/passwd. The question asked for the filename, not the path to the file.

The webinar was about how to identify the attack surface of a webapi. There was a lot of talk about manual hacking, but also about the tools that are available for us to use. So I needed to test them. The tools that I will try are Astra and Fuzzapi. This short blog post is about that. Yes, I know: do not run stuff as root, but I do it anyway 🙂

As always we start with the short version.

  1. Install Ubuntu 20.04
  2. Install Docker.io and docker-compose
  3. Install Astra
  4. Install fuzzapi
  5. Run it

Installing Ubuntu on a machine

If you do not know how to install Ubuntu, please google.

I called this machine docker, as I will use it for many more Docker instances than those described in this blog post.

After you have installed Ubuntu as the OS, install Docker.

apt-get install docker.io
apt-get install docker-compose
apt-get install tmux

Astra
https://github.com/flipkart-incubator/Astra

I use the Downloads directory for the applications.

First install mongo

docker pull mongo
docker run --name astra-mongo -d mongo

Then git clone the Astra project

cd ~/Downloads 
git clone https://github.com/flipkart-incubator/Astra.git
cd Astra
docker build -t astra .

Done installing Astra

Fuzzapi
https://github.com/Fuzzapi/fuzzapi.git

cd ~/Downloads
git clone https://github.com/Fuzzapi/fuzzapi.git
cd fuzzapi

Edit the Dockerfile and change the bundler line to the one below:

RUN gem install bundler -v=1.11.2 && bundle install --jobs 20 --retry 5

Then build the application with the command below:

docker-compose build
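
The Dockerfile edit above can be scripted so the rig rebuilds the same way every time. This is an added example, not code from the fuzzapi project; it assumes the line to change starts with "RUN gem install bundler", and it should be run before docker-compose build.

```shell
#!/bin/sh
# Added example (not part of fuzzapi): pin bundler in the Dockerfile.
# Usage: sh pin_bundler.sh ~/Downloads/fuzzapi/Dockerfile

# The replacement line given in this post.
PINNED='RUN gem install bundler -v=1.11.2 && bundle install --jobs 20 --retry 5'

pin_bundler() {
    dockerfile=$1
    [ -f "$dockerfile" ] || { echo "no such file: $dockerfile" >&2; return 2; }

    # Already pinned: nothing to do, so the script is safe to re-run.
    if grep -qxF "$PINNED" "$dockerfile"; then
        return 0
    fi

    # Assumption: the line to change starts with "RUN gem install bundler".
    # Refuse to guess if there is no such line, or more than one.
    matches=$(grep -c '^RUN gem install bundler' "$dockerfile" || true)
    if [ "$matches" -ne 1 ]; then
        echo "expected exactly 1 bundler line, found $matches" >&2
        return 1
    fi

    # Keep the untouched original next to the patched file.
    cp "$dockerfile" "$dockerfile.orig" || return 2
    tmp=$(mktemp) || return 2
    awk -v pinned="$PINNED" '
        /^RUN gem install bundler/ { print pinned; next }
        { print }
    ' "$dockerfile.orig" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Write through the existing file so its permissions are preserved.
    cat "$tmp" > "$dockerfile"
    rm -f "$tmp"
}

if [ "$#" -gt 0 ]; then
    pin_bundler "$1"
fi
```
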

Run the applications

When you installed Docker earlier, you also installed tmux. I use it to run the applications in a tmux session, so it is easy to switch between the Docker applications and stop them when not in use.

Command:

tmux

ctrl+b c to create new tmux screen
ctrl+b c to create new tmux screen
ctrl+b c to create new tmux screen

Switch to first screen

ctrl+b 0

Then start the Astra server with this command:

docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra

Switch to second screen

ctrl+b 1

Then start the fuzzapi server with this command:

docker-compose up

Then you can detach from the tmux session with this command:

ctrl+b d

Access the applications

fuzzapi
Astra

I hope this helps someone out there; if not, please listen to the webinar from Red Siege!

Keep documenting your APIs, please!

//Roger
