Syntribos, An Automated API Security Testing Tool

            syntribos
             xxxxxxx
        x xxxxxxxxxxxxx x
     x     xxxxxxxxxxx     x
            xxxxxxxxx
  x          xxxxxxx          x
              xxxxx
 x             xxx             x
                x
xxxxxxxxxxxxxxx   xxxxxxxxxxxxxxx
 xxxxxxxxxxxxx     xxxxxxxxxxxxx
  xxxxxxxxxxx       xxxxxxxxxxx
   xxxxxxxxx         xxxxxxxxx
     xxxxxx           xxxxxx
       xxx             xxx
           x         x
                x
   === Automated API Scanning  ===

Syntribos is an open source automated API security testing tool that is maintained by members of the OpenStack Security Project.

Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
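The position-by-position substitution described above, as an added example that is not syntribos code: a small Python script that parses a request template in the request-line / headers / blank-line / body layout, enumerates every fuzzable position (URL path segments, query parameter values, header values and scalar JSON body fields) and produces one mutated request per position per payload. The template, host, token and the placeholder payload strings are all constructed for the example; a real run would substitute the tool's own payload lists.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed request template in the request-line / headers / blank line / body
# layout; the path, host and token are placeholders, not a real deployment.
SAMPLE_TEMPLATE = """POST /v2/servers?limit=10&sort=name HTTP/1.1
Host: api.example.test
Content-Type: application/json
X-Auth-Token: TOKEN_PLACEHOLDER

{"name": "vm1", "flavor": {"id": 2}}
"""

# Constructed placeholder strings; a real run substitutes the tool's payload lists.
PAYLOADS = ["PAYLOAD_A", "PAYLOAD_B"]


def parse_template(text):
    """Split the template into method, URL, version, headers and body."""
    head, _, body = text.partition("\n\n")
    lines = head.splitlines()
    method, url, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "url": url, "version": version,
            "headers": headers, "body": body.strip()}


def json_leaf_paths(obj, prefix=()):
    """Yield the key/index path to every scalar leaf of a JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from json_leaf_paths(val, prefix + (key,))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from json_leaf_paths(val, prefix + (idx,))
    else:
        yield prefix


def set_json_path(obj, path, value):
    """Return a deep copy of obj with the leaf at path replaced by value."""
    copy = json.loads(json.dumps(obj))
    node = copy
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return copy


def fuzz_positions(req):
    """List (label, mutate) pairs; mutate(payload) returns a modified request dict."""
    positions = []
    parts = urlsplit(req["url"])
    segments = parts.path.strip("/").split("/")
    for i, seg in enumerate(segments):          # each URL path segment
        def mutate(payload, i=i):
            segs = list(segments)
            segs[i] = payload
            return dict(req, url=urlunsplit(parts._replace(path="/" + "/".join(segs))))
        positions.append((f"url:path[{i}]({seg})", mutate))
    query = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(query):       # each query parameter value
        def mutate(payload, i=i):
            pairs = list(query)
            pairs[i] = (pairs[i][0], payload)
            return dict(req, url=urlunsplit(parts._replace(query=urlencode(pairs))))
        positions.append((f"url:query[{name}]", mutate))
    for name in req["headers"]:                 # each header value
        def mutate(payload, name=name):
            return dict(req, headers={**req["headers"], name: payload})
        positions.append((f"header[{name}]", mutate))
    if req["body"]:                             # each scalar field of a JSON body
        doc = json.loads(req["body"])
        for path in json_leaf_paths(doc):
            def mutate(payload, path=path):
                return dict(req, body=json.dumps(set_json_path(doc, path, payload)))
            positions.append(("body:" + "/".join(map(str, path)), mutate))
    return positions


def generate_cases(template_text, payloads):
    """One (position label, payload, mutated request) triple per position per payload."""
    req = parse_template(template_text)
    return [(label, p, mutate(p))
            for label, mutate in fuzz_positions(req) for p in payloads]


def render(req):
    """Serialise a request dict back into the template layout."""
    head = [f"{req['method']} {req['url']} {req['version']}"]
    head += [f"{name}: {value}" for name, value in req["headers"].items()]
    return "\n".join(head) + "\n\n" + req["body"] + "\n"


if __name__ == "__main__":
    for label, payload, mutated in generate_cases(SAMPLE_TEMPLATE, PAYLOADS):
        print(f"--- {label} <- {payload}")
        print(render(mutated))
```

Each mutated request changes exactly one position, which is what makes a finding attributable to a field; the sample template yields nine positions, so two placeholder payloads produce eighteen requests.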

Syntribos has the capability to test any API, but is designed with OpenStack applications in mind.

List of Tests

Syntribos ships with batteries included: with minimal configuration effort you can initiate automated testing of any API of your choice. If you intend to test OpenStack APIs, syntribos will by default help you automatically download a set of templates for some of the bigger OpenStack projects such as nova, neutron and keystone.

A short list of tests that can be run using syntribos is given below:

  • Buffer Overflow
  • Command Injection
  • CORS Wildcard
  • Integer Overflow
  • LDAP Injection
  • SQL Injection
  • String Validation
  • XML External Entity
  • Cross Site Scripting (XSS)

Buffer Overflow

The idea of buffer overflow attacks in the context of a web application is to force an application to handle more data than it can hold in a buffer. In syntribos a buffer overflow test is attempted by injecting a large string into the body of an HTTP request.

Command Injection

Command injection attacks are done by injecting arbitrary commands in an attempt to execute them on a remote system. In syntribos, this is achieved by injecting a set of strings that have proven successful in executing command injection attacks.

CORS Wildcard

The CORS wildcard test verifies whether a web server allows cross-domain resource sharing from any external origin (a wildcard Access-Control-Allow-Origin header) rather than from a whitelist of URLs.
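As an added example (not syntribos's own test code), the check below classifies the CORS headers of a response in the way the paragraph describes: it flags a wildcard Access-Control-Allow-Origin, and goes one step beyond the page by also flagging a server that simply echoes back whatever Origin the probe request carried, which is as permissive as a wildcard. The probe origin and the sample responses are constructed for the example.

```python
# The Origin header value the probe request carried (constructed, not a real site).
PROBE_ORIGIN = "https://probe.example"


def check_cors(response_headers, probe_origin=PROBE_ORIGIN):
    """Return a list of finding strings for one response's CORS headers."""
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    allow_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings          # no cross-origin read access granted at all
    if acao == "*":
        findings.append("wildcard: Access-Control-Allow-Origin is *")
    elif acao == probe_origin:
        # Beyond the page's wildcard case: echoing the request Origin verbatim
        # grants any site the same access a wildcard would.
        findings.append("reflection: Access-Control-Allow-Origin echoes the request Origin")
    if findings and allow_creds:
        findings.append("credentials: Access-Control-Allow-Credentials is true "
                        "alongside a permissive origin")
    return findings


# Constructed sample responses (header dicts), keyed by a short name.
SAMPLES = {
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "reflected_with_creds": {"access-control-allow-origin": PROBE_ORIGIN,
                             "Access-Control-Allow-Credentials": "true"},
    "restricted": {"Access-Control-Allow-Origin": "https://app.example"},
    "no_cors": {"Content-Type": "application/json"},
}


def scan(samples=SAMPLES):
    """Map each sample name to the findings raised on it."""
    return {name: check_cors(headers) for name, headers in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, "->", findings or "clean")
```

The reflection case is only detectable because the probe sends an Origin the server has no reason to trust; a restricted deployment answers with its own fixed allowed origin (or no CORS headers at all), which the check reports as clean.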

Integer Overflow

The integer overflow test in syntribos attempts to inject numeric values that the remote application may fail to represent within its storage, for example a 32-bit integer type trying to store a 64-bit number.

LDAP Injection

Syntribos attempts LDAP injection attacks by injecting LDAP statements into HTTP requests; if an application fails to properly sanitize the request content, it may be possible to execute arbitrary commands.

SQL Injection

SQL injection attacks are one of the most common web application attacks. If the user input is not properly sanitized, it is fairly easy to execute SQL queries that may result in an attacker reading sensitive information or gaining control of the SQL server. In syntribos an application is tested for SQL injection vulnerabilities by injecting SQL strings into the HTTP request.

String Validation

String validation attacks in syntribos exploit the fact that some string patterns are not sanitized effectively by the input validator and may cause the application to crash. Examples of characters that may trigger string validation vulnerabilities are special Unicode characters, emojis, etc.

XML External Entity

XML external entity attacks target the web application's XML parser. If an XML parser allows processing of external entities referenced in an XML document, an attacker might be able to cause denial of service, leakage of information, etc. Syntribos injects a few malicious strings into an XML body while sending requests to an application in an attempt to obtain an appropriate response.
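The defensive counterpart to the test above, as an added example that is not part of syntribos: a guard that refuses to hand any document carrying a DTD or entity declaration to the XML parser, since a DTD is the only place an external entity can be declared. The sample documents and the file path in the entity declaration are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# A DTD (DOCTYPE) is the only place an external entity can be declared, so a
# service that never needs DTDs can refuse them outright before parsing.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY = re.compile(rb"<!ENTITY", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised for documents that carry a DTD or entity declaration."""


def classify(xml_bytes):
    """Return 'entity', 'dtd' or 'ok' describing what the document carries."""
    if _ENTITY.search(xml_bytes):
        return "entity"
    if _DOCTYPE.search(xml_bytes):
        return "dtd"
    return "ok"


def parse_untrusted(xml_bytes):
    """Parse only DTD-free documents; raise UnsafeXML for anything else."""
    verdict = classify(xml_bytes)
    if verdict != "ok":
        raise UnsafeXML(f"refusing document with {verdict} declaration")
    return ET.fromstring(xml_bytes)


# Constructed sample documents.
SAFE = b'<?xml version="1.0"?><server><name>vm1</name></server>'
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE server SYSTEM "server.dtd"><server/>'
WITH_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE server [<!ENTITY ext SYSTEM '
               b'"file:///constructed/path">]><server><name>&ext;</name></server>')


def verdicts():
    """Classify each sample; used to show the guard's decisions side by side."""
    return {"safe": classify(SAFE), "dtd": classify(WITH_DTD),
            "entity": classify(WITH_ENTITY)}


if __name__ == "__main__":
    print(verdicts())
    print(parse_untrusted(SAFE).find("name").text)
```

The byte-level pattern match is deliberately crude: it assumes the document arrives in an ASCII-compatible encoding, so a service that accepts UTF-16 or other encodings must decode to a known form first. In production, the defusedxml package implements the same refusal (its parsers raise on DTDs and entity declarations) and is the better choice; this example only makes the mechanism visible.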

Cross Site Scripting (XSS)

An XSS attack is one where malicious JavaScript is injected into a web application. Syntribos tries to find potential XSS issues by injecting strings containing "script" and other HTML tags into request fields.

Beyond these built-in tests, you can extend syntribos by writing your own custom tests. To do this, download the source code and look at the tests in the syntribos/tests directory; the CORS test may be an easy one to emulate. Users can likewise add extensions to the tests; to see how extensions are written, see the syntribos/extensions directory.

Details

Supported Operating Systems

Syntribos has been developed primarily in Linux and Mac environments and should work on most Unix- and Linux-based operating systems. At this point, we do not support Windows, but this may change in the future.