{ "info": { "author": "Appknox & OpenStack Security Group", "author_email": "engineering@appknox.com", "bugtrack_url": null, "classifiers": [ "Environment :: Console", "Intended Audience :: Developers", "Intended Audience :: Information Technology", "License :: OSI Approved :: Apache Software License", "Natural Language :: English", "Operating System :: MacOS :: MacOS X", "Operating System :: POSIX :: Linux", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.5", "Topic :: Security", "Topic :: Software Development :: Testing", "Topic :: Utilities" ], "description": "=================================================\nSyntribos, An Automated API Security Testing Tool\n=================================================\n\n::\n\n syntribos\n xxxxxxx\n x xxxxxxxxxxxxx x\n x xxxxxxxxxxx x\n xxxxxxxxx\n x xxxxxxx x\n xxxxx\n x xxx x\n x\n xxxxxxxxxxxxxxx xxxxxxxxxxxxxxx\n xxxxxxxxxxxxx xxxxxxxxxxxxx\n xxxxxxxxxxx xxxxxxxxxxx\n xxxxxxxxx xxxxxxxxx\n xxxxxx xxxxxx\n xxx xxx\n x x\n x\n === Automated API Scanning ===\n\n.. image:: https://img.shields.io/badge/docs-latest-brightgreen.svg?style=flat\n :target: http://docs.openstack.org/developer/syntribos/\n\n.. image:: https://img.shields.io/pypi/v/syntribos.svg\n :target: https://pypi.python.org/pypi/syntribos/\n\n.. image:: https://img.shields.io/pypi/dm/syntribos.svg\n :target: https://pypi.python.org/pypi/syntribos/\n\n.. image:: https://img.shields.io/pypi/pyversions/syntribos.svg\n :target: https://pypi.python.org/pypi/syntribos/\n\n.. image:: https://img.shields.io/pypi/wheel/syntribos.svg\n :target: https://pypi.python.org/pypi/syntribos/\n\n.. 
image:: https://img.shields.io/irc/%23openstack-security.png\n :target: http://webchat.freenode.net/?channels=openstack-security\n\n\nSyntribos is an open source automated API security testing tool that is\nmaintained by members of the `OpenStack Security Project `__.\n\nGiven a simple configuration file and an example HTTP request, syntribos\ncan replace any API URL, URL parameter, HTTP header and request body\nfield with a given set of strings. Syntribos iterates through each position\nin the request automatically. Syntribos aims to automatically detect common\nsecurity defects such as SQL injection, LDAP injection, buffer overflow, etc. In\naddition, syntribos can be used to help identify new security defects\nby automated fuzzing.\n\nSyntribos has the capability to test any API, but is designed with\n`OpenStack `__ applications in mind.\n\nList of Tests\n~~~~~~~~~~~~~\n\nSyntribos is shipped with batteries included, which means, with minimal\nconfiguration effort you can initiate automated testing of any API of\nyour choice. If testing OpenStack API is in your mind, then syntribos\nby default will help you in automatically downloading a set of templates\nof some of the bigger OpenStack projects like nova, neutron, keystone etc.\n\nA short list of tests that can be run using syntribos is given below:\n\n* Buffer Overflow\n* Command Injection\n* CORS Wildcard\n* Integer Overflow\n* LDAP Injection\n* SQL Injection\n* String Validation\n* XML External Entity\n* Cross Site Scripting ( XSS )\n\nBuffer Overflow\n---------------\n\nThe idea of `buffer overflow attacks`_ in the context of a web application\nis to force an application to handle more data than it can hold in a buffer.\nIn syntribos a buffer overflow test is attempted by injecting a large\nstring into the body of an HTTP request.\n\nCommand Injection\n-----------------\n\n`Command injection attacks`_ are done by injecting arbitrary commands in an\nattempt to execute these commands on a remote system. 
In syntribos, this is\nachieved by injecting a set of strings that have been proven to be successful\nin executing command injection attacks.\n\nCORS Wildcard\n-------------\n\n`CORS wildcard test`_ is used to verify if a web server allows cross-domain\nresource sharing from any external URL ( wildcarding of the\n`Access-Control-Allow-Origin` header) rather than a white list of URLs.\n\nInteger Overflow\n----------------\n\n`Integer overflow test`_ in syntribos attempts to inject numeric values that\nthe remote application may fail to represent within its storage, for example\na 32 bit integer type trying to store a 64 bit number.\n\nLDAP Injection\n--------------\n\nSyntribos attempts `LDAP injection attacks`_ by injecting LDAP statements\ninto HTTP requests; if an application fails to properly sanitize the\nrequest content, it may be possible to execute arbitrary commands.\n\nSQL Injection\n-------------\n\n`SQL injection attacks`_ are one of the most common web application attacks.\nIf the user input is not properly sanitized, it is fairly easy to\nexecute SQL queries that may result in an attacker reading sensitive\ninformation or gaining control of the SQL server. In syntribos\nan application is tested for SQL injection vulnerabilities by injecting\nSQL strings into the HTTP request.\n\nString Validation\n-----------------\n\nString validation attacks in syntribos try to exploit the fact that\nsome string patterns are not sanitized effectively by the input\nvalidator and may cause the application to crash. Examples of characters\nthat may cause string validation vulnerabilities are special unicode\ncharacters, emojis etc.\n\nXML External Entity\n-------------------\n\n`XML external entity attacks`_ are attacks that target the web\napplication's XML parser. 
