Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use swagger as the source for targets #4833

Open
wants to merge 12 commits into
base: master
Choose a base branch
from

Conversation

donnd-t
Copy link

@donnd-t donnd-t commented Sep 28, 2021

Parse a JSON swagger document describing all APIs, for possible targets. Specify the swagger document using the --swaggerFile option.

The swagger must contain examples which sqlmap will use as parameter values to inject.

Addresses issue #3140

@stamparm
Copy link
Member

stamparm commented Nov 5, 2021

I appreciate your effort here, though, how realistic is the scenario where user gets a swagger.json with properly filled example(s)?

@donnd-t
Copy link
Author

donnd-t commented Nov 12, 2021

I appreciate your effort here, though, how realistic is the scenario where user gets a swagger.json with properly filled example(s)?

Hi @stamparm . Thanks for your comment. Examples(s) are not required by the swagger spec but it is generally good practice to add them. Adding them has other advantages e.g. Swagger UI will prefill requests from the examples for users browsing and trying your APIs.

It is a small sample size but of the two applications I'm working on in my company, one had full examples already and the other had a handful missing which I was able to add in a few minutes.

If an example is missing a warning is printed and that API is skipped. Other APIs with full examples will still be scanned.

@arnoldasr
Copy link

Please add this, it is very useful

@sahin52
Copy link

sahin52 commented Oct 18, 2022

Can you please add more description, I want to use it from your repo even though it is not merged

@sahin52
Copy link

sahin52 commented Oct 18, 2022

I tried this, it has bugs + there is no document or something that tells how it works + it doesn't directly work when a swagger is supplied + it doesn't run after doing everything(getting rid of bugs).
This needs a lot of improvements and testing.
Thanks for your effort.

@janmaterne
Copy link

While I think you shouldnt find such swagger files in production, I like the idea for security tests while development.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants