implement check for API1:2019 OWASP API

mamaoag · May 2, 2022 · a82e2f3 · a82e2f3
1 parent 77fe27a
commit a82e2f3
Show file tree

Hide file tree

Showing 3 changed files with 114 additions and 3 deletions.
diff --git a/main.go b/main.go
@@ -5,6 +5,7 @@ import (
 	"log"
 	"os"
 
+	owasp "github.com/mamaoag/binosearch/services/owasp"
 	scanner "github.com/mamaoag/binosearch/services/scanner"
 	resource "github.com/mamaoag/binosearch/services/url"
 	wordlist "github.com/mamaoag/binosearch/services/wordlist"
@@ -14,7 +15,8 @@ func main() {
 	const APPNAME string = "Binoscan"
 	var baseUrl string
 	var wordlistPath string
-	// var resultsFound uint8 = 0
+	var endpointsFound []resource.Url
+	var message string
 
 	fmt.Printf("%s - an api application scanner.\n", APPNAME)
 	fmt.Print("Enter your base url > ")
@@ -34,8 +36,39 @@ func main() {
 
 	for _, path := range dir {
 		url := resource.Parse(baseUrl, path)
-		scanner.ScanEndpoint(url)
+		found := scanner.ScanEndpoint(url)
+
+		if found.Path != "" {
+			endpointsFound = append(endpointsFound, found)
+		}
+	}
+
+	if len(endpointsFound) > 0 {
+		fmt.Printf("\nScanning for OWASP API Security 2019 Issues\n")
+		result, err := owasp.BrokenObjectLevelAuth(endpointsFound)
+
+		if err != nil {
+			log.Fatalln(err)
+		}
+
+		if result {
+			message = "There are issues found. ❌"
+		} else {
+			message = "No issues found. ✅"
+		}
+
+		logResult("API1:2019", message)
 	}
 
 	fmt.Printf("Scanning Complete.\n")
 }
+
+func logResult(code string, message string) {
+	log.Printf(
+		"%d %d: [%s] %s\n",
+		log.Ldate,
+		log.Ltime,
+		code,
+		message,
+	)
+}
diff --git a/services/owasp/owasp.go b/services/owasp/owasp.go
@@ -0,0 +1,74 @@
+package services
+
+import (
+	"io/ioutil"
+	"strings"
+
+	proxy "github.com/mamaoag/binosearch/services/http"
+	url "github.com/mamaoag/binosearch/services/url"
+)
+
+func unAuthCodes(statusCode int) bool {
+	switch statusCode {
+	case
+		200,
+		400,
+		429,
+		500,
+		503:
+		return true
+	}
+
+	return false
+}
+
+// API1:2019 - Broken Object Level Auth. Checks for GUIDs
+func BrokenObjectLevelAuth(endpoints []url.Url) (bool, error) {
+
+	var endpointIssue []url.Url
+	var message string
+
+	for i := 0; i < len(endpoints); i++ {
+		res, err := proxy.Request(endpoints[i].Full)
+
+		if err != nil {
+			return false, err
+		}
+
+		message = "Endpoint shows no data."
+
+		if unAuthCodes(res.StatusCode) {
+			defer res.Body.Close()
+
+			body, err := ioutil.ReadAll(res.Body)
+
+			if err != nil {
+				return false, err
+			}
+
+			bodyString := string(body)
+
+			if strings.Contains(bodyString, "[") {
+				endpointIssue = append(endpointIssue, endpoints[i])
+				message = "Endpoint shows data."
+			} else if strings.Contains(bodyString, "id") {
+				endpointIssue = append(endpointIssue, endpoints[i])
+				message = "Endpoint shows data."
+			}
+		}
+
+		response := proxy.LogHttpResponse{
+			Path:       endpoints[i].Path,
+			StatusCode: res.StatusCode,
+			Message:    message,
+		}
+
+		proxy.LogResponse(response)
+	}
+
+	if len(endpointIssue) == 0 {
+		return false, nil
+	}
+
+	return true, nil
+}
diff --git a/services/scanner/scanner.go b/services/scanner/scanner.go
@@ -7,8 +7,9 @@ import (
 	url "github.com/mamaoag/binosearch/services/url"
 )
 
-func ScanEndpoint(resource url.Url) {
+func ScanEndpoint(resource url.Url) url.Url {
 	var message string
+	var found url.Url = url.Url{}
 
 	res, err := proxy.Request(resource.Full)
 
@@ -22,6 +23,7 @@ func ScanEndpoint(resource url.Url) {
 		message = "Not found. ❌"
 	} else {
 		message = "Found. ✅"
+		found = resource
 	}
 
 	response := proxy.LogHttpResponse{
@@ -31,4 +33,6 @@ func ScanEndpoint(resource url.Url) {
 	}
 
 	proxy.LogResponse(response)
+
+	return found
 }