If an XML parser allows processing of\nexternal entities referenced in an XML document then an attacker\nmight be able to cause denial of service, leakage of information etc.\nSyntribos tries to inject a few malicious strings into an XML body\nwhile sending requests to an application in an attempt to obtain an\nappropriate response.\n\nCross Site Scripting ( XSS )\n----------------------------\n\nAn XSS_ attack is one where malicious JavaScript is injected into a web\napplication. Syntribos tries to find potential XSS issues by injecting\nstrings containing \"script\" and other HTML tags into request fields.\n\nOther than these built-in tests, you can extend syntribos by writing\nyour own custom tests. To do this, download the source code and look at\nthe tests in the ``syntribos/tests`` directory. The CORS test may be an easy\none to emulate. In the same way, users can also add different extensions\nto the tests. To see how extensions can be written please see the\n``syntribos/extensions`` directory.\n\n.. _buffer overflow attacks: https://en.wikipedia.org/wiki/Buffer_overflow\n.. _Command injection attacks: https://www.owasp.org/index.php/Command_Injection\n.. _CORS wildcard test: https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)\n.. _Integer overflow test: https://en.wikipedia.org/wiki/Integer_overflow\n.. _LDAP injection attacks: https://www.owasp.org/index.php/LDAP_injection\n.. _SQL injection attacks: https://www.owasp.org/index.php/SQL_Injection\n.. _XML external entity attacks: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing\n.. 
_XSS: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)\n\n**Details**\n\n* `Documentation`_\n* Free software: `Apache license`_\n* `Launchpad project`_\n* `Blueprints`_\n* `Bugs`_\n* `Source code`_\n\nSupported Operating Systems\n~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSyntribos has been developed primarily in Linux and Mac environments and would\nwork on most Unix and Linux based Operating Systems. At this point, we are not\nsupporting Windows, but this may change in the future.\n\n.. _Documentation: http://docs.openstack.org/developer/syntribos/\n.. _Apache license: https://github.com/openstack/syntribos/blob/master/LICENSE\n.. _Launchpad project: https://launchpad.net/syntribos\n.. _Blueprints: https://blueprints.launchpad.net/syntribos\n.. _Bugs: https://bugs.launchpad.net/syntribos\n.. _Source code: https://github.com/openstack/syntribos\n\n============\nInstallation\n============\n\nSyntribos can be installed directly from `pypi with pip `__\n\n::\n\n pip install syntribos\n\nIf you want the latest changes, you could install syntribos from `source `__\nwith `pip `__.\n\n- Clone the repository\n\n::\n\n $ git clone https://github.com/openstack/syntribos.git\n\n- cd to the directory and install with pip\n\n::\n\n $ cd syntribos\n $ pip install .\n\n======================================\nInitializing the syntribos Environment\n======================================\n\nOnce syntribos is installed, you must initialize the syntribos environment.\nThis can be done manually, or via the ``init`` command.\n\n::\n\n $ syntribos init\n\nBy default, ``syntribos init`` fetches a set of default payload files from a\n`remote repository maintained by our development team `_.\nThese payload files are necessary for our fuzz tests to run, but if you would\nlike to disable this behavior, run syntribos with the ``--no_downloads`` flag.\nPayload files can also be fetched by running ``syntribos download --payloads``\nat any time.\n\nIf you'd like to specify a custom root for 
syntribos to be installed in,\nspecify the ``--custom_install_root`` flag after ``init``. This will skip\nsyntribos' prompts for information from the terminal, which can be handy for\nJenkins jobs and other situations where user input cannot be retrieved.\n\nIf you've already run the ``init`` command but want to start over with a fresh\nenvironment, you can specify the ``--force`` flag to overwrite existing files.\nThe ``--custom_install_root`` and ``--force`` flags can be combined to overwrite\nfiles in a custom install root.\n\n**Example:**\n\n::\n\n $ syntribos init --custom_install_root /your/custom/path --force\n\n\n\n=============\nConfiguration\n=============\n\nAll configuration files should have at least the section\n``[syntribos]``. Depending upon what extensions you are using\nand what you are testing, you can add other sections as well.\nFor example, if you are using the built-in identity extension\nyou would also need the ``[user]`` section. The sections\n``[logging]`` and ``[remote]`` are optional.\n\nGiven below is the basic structure of a syntribos configuration\nfile.\n\n::\n\n [syntribos]\n #\n # End point URLs and versions of the services to be tested.\n #\n endpoint=http://localhost:5000\n # Set payload and templates path\n templates=\n payloads=\n\n [user]\n #\n # User credentials and endpoint URL to get an AUTH_TOKEN\n # This section is only needed if you are using the identity extension.\n #\n endpoint=\n username=\n password=\n\n [remote]\n #\n # Optional, to define remote URI and cache_dir explicitly\n #\n templates_uri=\n payloads_uri=\n cache_dir=\n\n [logging]\n log_dir=\n\n\nTo test any project, just update the endpoint URL under\n``[syntribos]`` to point to the API and also modify the user\ncredentials if needed. 
