You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
Feature request, allowing users of sqlmap to read a JSON of OpenAPI 3.0 as source of endpoints and parameters.
I noticed there are other issues in the past that have been closed, not sure if this because of lack of contribution, I can provide the needed code to parse the OpenAPI JSON file and make it into a REQUESTFILE, but I feel this is a bit a long path - requires reading JSON, creating a file, then loading this file via the REQUESTFILE - maybe a "shortcut" can be made with some assistance (from other sqlmap devs).
==========
GET /api/testimonials/count?query=* HTTP/1.1
Host: brokencrystals.com:443
==========
==========
GET /api/products/views HTTP/1.1
Host: brokencrystals.com:443
x-product-name: *
==========
We can feed it into sqlmap, and it is able to test them and find sql-related vulnerabilities
Describe alternatives you've considered
Running a third-party python code such as (BaseParser seen here is from OFFAT project - which uses openapi_spec_validator to read the schema) which will generate the above test.rst output:
last time i checked, the main problem i found was how to properly fill the parameter values. putting dumb * will not help. not sure if you are aware, but web applications actually like valid values. another approach would be to lean on "examples", but i can see problems here too - user will provide a dummy schema, without examples, and will immediately open issues here
I agree with your statement - though I think at the moment asking for the user to provide valid values interactively, or by editing a REQUESTFILE file would allow end-users to have a better chance of testing their openapi interface comprehensively than without using the openapi json file
Maybe if you can tell me what you are most worried about, I can think of a solution, if it is lack of valid values for fields - I can think about how to give a solution to this
Is your feature request related to a problem? Please describe.
Feature request, allowing users of sqlmap to read a JSON of OpenAPI 3.0 as source of endpoints and parameters.
I noticed there are other
issues
in the past that have been closed, not sure if this because of lack of contribution, I can provide the needed code to parse the OpenAPI JSON file and make it into aREQUESTFILE
, but I feel this is a bit a long path - requires reading JSON, creating a file, then loading this file via theREQUESTFILE
- maybe a "shortcut" can be made with some assistance (from other sqlmap devs).Describe the solution you'd like
If we take for example: https://brokencrystals.com/swagger-json - this JSON has enough information to build endpoints
If we make them into something like this:
We can feed it into sqlmap, and it is able to test them and find sql-related vulnerabilities
Describe alternatives you've considered
Running a third-party python code such as (BaseParser seen here is from OFFAT project - which uses
openapi_spec_validator
to read the schema) which will generate the abovetest.rst
output:Additional context
The text was updated successfully, but these errors were encountered: