A tool for analyzing the attack surface of an application.
- JAX-RS
- Spring
- Django

Currently does simple checking on `.Handle`, `.Post`, and `.Put` function invocations. Very much a work in progress.
Maven is required for building.

```
mvn clean install
```

Arg | Description | Required |
---|---|---|
sourceDirectory | Directory containing source code for analysis | true |
outputFile | File containing output with discovered routes | true |
exclusions | Comma delimited regex pattern for excluding files from analysis | false |
parser-stderr | Enable stderr logging from parsers. Off by default | false |
properties | Properties file to load. Used for enabling/disabling analyzers | false |
threads | Number of threads to use. Defaults to 1 | false |

The output JSON schema is as follows:

```json
{
  "routes": [
    {
      "path": "my/app/route",
      "fileName": "/path/to/associated/source/file",
      "method": "GET",
      "parameters": [
        {
          "dataType": "int",
          "name": "id",
          "category": "PathParam"
        }
      ]
    }
  ]
}
```
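
As an added example (not part of the project's own code), the script below compares two output files in the schema above and reports routes and parameters that appear only in the newer one, which works as a review gate for attack-surface growth between builds. The sample data, the `QueryParam` category value, the `ANY` placeholder for a missing method, and the function names are assumptions made for illustration.

```python
import json

# Constructed sample outputs in the analyzer's JSON schema (not real scan results).
BASELINE = json.loads("""{"routes": [
  {"path": "my/app/route", "fileName": "/src/RouteResource.java", "method": "GET",
   "parameters": [{"dataType": "int", "name": "id", "category": "PathParam"}]}
]}""")
CURRENT = json.loads("""{"routes": [
  {"path": "my/app/route", "fileName": "/src/RouteResource.java", "method": "GET",
   "parameters": [{"dataType": "int", "name": "id", "category": "PathParam"},
                  {"dataType": "String", "name": "filter", "category": "QueryParam"}]},
  {"path": "my/app/admin", "fileName": "/src/AdminResource.java", "method": "POST",
   "parameters": []}
]}""")


def index_routes(report):
    """Map (METHOD, normalized path) -> set of (category, name, dataType)."""
    indexed = {}
    for route in report.get("routes", []):
        # Assumption: a route without a method is treated as matching any method.
        method = (route.get("method") or "ANY").upper()
        path = "/" + (route.get("path") or "").strip("/")
        params = {(p.get("category") or "", p.get("name") or "", p.get("dataType") or "")
                  for p in route.get("parameters") or []}
        indexed.setdefault((method, path), set()).update(params)
    return indexed


def surface_diff(baseline, current):
    """Return (new_routes, new_params) present in current but not in baseline."""
    old, new = index_routes(baseline), index_routes(current)
    new_routes = sorted(k for k in new if k not in old)
    new_params = {k: sorted(new[k] - old[k]) for k in new
                  if k in old and new[k] - old[k]}
    return new_routes, new_params


if __name__ == "__main__":
    routes, params = surface_diff(BASELINE, CURRENT)
    for method, path in routes:
        print(f"NEW ROUTE  {method} {path}")
    for (method, path), added in params.items():
        for category, name, data_type in added:
            print(f"NEW PARAM  {method} {path}: {name} ({data_type}, {category})")
```

In practice, replace the two constructed samples with `json.load()` on the `outputFile` from a baseline run and from the current run.
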
Analyzers can be enabled/disabled via a properties file. If no properties file is provided, all analyzers will be enabled and will be triggered if there is a relevant source file type.

```
visitor.golang=true
visitor.java.jaxrs=true
visitor.java.spring=true
visitor.js.express=true
visitor.python.django=true
visitor.java.frameworkdetection=true
```

After building the app, you can build your container as follows.

```
docker build -t <tag_of_your_choice> /path/to/attack-surface-analyzer
```

Your Docker container will need at least one mount point for the directory containing your app. Here is an example.

```
docker run --read-only -v /source/path/to/app:/path/to/app/in/container -it <tag_built_with> -sourceDirectory /path/to/app/in/container -outputFile output.json -exclusions '.*test.*'
```

The `--mount` variant of mounting a volume can also be used if desired. If you want to write the output to a location outside of your container, then you will have to set a second mount point or re-use the existing one. If memory issues are encountered, try running the container with increased memory using the `-m` argument.