The endpoint URL in the ``[syntribos]``\nsection is the one being tested by syntribos and the endpoint URL in the\n``[user]`` section is just used to get an AUTH_TOKEN.\n\nDownloading templates and payloads remotely\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nPayload and template files can be downloaded remotely in syntribos.\nIn the config file under the ``[syntribos]`` section, if the ``templates``\nand ``payloads`` options are not set, then, by default syntribos will\ndownload all the latest payloads and the templates for a few OpenStack\nprojects.\n\nAs a user you can specify a URI to download custom templates and payloads\nfrom as well; this is done by using the ``[remotes]`` section in the config file.\nAvailable options under ``[remotes]`` are ``cache_dir``, ``templates_uri``,\n``payloads_uri`` and ``enable_cache``. The ``enable_cache`` option is\n``True`` by default and can be set to ``False`` to disable caching of remote\ncontent while syntribos is running. If ``cache_dir`` is set to a path,\nsyntribos will attempt to use that as a base directory to save downloaded\ntemplate and payload files.\n\nThe advantage of using these options is that you will be able to get\nthe latest payloads from the official repository and, if you are\nusing syntribos to test OpenStack projects, in most cases you\ncould directly use the well defined templates available with this option.\n\nThis option also helps to easily manage different versions of templates\nremotely, without the need to maintain a set of different versions offline.\n\nTesting OpenStack keystone API\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nA sample config file is given in ``examples/configs/keystone.conf``.\nCopy this file to a location of your choice (the default file path for the\nconfiguration file is ``~/.syntribos/syntribos.conf``) and update the\nnecessary fields like user credentials, log, template directory etc.\n\n::\n\n $ vi examples/configs/keystone.conf\n\n\n\n [syntribos]\n #\n # As keystone is being tested in the 
example, enter your\n #\n # keystone auth endpoint url.\n endpoint=http://localhost:5000\n # Set payload and templates path\n templates=\n payloads=\n\n [user]\n #\n # User credentials\n #\n endpoint=http://localhost:5000\n username=\n password=\n # Optional, only needed if Keystone V3 API is used\n #user_id=\n # Optional, api version if required\n #version=v2.0\n # Optional, for getting scoped tokens\n #user_id=\n # If user id is not known\n # For V3 API\n #domain_name=\n #project_name=\n # For Keystone V2 API\n #tenant_name=\n\n #[alt_user]\n #\n # Optional, Used for cross auth tests (-t AUTH)\n #\n #endpoint=http://localhost:5000\n #username=\n #password=\n # Optional, for getting scoped tokens\n #user_id=\n # If user id is not known\n # For V3 API\n #domain_name=\n #project_name=\n # For Keystone V2 API\n #tenant_name=\n\n [remote]\n #\n # Optional, Used to specify URLs of templates and payloads\n #\n #cache_dir=\n #templates_uri=https://github.com/your_project/templates.tar\n #payloads_uri=https://github.com/your_project/payloads.tar\n # To disable caching of these remote contents, set the following variable to False\n #enable_caching=True\n\n [logging]\n #\n # Logger options go here\n #\n log_dir=\n # Optional, compresses http_request_content,\n # if you don't want this, set this option to False.\n http_request_compression=True\n\n========\nCommands\n========\n\nBelow are the set of commands that can be specified while\nusing syntribos.\n\n- **init**\n\n This command sets up the syntribos environment after installation. 
