Added web-api-pentest prototype #47
Merged
13 commits (changes shown from 12 commits):
- a98973f  Added basic implementation of SimpleWebAPITesting and PromptEngineer
- a03ea2c  Updated basic implementation of SimpleWebAPITesting and PromptEngineer (DianaStrauss)
- 6a4d233  Added SimpleWebAPIDocumentation and updated SimpleWebAPITesting (DianaStrauss)
- d123ab6  Simple openapi documentation produces an openapi yaml specification (DianaStrauss)
- 12cfe19  Adjusted chain of thought prompt engineering for chain of thought to … (DianaStrauss)
- 868c9b9  changed max_turns back to 10 (DianaStrauss)
- fd6adcd  Merge remote-tracking branch 'upstream/main' (DianaStrauss)
- 9351a8d  Refined simple testing (DianaStrauss)
- 601d28f  Added documentation web-api-pentest.md (DianaStrauss)
- 9c59828  Added documentation of web-api-pentest (DianaStrauss)
- 5d1f7eb  Enhanced prompt for simple_web_api-testing.py (DianaStrauss)
- 84c2e7e  Merge branch 'ipa-lab:main' into main (DianaStrauss)
- 72de4a0  Added changes suggested by Code review (DianaStrauss)
| @@ -0,0 +1,22 @@ | ||
| # UseCase: Web Page Hacking | ||
|
|
||
| The goal of this use-case is to explore REST API security. It is currently very much in the exploratory stage, but there are already very basic capabilities. | ||
|
|
||
| ## Current features | ||
|
|
||
| - Employ different prompt strategies: Chain-of-thought, Tree-of-thought, in-context learning | ||
| - Do HTTP requests | ||
| - Allow configuration and submission of flags | ||
| - Take some notes (this is experimental, the idea is to make the LLM be more explicit about the things it finds) | ||
| - Create a OpenAPI specification of a provided URI | ||
|
|
||
| ## Example run | ||
| This is a simple example run of the `simple_web_api_documenation` using GPT-3.5-turbo to test the REST API https://jsonplaceholder.typicode.com. | ||
|  | ||
|
|
||
| OpenAPI specifications that have been created with this can be found under [openapi_spec](../openapi_spec). | ||
|
|
||
| This is a simple example run of the `simple_web_api_testing` using GPT-3.5-turbo to test the REST API https://jsonplaceholder.typicode.com. | ||
|  | ||
|
|
||
|
|
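Review bot: the heading and two identifiers in this document do not match the use case the PR adds. `# UseCase: Web Page Hacking` introduces a REST API pentest use case (`web-api-pentest`), so a heading such as `# UseCase: Web API Pentest` would fit the content; the script reference `simple_web_api_documenation` is misspelled (compare `simple_web_api_testing` a few lines later and the `SimpleWebAPIDocumentation` commit); and "Create a OpenAPI specification" should read "an OpenAPI specification". Two further points deserve a sentence each here: the `[openapi_spec](../openapi_spec)` link points at a top-level directory, which the review thread suggests moving under docs so the generated files read as example output rather than a project asset; and because the agent issues real HTTP requests, including PUT and DELETE as the generated specs in this PR show, the doc should state that it must only be pointed at targets the user is authorised to test, with the example target https://jsonplaceholder.typicode.com being a public third-party service.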
| @@ -0,0 +1,97 @@ | ||
| info: | ||
| description: Automatically generated description of the API. | ||
| title: Generated API Documentation | ||
| version: '1.0' | ||
| openapi: 3.0.0 | ||
| paths: | ||
| /albums: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /albums | ||
| /albums/1: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /albums/1 | ||
| /comments: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /comments | ||
| /comments/1: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /comments/1 | ||
| put: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: PUT operation on /comments/1 | ||
| /posts: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /posts | ||
| /todos: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /todos | ||
| /todos/1: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /todos/1 | ||
| /users: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /users | ||
| servers: | ||
| - url: https://jsonplaceholder.typicode.com |
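Review bot: the generated spec hard-codes the record IDs the run happened to request, so `/albums/1`, `/comments/1` and `/todos/1` are emitted as literal paths instead of templated ones such as `/albums/{id}` with a `parameters:` entry; a consumer of this spec (including the testing agent reading it back) cannot tell that other IDs are valid. The response schemas have the same problem: every operation is `schema: type: object` with no properties, and for the collection endpoints `/albums`, `/comments`, `/posts`, `/todos` and `/users` the server returns a JSON array, so a validator would reject the real responses. `put` on `/comments/1` has no `requestBody`, so the spec says nothing about what the operation accepts. Since the generator knows the exact request it sent and the body it received, it could emit the path parameter and at least `type: array` with `items` where the response was a list; failing that, `info.description` should say that the schemas are placeholders rather than "Automatically generated description of the API".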
| @@ -0,0 +1,166 @@ | ||
| info: | ||
| description: Automatically generated description of the API. | ||
| title: Generated API Documentation | ||
| version: '1.0' | ||
| openapi: 3.0.0 | ||
| paths: | ||
| /albums: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /albums | ||
| /albums/1: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /albums/1 | ||
| /comments: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /comments | ||
| /comments/1: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /comments/1 | ||
| /photos: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /photos | ||
| /photos/1: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /photos/1 | ||
| /posts: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /posts | ||
| /posts/1: | ||
| delete: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: DELETE operation on /posts/1 | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /posts/1 | ||
| put: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: PUT operation on /posts/1 | ||
| /posts/1/comments: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /posts/1/comments | ||
| /todos: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /todos | ||
| /todos/1: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /todos/1 | ||
| /users: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /users | ||
| /users/1: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /users/1 | ||
| /users/1/albums: | ||
| get: | ||
| responses: | ||
| '200': | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: object | ||
| description: Successful response | ||
| summary: GET operation on /users/1/albums | ||
| servers: | ||
| - url: https://jsonplaceholder.typicode.com |
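Review bot: this second spec is a near-verbatim copy of the first for the same `servers:` URL, differing only in the extra paths (`/photos`, `/photos/1`, `/posts/1`, `/posts/1/comments`, `/users/1`, `/users/1/albums`) and methods; committing two near-identical generated artefacts leaves it unclear which one is the reference output, so keep one (or name them after the run that produced them) and, per the review comment, keep them under docs. It also records `delete` and `put` on `/posts/1` as `200` operations with empty `type: object` schemas and no `requestBody`, which shows that the documentation run issued state-changing requests against the third-party target; that run should be limited to safe methods unless the user opts into write operations, and the spec should at least describe the destructive operation in `summary` or `description` instead of the generic "Successful response". As in the other spec, the paths carry literal IDs (`/posts/1/comments`, `/users/1/albums`) where `{id}` path parameters belong, and the collection endpoints are typed as `object` although the server returns arrays.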
I would move `openapi_spec` into the docs directory to make it clear that this is just an example.