Merged
22 changes: 19 additions & 3 deletions secator/configs/workflows/api_discover.yaml
@@ -8,9 +8,9 @@ long_description: |
brute-forcing of API routes (ffuf, using Assetnote's HTTP Archive apiroutes wordlist — the same real-world
route dataset kiterunner relied on). Discovered endpoints are probed with httpx to verify they are live and
fingerprint their technologies. The apiroutes wordlist also covers exposed API specification paths
(openapi/swagger), so they surface when fuzzing is enabled. Endpoint discovery only — parameter fuzzing,
vulnerability scanning and secrets hunting are handled by the url_params_fuzz and url_vuln workflows (see
the `api` scan).
(openapi/swagger); when one is found, the --spec option hands it off to nuclei, which parses the spec
(input-mode openapi) and DAST-fuzzes every documented endpoint with the correct method and parameters —
recovering the contextual testing kiterunner used to provide, using a maintained tool already in secator.
tags: [http, api, crawl, fuzz]
input_types:
- url
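Review bot: the three replacement lines of long_description no longer tell the reader that --spec only has an effect when --fuzz is also set, although that dependency is exactly what the new option's help text ("combine with --fuzz to find them") and the sentence just above ("so they surface when fuzzing is enabled") rely on; add a clause such as "enable both --fuzz and --spec to discover and fuzz specs" here. Dropping the old "Endpoint discovery only" sentence also removes the only pointer to the url_params_fuzz and url_vuln workflows and the `api` scan, so users lose the hint about where parameter fuzzing, vulnerability scanning and secrets hunting for non-spec endpoints now live; consider keeping one sentence with that cross-reference.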
@@ -30,6 +30,12 @@ options:
default: False
short: fuzz

spec:
is_flag: True
help: Hand off discovered OpenAPI/Swagger specs to nuclei for endpoint fuzzing (combine with --fuzz to find them)
default: False
short: spec

tasks:
katana:
description: Crawl for API endpoints
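Review bot: the new `spec` option silently does nothing when --fuzz is not given, because the spec paths it depends on are only produced by the ffuf brute-force; rather than leaving that to the help text alone, have `spec` imply `fuzz` (or emit a warning when --spec is passed without --fuzz) if the workflow option schema supports it, so the nuclei task is never configured with no possible input. Minor style point: `short: spec` duplicates the long name, as the neighbouring `short: fuzz` already does, so it adds no shorthand; either drop it or choose a real abbreviation.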
@@ -56,3 +62,13 @@ tasks:
- type: url
field: url
condition: not url.verified

nuclei:
description: Fuzz endpoints from discovered API specs
input_mode: openapi
dast: True
targets_:
- type: url
field: url
condition: "'openapi' in url.url or 'swagger' in url.url or 'api-docs' in url.url"
if: opts.spec
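Review bot: the `condition` on the new nuclei task is a plain substring match on the URL (`'openapi' in url.url or 'swagger' in url.url or 'api-docs' in url.url`), so any URL that merely contains one of those words, for example a /swagger-ui/ HTML page or /api-docs/index.html, is handed to nuclei in `input_mode: openapi` even though it is not a spec document nuclei can parse. Consider requiring that the URL has been verified live by the preceding httpx task (the hunk above already uses `url.verified` in its own condition, so `url.verified and (...)` fits the existing style), and, if the url object exposes a content type, restricting the match to JSON or YAML responses; at minimum the `if: opts.spec` gate and the hard-coded `dast: True` deserve a comment explaining that this task runs nuclei's DAST templates against every matching URL.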
1 change: 1 addition & 0 deletions secator/tasks/nuclei.py
@@ -41,6 +41,7 @@ class nuclei(VulnMulti):
opts = {
'automatic_scan': {'is_flag': True, 'short': 'as', 'help': 'Automatic web scan using wappalyzer technology detection to tags mapping'}, # noqa: E501
'bulk_size': {'type': int, 'short': 'bs', 'help': 'Maximum number of hosts to be analyzed in parallel per template'}, # noqa: E501
'dast': {'is_flag': True, 'default': False, 'help': 'Enable DAST fuzzing templates (required to fuzz OpenAPI/Swagger endpoints)'}, # noqa: E501
'debug': {'type': str, 'help': 'Debug mode'},
'display_templates': {'is_flag': True, 'default': False, 'short': 'dt', 'help': 'Display loaded template names.'},
'exclude_severity': {'type': str, 'short': 'es', 'help': 'Exclude severity'},
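Review bot: the new `dast` entry is the only `is_flag` option visible in this block without a `short` alias (compare `automatic_scan`/`as` and `display_templates`/`dt`); add one for consistency with the rest of the `opts` table. The help string should also say which upstream behaviour this toggles, i.e. that it enables nuclei's DAST (fuzzing) template set, since "required to fuzz OpenAPI/Swagger endpoints" describes the workflow's use of it rather than what the flag does. Alphabetical placement between `bulk_size` and `debug` and the explicit `default: False` match the surrounding entries.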