It will\n create the necessary folders for templates, payloads, and logs, as well as\n an example configuration file.\n\n ::\n\n $ syntribos init\n\n To learn more about ``syntribos init``, see the installation instructions\n `here `_\n\n- **run**\n\n This command runs syntribos with the given config options\n\n ::\n\n $ syntribos --config-file keystone.conf -t SQL run\n\n- **dry-run**\n\n This command ensures that the template files given for this run parse\n successfully without errors. It then runs a debug test which sends no\n requests of its own.\n\n Note: If any external calls referenced inside the template file do make\n requests, the parser will still make those requests even for a dry run.\n\n ::\n\n $ syntribos --config-file keystone.conf dry_run\n\n- **list_tests**\n\n This command will list the names and description of all the tests\n that can be executed by the ``run`` command.\n\n ::\n\n $ syntribos --config-file keystone.conf list_tests\n\n- **download**\n\n This command will download templates and payload files. By default, it will\n download a default set of OpenStack template files (with the --templates\n flag) or our default set of payloads (with the --payloads flag) to your\n syntribos root directory. However, the behavior of this command can be\n configured in the [remote] section of your config file.\n\n ::\n\n $ syntribos download --templates\n\nAll these commands except init will only work if a configuration file\nis specified. 
If a configuration file is present in the default\npath ( ``~/.syntribos/syntribos.conf`` ), then you\ndo not need to explicitly specify a config file and\ncan run syntribos using the command ``syntribos run``.\n\n=================\nRunning syntribos\n=================\n\nTo run syntribos against all the available tests, just specify the\ncommand ``syntribos`` with the configuration file without\nspecifying any test type.\n\n::\n\n $ syntribos --config-file keystone.conf run\n\nFuzzy-matching test names\n~~~~~~~~~~~~~~~~~~~~~~~~~\n\nIt is possible to limit syntribos to run a specific test type using\nthe ``-t`` flag.\n\n::\n\n $ syntribos --config-file keystone.conf -t SQL run\n\n\nThis will match all tests that contain ``SQL`` in their name\nlike SQL_INJECTION_HEADERS, SQL_INJECTION_BODY etc.\n\nSpecifying a custom root directory\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nIf you set up the syntribos environment with a custom root (i.e. with\n``syntribos init --custom_install_root``), you can point to it with the\n``--syntribos-custom_root`` configuration option. Syntribos will look for a\n``syntribos.conf`` file inside this directory, and will read further\nconfiguration information from there.\n\n===================\nLogging and Results\n===================\n\nTwo types of logs are generated by syntribos: results and debug logs. While\nthe results log is the representation of results ( collection of issues ) from a\ngiven syntribos run, debug logs contain debugging information captured during\na particular run. Debug logs may include exception messages, warnings, raw\nbut sanitized request/response data and a few more details as well.\nA modified version of the Python logger is used for collecting debug logs in\nsyntribos.\n\nResults Log\n~~~~~~~~~~~\n\nThe results log as described above is a collection of issues (failures and\nerrors) generated at the end of a syntribos run. 
The \"failures\" key represents\ntests that have failed, indicating a possible security vulnerability and the\n\"errors\" key gives us information on any unhandled exceptions such as connection\nerrors encountered on that run.\n\nAn example failure object is seen below:\n\n::\n\n {\n \"defect_type\": \"xss_strings\",\n \"description\": \"The string(s): '[\\\"\\\"]',\n known to be commonly returned after a successful XSS attack, have been found in the\n response. This could indicate a vulnerability to XSS attacks.\",\n \"failure_id\": 33,\n \"instances\": [\n {\n \"confidence\": \"LOW\",\n \"param\": {\n \"location\": \"data\",\n \"method\": \"POST\",\n \"type\": null,\n \"variables\": [\n \"type\",\n \"details/name\",\n ]\n },\n \"severity\": \"LOW\",\n \"signals\": {\n \"diff_signals\": [\n \"LENGTH_DIFF_OVER\"\n ],\n \"init_signals\": [\n \"HTTP_CONTENT_TYPE_JSON\",\n \"HTTP_STATUS_CODE_2XX_201\"\n ],\n \"test_signals\": [\n \"FAILURE_KEYS_PRESENT\",\n \"HTTP_CONTENT_TYPE_JSON\",\n \"HTTP_STATUS_CODE_2XX_201\",\n ]\n },\n \"strings\": [\n \"\"\n ]\n }\n ],\n \"url\": \"127.0.0.1/test\"\n }\n\n\nErrors take the form:\n\n::\n\n ERROR:\n {\n \"error\": \"Traceback (most recent call last):\\n File \\\"/Users/test/syntribos/tests/fuzz/base_fuzz.py\\\",\n line 58, in tearDownClass\\n super(BaseFuzzTestCase, cls).tearDownClass()\\n\n File \\\"/Users/test/syntribos/tests/base.py\\\", line 166, in tearDownClass\\n\n raise sig.data[\\\"exception\\\"]\\nReadTimeout: HTTPConnectionPool(host='127.0.0.1', port=8080):\n Read timed out. (read timeout=10)\\n\",\n \"test\": \"tearDownClass (syntribos.tests.fuzz.sql.image_data_image_data_get.template_SQL_INJECTION_HEADERS_sql-injection.txt_str21_model1)\"\n }\n\n\nDebug Logs\n~~~~~~~~~~\n\nDebug logs include details about HTTP requests and responses, and other debugging\ninformation like errors and warnings across the project. The default path where\ndebug logs are saved is ``.syntribos/logs/``. 
Debug logs are arranged in\ndirectories based on the timestamp and in these directories, in files named\naccording to the templates.\n\nFor example:\n\n::\n\n $ ls .syntribos/logs/\n 2016-09-15_11:06:37.198412 2016-09-16_10:11:37.834892 2016-09-16_13:31:36.362584\n 2016-09-15_11:34:33.271606 2016-09-16_10:38:55.820827 2016-09-16_13:36:43.151048\n 2016-09-15_11:41:53.859970 2016-09-16_10:39:50.501820 2016-09-16_13:40:23.203920\n\n::\n\n $ ls .syntribos/logs/2016-09-16_13:31:36.362584\n API_Versions::list_versions_template.log\n API_Versions::show_api_details_template.log\n availability_zones::get_availability_zone_detail_template.log\n availability_zones::get_availability_zone_template.log\n cells::delete_os_cells_template.log\n cells::get_os_cells_capacities_template.log\n cells::get_os_cells_data_template.log\n\nEach log file includes some essential debugging information like the string representation\nof the request object, signals and checks used for tests etc.\n\nThe request:\n\n::\n\n ------------\n REQUEST SENT\n ------------\n request method.......: PUT\n request url..........: http://127.0.0.1/api\n request params.......:\n request headers size.: 7\n request headers......: {'Content-Length': '0', 'Accept-Encoding': 'gzip, deflate',\n 'Accept': 'application/json',\n 'X-Auth-Token': , 'Connection': 'keep-alive',\n 'User-Agent': 'python-requests/2.11.1', 'content-type': 'application/xml'}\n request body size....: 0\n request body.........: None\n\nThe response:\n\n::\n\n -----------------\n RESPONSE RECEIVED\n -----------------\n response status..: \n response headers.: {'Content-Length': '70',\n 'X-Compute-Request-Id': ,\n 'Vary': 'OpenStack-API-Version, X-OpenStack-Nova-API-Version',\n 'Openstack-Api-Version': 'compute 2.1', 'Connection': 'close',\n 'X-Openstack-Nova-Api-Version': '2.1', 'Date': 'Fri, 16 Sep 2016 14:15:27 GMT',\n 'Content-Type': 'application/json; charset=UTF-8'}\n response time....: 0.036277\n response size....: 70\n response body....: 
{\"badMediaType\": {\"message\": \"Unsupported Content-Type\", \"code\": 415}}\n -------------------------------------------------------------------------------\n [2590] : XSS_BODY\n (, 'PUT',\n 'http://127.0.0.1/api')\n {'headers': {'Accept': 'application/json', 'X-Auth-Token': },\n 'params': {}, 'sanitize': False, 'data': '', 'requestslib_kwargs': {'timeout': 10}}\n Starting new HTTP connection (1): 127.0.0.1\n \"PUT http://127.0.0.1/api HTTP/1.1\" 501 93\n\nAnd the signals captured:\n\n::\n\n Signals: ['HTTP_STATUS_CODE_4XX_400', 'HTTP_CONTENT_TYPE_JSON']\n Checks used: ['HTTP_STATUS_CODE', 'HTTP_CONTENT_TYPE']\n\nDebug logs are sanitized to prevent storing secrets in log files.\nPasswords and other sensitive information are masked with asterisks using a\nslightly modified version of `oslo_utils.strutils.mask_password `__\n\nDebug logs also include body compression, wherein long fuzz strings are\ncompressed before being written to the logs. The threshold to start data\ncompression is set to 512 characters. While compression can be turned off\nby setting the variable \"http_request_compression\" under the logging section\nin the config file to ``False``, it is not recommended.\n\n=============================\nAnatomy of a request template\n=============================\n\nThis section will give you a brief idea on writing templates\nand on how to run specific tests. Templates are input files which have\nraw http requests and may also be supplemented with variable\ndata using extensions.\n\nSyntribos template files are ordinary text files containing raw http\nrequests.\n\nUsing external functions in templates\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nThese template files can also be supplemented with variable\ndata, or data retrieved from external sources. 
