casper

module
v0.0.0-...-0d8d854
Published: Nov 25, 2024 License: MIT

README

Casper 👻 v1.0

Casper is a comprehensive API security testing tool written in Go. It helps catch incorrect API implementations by validating and testing an API against its OpenAPI specification, by crawling a domain to discover its APIs, or by testing a base URL directly.

Features

  • OpenAPI/Swagger specification validation
  • Domain-based API discovery and testing
  • Direct base URL testing support
  • Comprehensive security testing suite
  • Business logic validation
  • Detailed security reporting
  • GraphQL security testing
  • Static resource security
  • Export functionality testing

For detailed information about security tests, see TESTS.md.

Installation

# Clone the repository
git clone https://github.com/gregcmartin/casper.git

# Build the project
cd casper
go build -o casper ./cmd/casper

Usage

Spec-Based Testing

# Test using OpenAPI specification
./casper -input api-spec.yaml -base-url http://api.example.com

# Run with debug logging
./casper -input api-spec.yaml -base-url http://api.example.com -debug

Domain-Based Testing

# Test entire domain with automatic API discovery
./casper -input example.com

# Test with authentication
./casper -input example.com -auth your-token

Direct Base URL Testing

# Test specific API endpoint or base path
./casper -base-url http://api.example.com/v1

# Test with custom output file
./casper -base-url http://api.example.com/v1 -output custom-report.json

Project Structure

casper/
├── cmd/casper/         # CLI implementation
├── internal/
│   ├── crawler/        # API discovery
│   ├── validator/      # OpenAPI validation
│   ├── security/       # Security testing
│   │   ├── core/       # Core security tests
│   │   ├── parameter/  # Parameter-based tests
│   │   ├── graphql/    # GraphQL-specific tests
│   │   ├── static/     # Static resource tests
│   │   ├── export/     # Export functionality tests
│   │   ├── specless/   # Spec-less testing
│   │   └── security.go # Main orchestrator
│   ├── business/       # Business logic testing
│   └── reporter/       # Report generation

Report Format

Casper generates detailed JSON reports containing:

  • Overall test summary
  • Issues by severity
  • Issues by category
  • Test coverage statistics
  • Detailed findings for each issue

Example report structure:

{
  "summary": {
    "total_issues": 5,
    "issues_by_severity": {
      "HIGH": 2,
      "MEDIUM": 3
    },
    "issues_by_category": {
      "SECURITY": 3,
      "BUSINESS_LOGIC": 2
    }
  },
  "issues": [
    {
      "id": "SEC001",
      "title": "SQL Injection Vulnerability",
      "description": "Endpoint vulnerable to SQL injection",
      "severity": "HIGH",
      "category": "SECURITY",
      "path": "/users",
      "method": "GET"
    }
  ]
}
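As an added example, not code from the Casper project, the Go program below consumes a report in the format shown above (for instance one written with -output), refuses a report whose summary disagrees with its issues list or that uses a severity label it does not know, and exits with status 1 when any issue of HIGH or higher severity is present, so the same logic can gate a CI step. The struct fields are the ones in the example report; the CRITICAL and LOW labels, the embedded sample report and the exit-status convention are assumptions of this example, not documented Casper behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Report mirrors the README's example report; coverage statistics have no documented field names and are not modelled.
type Report struct {
	Summary struct {
		TotalIssues      int            `json:"total_issues"`
		IssuesBySeverity map[string]int `json:"issues_by_severity"`
		IssuesByCategory map[string]int `json:"issues_by_category"`
	} `json:"summary"`
	Issues []Issue `json:"issues"`
}

type Issue struct {
	ID       string `json:"id"`
	Title    string `json:"title"`
	Severity string `json:"severity"`
	Category string `json:"category"`
	Path     string `json:"path"`
	Method   string `json:"method"`
}

// HIGH and MEDIUM appear in the README; CRITICAL and LOW are assumed labels.
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// ParseReport decodes a report and refuses one whose summary disagrees with its
// issues list or that uses a severity label the gate does not know.
func ParseReport(data []byte) (*Report, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("decode report: %w", err)
	}
	bySev, byCat := map[string]int{}, map[string]int{}
	for _, is := range r.Issues {
		if _, ok := severityRank[is.Severity]; !ok {
			return nil, fmt.Errorf("issue %s: unknown severity %q", is.ID, is.Severity)
		}
		bySev[is.Severity]++
		byCat[is.Category]++
	}
	if r.Summary.TotalIssues != len(r.Issues) || !sameCounts(bySev, r.Summary.IssuesBySeverity) ||
		!sameCounts(byCat, r.Summary.IssuesByCategory) {
		return nil, fmt.Errorf("summary does not match the issues list")
	}
	return &r, nil
}

func sameCounts(a, b map[string]int) bool {
	for k, v := range a {
		if b[k] != v {
			return false
		}
	}
	return len(a) == len(b)
}

// AtOrAbove returns the issues whose severity is at least threshold, in report order.
func (r *Report) AtOrAbove(threshold string) ([]Issue, error) {
	floor, ok := severityRank[threshold]
	if !ok {
		return nil, fmt.Errorf("unknown severity threshold %q", threshold)
	}
	var out []Issue
	for _, is := range r.Issues {
		if severityRank[is.Severity] >= floor {
			out = append(out, is)
		}
	}
	return out, nil
}

// sampleReport is constructed in the README's format; it is not real Casper output.
const sampleReport = `{"summary": {"total_issues": 3, "issues_by_severity": {"HIGH": 2, "MEDIUM": 1}, "issues_by_category": {"SECURITY": 2, "BUSINESS_LOGIC": 1}},
 "issues": [
  {"id": "SEC001", "title": "SQL Injection Vulnerability", "severity": "HIGH", "category": "SECURITY", "path": "/users", "method": "GET"},
  {"id": "SEC002", "title": "Verbose error body", "severity": "MEDIUM", "category": "SECURITY", "path": "/export", "method": "POST"},
  {"id": "BL001", "title": "Price taken from request", "severity": "HIGH", "category": "BUSINESS_LOGIC", "path": "/orders", "method": "POST"}]}`

func main() {
	r, err := ParseReport([]byte(sampleReport))
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad report:", err) // exit 2: never let a broken report pass as "no findings"
		os.Exit(2)
	}
	blocking, _ := r.AtOrAbove("HIGH")
	for _, is := range blocking {
		fmt.Println(is.ID, is.Severity, is.Method, is.Path, is.Title)
	}
	if len(blocking) > 0 {
		os.Exit(1) // exit 1: findings at or above the gate's threshold
	}
}
```

Running it with go run . prints the two HIGH issues from the embedded sample and exits 1; a malformed or internally inconsistent report exits 2, which a pipeline should treat as a failure distinct from findings. Rejecting unknown severity labels is deliberate: a gate that only looks for HIGH would otherwise wave through a report whose labels had changed or been mistyped.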

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the MIT License - see the LICENSE file for details.
