Swurg - a Burp Suite extension for automating OpenAPI-based APIs security assessments

(420 views)

Swurg is a Burp Suite extension designed for OpenAPI testing.

The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.

Use cases for machine-readable API definition documents include, but are not limited to: interactive documentation; code generation for documentation, clients, and servers; and automation of test cases. OpenAPI documents describe an API's services and are represented in either YAML or JSON formats. These documents may either be produced and served statically or be generated dynamically from an application.

OpenAPI Initiative

Performing security assessment of OpenAPI-based APIs can be a tedious task due to Burp Suite (industry standard) lacking native OpenAPI parsing capabilities. A solution to this situation, is to use third-party tools (e.g. SOAP-UI) or to implement custom scripts (often on a per engagement basis) to handle the parsing of OpenAPI documents and integrate/chain the results to Burp Suite to use its first class scanning capabilities.

Swurg is an OpenAPI parser that aims to streamline this entire process by allowing security professionals to use Burp Suite as a standalone tool for security assessment of OpenAPI-based APIs.


Supported Features

  • OpenAPI documents can be parsed either from a supplied file or URL. The extension can fetch OpenAPI documents directly from a URL using the Send to Swagger Parser feature under the Target -> Site map context menu.
  • Parse OpenAPI documents, formerly known as the Swagger specification, fully compliant with OpenAPI 2.0/3.0 Specifications (OAS).
  • Requests can be directly viewed/edited within the extension prior to sending them to other Burp tools.
  • Requests can be sent to the Comparer, Intruder, Repeater, Scanner, Site map and Scope Burp tools.
  • Requests matching specific criterias (detailed in the 'Parameters' tab) can be intercepted to automatically match and replace the parsed parameters default values defined in the 'Parameters' tab. This feature allows for fine-tuning of the requests prior to sending them to other Burp tools (e.g., scanner). Edited requests can be viewed within the 'Modified Request (OpenAPI Parser)' tab of Burp's message editor.
  • Row highlighting allowing pentesters to highlight "interesting" API calls and/or colour code them for reporting purposes.
  • Supports both JSON and YAML formats.

Installation

Compilation

Windows & Unix

  1. Install and configure Gradle (https://gradle.org/) on your system.
  2. Download/clone this repository.
$ git clone https://github.com/aress31/swurg
$ cd .\swurg\
  1. Create the standalone jar:
$ gradle fatJar

Loading the extension into the Burp Suite

In Burp Suite, under the Extender/Options tab, click on the Add button and load the swurg-all jar file located in the .\build\libs folder.

Alternatively, you can now directly install/load this extension from the BApp Store.

Note: The version distributed on the BApp Store might be behind the version available on this repository.


Possible Improvements

 Beautify the graphical user interface.

 Deep parsing of OpenAPI schemas to collect all nested parameters along with their example/type.

 Code simplification/refactoring.

 Enable cells editing to change API calls directly from the GUI.

 Further optimise the source code.

 Implement support for authenticated testing (via user-supplied API-keys).

 Improve the Param column by adding the type of parameters (e.g. inquery, inbody, etc.).

 Implement the tables and context menus.

 Increase the extension verbosity (via the bottom panel).


Dependencies

Third-party libraries

Swagger Parser:

The Swagger Parser library is required and automatically imported in this project.


Project information

In July 2016, after posting a request for improvement on the PortSwigger support forum, I decided to take the initiative and to implement a solution myself.

The extension is still in development, feedback, comments and contributions are therefore much appreciated.


Sponsor ♥

If you use and like the Swurg/OpenAPI Parser Burp's extension, please consider donating as a lot of time and efforts went into building and maintaining this project.

To do so, simply click the "Sponsor" button at the top of this page and select your preferred method of payment.


License

Copyright (C) 2016 - 2021 Alexandre Teyar

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


Original repository: https://github.com/aress31/swurg

December 10, 2021
Subscribe
Notify of
guest
4 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
1 month ago

Have you ever wanted to spy on your spouse’s phone or wanted to monitor their phone? you may want to know what is happening in their life or how they are communicating with someone else. or maybe you want to protect them from ex either way. you can contact ([email protected]), talk about it with kelvin. you want to hack your husband’s whatsapp account text messages on iphone or android phone remotely and provide ways of doing it without installing any software on the target device. you will get complete access to whatsapp, facebook, kik, viber, messenger, text messages and other… Read more »

Lizzy Agnes
6 months ago

A great hacker is really worthy of good recommendation , Henry
really help to get all the evidence i needed against my husband and
and i was able to confront him with this details from this great hacker
to get an amazing service done with the help ,he is good with what he does and the charges are affordable, I think all I owe him is publicity for a great work done via, Henryclarkethicalhacker at gmail com, and you can text, call him on whatsapp him on +12014305865, or +17736092741, 

Mathiau
Mathiau
2 years ago

So many great tools to try and deep dive into, but I have a very basic question…what is the preferred OS these days to run as the base for all these great tools? Ubuntu, Kali, Arc ?

Hakin9 TEAM
Admin
2 years ago
Reply to  Mathiau

That’s a very problematic question ;) Truth be told it depends on the user preferences. Kali Linux is definitely the most popular one, and many use it. However, Ubunut, Parrot, are very close on the popularity list.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.
What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4

Name(Required)

We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.