This is handled\nusing 'extensions.'\n\nExtensions are found in ``syntribos/extensions/`` .\n\nCalls to extensions are made in this form:\n\n::\n\n CALL_EXTERNAL|{extension dot path}:{function}:{arguments}\n\nOne example packaged with syntribos enables the tester to obtain an auth\ntoken from keystone. The code is located in ``identity/client.py``\n\nTo use this extension, you can add the following to your template file:\n\n::\n\n X-Auth-Token: CALL_EXTERNAL|syntribos.extensions.identity.client:get_token_v3:[\"user\"]|\n\nThe \"user\" string indicates the data from the configuration file we\nadded in ``examples/configs/keystone.conf``\n\nAnother example is found in ``random_data/client.py`` . This returns a\nUUID when random but unique data is needed. This can be used in place of\nusernames when fuzzing a create user call.\n\n::\n\n \"username\": \"CALL_EXTERNAL|syntribos.extensions.random_data.client:get_uuid:[]|\"\n\nThe extension function can return one value or be used as a generator if\nyou want it to change for each test.\n\nBuilt in functions\n------------------\n\nSyntribos comes with a slew of utility functions/extensions, these functions can\nbe used to dynamically inject data into templates.\n\n.. 
list-table:: **Utility Functions**\n :widths: 15 35 40\n :header-rows: 1\n\n * - Method\n - Parameters\n - Description\n * - hash_it\n - [data, hash_type (optional hash type, default being SHA256)]\n - Returns hashed value of data\n * - hmac_it\n - [data, key, hash_type (optional hash type, default being SHA256)]\n - Returns HMAC based on the hash algorithm, data and the key provided\n * - epoch_time\n - [offset (optional integer offset value, default is zero)]\n - Returns the current time minus offset since epoch\n * - utc_datetime\n - []\n - Returns current UTC date time\n * - base64_encode\n - [data]\n - Returns base 64 encoded value of data supplied\n * - url_encode\n - [url]\n - Returns encoded URL\n\nAll these utility functions can be called using:\n\n::\n\n CALL_EXTERNAL|common_utils.client:{method_name}:{comma separated parameters in square brackets}|\n\nFor example:\n\n::\n\n \"encoded_url\": \"CALL_EXTERNAL|common_utils.client:url_encode:['http://localhost:5000']|\"\n\nThere are a few other functions that return random values as well, they are:\n\n.. 
list-table:: **Random Functions**\n :widths: 15 35 40\n :header-rows: 1\n\n * - Method\n - Parameters\n - Description\n * - get_uuid\n - []\n - Returns a random UUID\n * - random_port\n - []\n - Returns random port number between 0 and 65535\n * - random_ip\n - []\n - Returns random IPv4 address\n * - random_mac\n - []\n - Returns random MAC address\n * - random_integer\n - [beg (optional beginning value, default is 0), end (optional end value)]\n - Returns an integer value between 0 and 1468029570 by default\n * - random_utc_datetime\n - []\n - Returns random UTC datetime\n\nThese can be called using:\n\n::\n\n CALL_EXTERNAL|random_data.client:{method_name}:{comma separated parameters in square brackets}|\n\nFor example,\n\n::\n\n \"address\": \"CALL_EXTERNAL|random_data.client:random_ip:[]|\"\n\nAction Field\n~~~~~~~~~~~~\n\nWhile syntribos is designed to test all fields in a request, it can also\nignore specific fields through the use of Action Fields. If you want to\nfuzz against a static object ID, use the Action Field indicator as\nfollows:\n\n::\n\n \"ACTION_FIELD:id\": \"1a16f348-c8d5-42ec-a474-b1cdf78cf40f\"\n\nThe ID provided will remain static for every test.\n\nRunning a specific test\n~~~~~~~~~~~~~~~~~~~~~~~\n\nAs mentioned above, some tests included with syntribos by default\nare LDAP injection, SQL injection, integer overflow, command injection,\nXML external entity, reflected cross-site scripting,\nCross Origin Resource Sharing (CORS) wildcard and SSL.\n\nIn order to run a specific test, simply use the ``-t, --test-types``\noption and provide `syntribos` with a keyword or keywords to match from\nthe test files located in ``syntribos/tests/``.\n\nFor SQL injection tests, use:\n\n::\n\n $ syntribos --config-file keystone.conf -t SQL\n\nAnother example, to run SQL injection tests against the template body only,\nuse:\n\n::\n\n $ syntribos --config-file keystone.conf -t SQL_INJECTION_BODY\n\nFor all tests against HTTP headers only, use:\n\n::\n\n $ 
