Inquiry Regarding Vulnerability Report and Authentication Error Handling in OFFAT

[AkshayBide]

Dear Support Team,

I hope this email finds you well.

I’m currently using your tool, OFFAT, for API security testing, and I’ve been very pleased with its performance overall. It’s an effective tool that suits my needs quite well. However, I do have some concerns regarding the vulnerability report it generates.

Specifically, when I run a scan using either a correct bearer token or an incorrect one, the resulting report appears identical in both cases. As a result, I’m having difficulty distinguishing between a valid scan and one based on an incorrect token. Additionally, the tool doesn’t seem to provide any error message when authentication fails.

I understand that OFFAT still performs checks for authentication bypass even when credentials are incorrect, but it would be greatly beneficial if the tool could provide an error message, similar to the one shown when a file is unavailable, whenever there’s an issue with the bearer token or another authentication failure during a scan.

Any insights or guidance you can provide on this would be greatly appreciated. Thank you for your attention to this matter, and I look forward to your response.

Best regards,
Akshay.

[dmdhrumilmistry]

Hi Akshay,

Thanks for using the tool and It's nice that you found it useful. Currently, we're migrating it to golang to enhance it's performance and refactor code. We'll consider your feedback while implementing it in golang.

[AkshayBide]

Thank you for your response. I noticed that the tool isn't scanning for all OWASP Top 10 API issues. Could you please explain why that might be?

[dmdhrumilmistry]

Both the tools are currently WIP. Python version will be deprecated soon and only golang version will be maintained. Hopefully, we'll add all the new checks soon. Also, it might be worth noting that It'll be difficult to implement all the checks in generalized way because developers usually write APIs in different ways, so each APIs might behave differently as there's no common standard being used by teams universally.

[AkshayBide]

Thanks for the update, @dmdhrumilmistry! Understood that the Python version will be deprecated and only the Go version will be maintained. Looking forward to the new checks as they get added. I agree that implementing all checks in a generalized way is challenging due to the lack of a universal API standard. Appreciate the effort you’re putting into this!

Additionally, I’m facing a few issues:

1. When trying to open a generated output report with a larger file size, I’m getting an 'unable to open: invalid string length' error.
2. I’m unable to generate reports in formats other than JSON.
3. When re-scanning the same file, JSON, or APIs after some time, the number of vulnerabilities changes inconsistently. For example, in the first scan, it shows 50 vulnerabilities, but in the second scan, it fluctuates (e.g., 49 or 51).

Would appreciate any insights on these!"

[dmdhrumilmistry]

1 and 2 > In which format are you trying to create report?
3. Most of the tests generated are fuzzed i.e payloads are generated randomly on each run, so APIs might be acting differently for different payloads hence the flakiness in tests.

[AkshayBide]

I tired to create in html and yaml format.

[dmdhrumilmistry]

ohh, it could be buggy as we're dumping result obj directly into the reports. I would suggest to use JSON format for now as it's well supported and it can be used with other tools.