Home

Awesome

AuthzAI

An automated tool to test and analyze API endpoints for potential permission model violations using OpenAI structured outputs.

Introduction

AuthzAI is a Python script designed to automate the process of testing API endpoints with various user authentications and analyzing the responses to detect any violations of the intended permission model. It will interpret API responses and identify potential security issues related to permissions.

This tool is especially useful for developers and bug bounty hunters who want to ensure that automate the process of permission testing.

Features

Installation

Prerequisites

Clone the Repository

git clone https://github.com/ngalongc/AuthzAI
cd AuthzAI

Install Dependencies

Install the required Python packages using pip:

pip install -r requirements.txt

Contents of requirements.txt:

requests
openai
pydantic
tqdm

Set Up OpenAI API Key

Set your OpenAI API key as an environment variable:

Replace 'your-api-key-here' with your actual OpenAI API key.

Configuration

Create a configuration.json file in the root directory to define your API host, user authentications, and endpoints to test.

Sample configuration.json:

{
  "host": "https://api.example.com",
  "user_auth": [
    {
      "headers": {
        "Authorization": "Bearer admin_token"
      },
      "description": "Admin user with full permissions."
    },
    {
      "headers": {
        "Authorization": "Bearer read_only_token"
      },
      "description": "Read-only user with limited permissions."
    }
  ],
  "endpoints": [
    {
      "method": "GET",
      "path": "/v1/account/details"
    },
    {
      "method": "POST",
      "path": "/v1/account/update"
    },
    {
      "method": "GET",
      "path": "/v1/billing/info"
    }
  ]
}

Configuration Parameters

Usage

Run the script using Python:

python authz_ai.py

What Happens When You Run the Script

  1. Database Initialization: Sets up a SQLite database (progress.db) to store progress.
  2. Configuration Loading: Reads the configuration.json file.
  3. API Requests: Makes requests to each endpoint with each user authentication.
  4. Response Saving: Saves responses to the database.
  5. Response Analysis: Analyzes responses using OpenAI's GPT models to detect permission violations.
  6. Result Saving: Saves analysis results back to the database.
  7. Report Generation: Creates a report.txt file summarizing the findings.

Adjusting the Request Delay

By default, the script waits for 0.1 seconds between requests. You can adjust this by changing the second variable in the script:

second = 0.1  # Adjust the delay as needed

Output

Sample report.txt:

Total Requests Analyzed: 6

Details of Analysis:
- User: Admin user with full permissions.
  Endpoint: GET /v1/account/details
  Analysis: No permission violations detected.

- User: Read-only user with limited permissions.
  Endpoint: POST /v1/account/update
  Analysis:
  {
    "violatesIntendedPermission": true,
    "violatedPermission": "Modification of account details by a read-only user.",
    "analysis": "The read-only user should not be able to update account details, but the response indicates success."
  }

...

Troubleshooting

Contributing

Contributions are welcome! Please open an issue or submit a pull request on GitHub.

License

This project is licensed under the GNU Affero General Public License v3.0.

Acknowledgments

Contact

For any questions or suggestions, feel free to open an issue or DM me on X @ngalongc.