syntribos --config-file keystone.conf -t HEADERS\n\n\n\n===================\nExecuting unittests\n===================\n\nTo execute unittests automatically, navigate to the ``syntribos`` root\ndirectory and install the test requirements.\n\n::\n\n $ pip install -r test-requirements.txt\n\nNow, run\n\n::\n\n $ python -m unittest discover tests/unit -p \"test_*.py\"\n\nIf you have configured tox you could also do\n\n::\n\n $ tox -e py27\n $ tox -e py35\n\nThis will run all the unittests and give you a result output\ncontaining the status and coverage details of each test.\n\n=======================\nContributing Guidelines\n=======================\n\nSyntribos is an open source project and contributions are always\nwelcome, if you have any questions, we can be found in the\n#openstack-security channel on Freenode IRC.\n\n1. Follow all the `OpenStack Style Guidelines `__\n (e.g. PEP8, Py3 compatibility)\n2. All new classes/functions should have appropriate docstrings in\n `RST format `__\n3. All new code should have appropriate unittests (place them in the\n ``tests/unit`` folder)\n4. Any change you make can be tested using tox:\n\n::\n\n pip install tox\n tox -e pep8\n tox -e py27\n tox -e py35\n tox -e cover\n\nAnyone wanting to contribute to OpenStack must follow\n`the OpenStack development workflow `__\n\nAll changes should be submitted through the code review process in Gerrit\ndescribed above. All pull requests on Github will be closed/ignored.\n\nBugs should be filed on the `syntribos launchpad site `__,\nand not on Github. All Github issues will be closed/ignored.\n\nBreaking changes, feature requests, and other unprioritized work should first be\nsubmitted as a blueprint `here `__\nfor review.\n\n\n**Note:** README.rst is an auto generated file, from the rst files in the\ndocs directory. The file can be generated by running ``python readme.py``\nfrom the ``syntribos/scripts`` directory. 
When the README needs to be\nupdated; modify the corresponding rst file in ``syntribos/doc/source``\nand generate it by running the script.\n\n\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/appknox/syntribos/", "keywords": "", "license": "Apache License, Version 2.0", "maintainer": "", "maintainer_email": "", "name": "ak-syntribos", "package_url": "https://pypi.org/project/ak-syntribos/", "platform": "", "project_url": "https://pypi.org/project/ak-syntribos/", "project_urls": { "Homepage": "https://github.com/appknox/syntribos/" }, "release_url": "https://pypi.org/project/ak-syntribos/0.3.4/", "requires_dist": [ "six (>=1.9.0)", "requests (>=2.10.0)", "oslo.config (!=3.18.0,>=3.14.0)", "oslo.utils (>=3.18.0)", "python-cinderclient (!=1.7.0,!=1.7.1,>=1.6.0)", "python-glanceclient (>=2.5.0)", "python-neutronclient (>=5.1.0)", "python-novaclient (!=2.33.0,>=2.29.0)" ], "requires_python": "", "summary": "API Security Scanner", "version": "0.3.4" }, "last_serial": 5444457, "releases": { "0.3.1.dev91": [ { "comment_text": "", "digests": { "md5": "c7040c65ed2858f574e274c58b43ac24", "sha256": "7ae04375ee6aad0f49dc96ec04fa93ec9568bd64d842f5643516471bef993ac6" }, "downloads": -1, "filename": "ak-syntribos-0.3.1.dev91.tar.gz", "has_sig": false, "md5_digest": "c7040c65ed2858f574e274c58b43ac24", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 140088, "upload_time": "2017-06-14T04:54:03", "url": "https://files.pythonhosted.org/packages/9c/4f/4b00d71e3edf7ce6dcdce12f1d1b57a1c7235aa3f52ca3c208d2691f1584/ak-syntribos-0.3.1.dev91.tar.gz" } ], "0.3.2": [ { "comment_text": "", "digests": { "md5": "37f591937b4799fb45200c862b849da4", "sha256": "eaf7c7904841e7f32eaabcceba134c4d5f053c2bad0da71829c169dfd4725c29" }, "downloads": -1, "filename": "ak_syntribos-0.3.2-py2-none-any.whl", "has_sig": false, "md5_digest": 
"37f591937b4799fb45200c862b849da4", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 17160, "upload_time": "2019-06-24T22:43:29", "url": "https://files.pythonhosted.org/packages/18/3a/272e7c61dd65535abb209e00f21f0b5c3610505092e27fde468e306ffe8d/ak_syntribos-0.3.2-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "982b33123e09e24c4b1360223a0b5a7f", "sha256": "ba5b009c1141a1204154d78f36030a7768c7fdd83c05e5f41da8711583b640b8" }, "downloads": -1, "filename": "ak-syntribos-0.3.2.tar.gz", "has_sig": false, "md5_digest": "982b33123e09e24c4b1360223a0b5a7f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 157335, "upload_time": "2019-06-24T22:43:31", "url": "https://files.pythonhosted.org/packages/a0/8e/6218444dd6853cfcb80c4734822841060f3072237fd3ed997106a509e366/ak-syntribos-0.3.2.tar.gz" } ], "0.3.3": [ { "comment_text": "", "digests": { "md5": "ffcfb0e8e99796c69d9307016e9db7e8", "sha256": "08da367437bda5a71ca8fbad3f2ec072d1c962c818828bcfb69758dbdacdc2fc" }, "downloads": -1, "filename": "ak_syntribos-0.3.3-py2-none-any.whl", "has_sig": false, "md5_digest": "ffcfb0e8e99796c69d9307016e9db7e8", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 17159, "upload_time": "2019-06-25T05:57:30", "url": "https://files.pythonhosted.org/packages/d2/c6/5b0d8777f74d8d8d42af81d9585387ce1e5b7e1bab0f2902651af024af21/ak_syntribos-0.3.3-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "0fead4aee3705f36624034c4e2613748", "sha256": "97ac6be4f36178bc8b81db2be1c2ef771563db7934243d0c1a24c00afc605e70" }, "downloads": -1, "filename": "ak-syntribos-0.3.3.tar.gz", "has_sig": false, "md5_digest": "0fead4aee3705f36624034c4e2613748", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 157355, "upload_time": "2019-06-25T05:57:33", "url": 
"https://files.pythonhosted.org/packages/7c/7b/b8f63f3e34d41ce5798bbeb256702145a222a2c85e2b10f71ce4fc1e1c37/ak-syntribos-0.3.3.tar.gz" } ], "0.3.4": [ { "comment_text": "", "digests": { "md5": "d7b170be0db5fc00c3e32c3a74cb71a4", "sha256": "6ad1143241bfadb837fda066e1f8b2a2f55e42613e630986bc23ec8ae6d817ca" }, "downloads": -1, "filename": "ak_syntribos-0.3.4-py2-none-any.whl", "has_sig": false, "md5_digest": "d7b170be0db5fc00c3e32c3a74cb71a4", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 111490, "upload_time": "2019-06-25T08:28:21", "url": "https://files.pythonhosted.org/packages/ef/ce/80325401db86f2c051bbc98e2c5ed851a1d70a3cd51d9a7e21eee9c3db5f/ak_syntribos-0.3.4-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "65f72465bea855f996a175d2e5b16fcb", "sha256": "de872c96232238986a51be69e9ce74826fcd856bae633a7aee0729c1c3f65bac" }, "downloads": -1, "filename": "ak-syntribos-0.3.4.tar.gz", "has_sig": false, "md5_digest": "65f72465bea855f996a175d2e5b16fcb", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 157419, "upload_time": "2019-06-25T08:28:23", "url": "https://files.pythonhosted.org/packages/6e/b7/d6eb157837c57fd8e546f1e6243844b9a9e02412b007fd01e716ef3ecba9/ak-syntribos-0.3.4.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "d7b170be0db5fc00c3e32c3a74cb71a4", "sha256": "6ad1143241bfadb837fda066e1f8b2a2f55e42613e630986bc23ec8ae6d817ca" }, "downloads": -1, "filename": "ak_syntribos-0.3.4-py2-none-any.whl", "has_sig": false, "md5_digest": "d7b170be0db5fc00c3e32c3a74cb71a4", "packagetype": "bdist_wheel", "python_version": "py2", "requires_python": null, "size": 111490, "upload_time": "2019-06-25T08:28:21", "url": "https://files.pythonhosted.org/packages/ef/ce/80325401db86f2c051bbc98e2c5ed851a1d70a3cd51d9a7e21eee9c3db5f/ak_syntribos-0.3.4-py2-none-any.whl" }, { "comment_text": "", "digests": { "md5": "65f72465bea855f996a175d2e5b16fcb", "sha256": 
"de872c96232238986a51be69e9ce74826fcd856bae633a7aee0729c1c3f65bac" }, "downloads": -1, "filename": "ak-syntribos-0.3.4.tar.gz", "has_sig": false, "md5_digest": "65f72465bea855f996a175d2e5b16fcb", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 157419, "upload_time": "2019-06-25T08:28:23", "url": "https://files.pythonhosted.org/packages/6e/b7/d6eb157837c57fd8e546f1e6243844b9a9e02412b007fd01e716ef3ecba9/ak-syntribos-0.3.4.tar.gz" } ] }
