Awesome
AuthzAI
An automated tool to test and analyze API endpoints for potential permission model violations using OpenAI structured outputs.
Introduction
AuthzAI is a Python script designed to automate the process of testing API endpoints with various user authentications and analyzing the responses to detect any violations of the intended permission model. It will interpret API responses and identify potential security issues related to permissions.
This tool is especially useful for developers and bug bounty hunters who want to ensure that automate the process of permission testing.
Features
- Automated API Requests: Sends requests to specified endpoints using different user authentication headers.
- Permission Analysis: Uses OpenAI's GPT models to analyze API responses for permission violations.
- Progress Tracking: Stores request and analysis progress in a SQLite database (
progress.db
). - Comprehensive Reporting: Generates a basic report (
report.txt
) summarizing the analysis results. - Customizable Configuration: Easily configure hosts, user authentications, and endpoints via a JSON file.
Installation
Prerequisites
- Python 3.7 or higher
- An OpenAI API key (sign up here)
Clone the Repository
git clone https://github.com/ngalongc/AuthzAI
cd AuthzAI
Install Dependencies
Install the required Python packages using pip
:
pip install -r requirements.txt
Contents of requirements.txt
:
requests
openai
pydantic
tqdm
Set Up OpenAI API Key
Set your OpenAI API key as an environment variable:
-
On Unix/Linux:
export OPENAI_API_KEY='your-api-key-here'
-
On Windows:
set OPENAI_API_KEY='your-api-key-here'
Replace 'your-api-key-here'
with your actual OpenAI API key.
Configuration
Create a configuration.json
file in the root directory to define your API host, user authentications, and endpoints to test.
Sample configuration.json
:
{
"host": "https://api.example.com",
"user_auth": [
{
"headers": {
"Authorization": "Bearer admin_token"
},
"description": "Admin user with full permissions."
},
{
"headers": {
"Authorization": "Bearer read_only_token"
},
"description": "Read-only user with limited permissions."
}
],
"endpoints": [
{
"method": "GET",
"path": "/v1/account/details"
},
{
"method": "POST",
"path": "/v1/account/update"
},
{
"method": "GET",
"path": "/v1/billing/info"
}
]
}
Configuration Parameters
- host: The base URL of your API.
- user_auth: A list of user authentication objects.
- headers: A dictionary of HTTP headers (e.g.,
Authorization
tokens). - description: A description of the user's permissions.
- headers: A dictionary of HTTP headers (e.g.,
- endpoints: A list of API endpoints to test.
- method: The HTTP method (currently only supports
GET
) - path: The endpoint path relative to the host.
- method: The HTTP method (currently only supports
Usage
Run the script using Python:
python authz_ai.py
What Happens When You Run the Script
- Database Initialization: Sets up a SQLite database (
progress.db
) to store progress. - Configuration Loading: Reads the
configuration.json
file. - API Requests: Makes requests to each endpoint with each user authentication.
- Response Saving: Saves responses to the database.
- Response Analysis: Analyzes responses using OpenAI's GPT models to detect permission violations.
- Result Saving: Saves analysis results back to the database.
- Report Generation: Creates a
report.txt
file summarizing the findings.
Adjusting the Request Delay
By default, the script waits for 0.1 seconds between requests. You can adjust this by changing the second
variable in the script:
second = 0.1 # Adjust the delay as needed
Output
- progress.db: A SQLite database file storing requests and analysis progress.
- report.txt: A text file summarizing the analysis results.
Sample report.txt
:
Total Requests Analyzed: 6
Details of Analysis:
- User: Admin user with full permissions.
Endpoint: GET /v1/account/details
Analysis: No permission violations detected.
- User: Read-only user with limited permissions.
Endpoint: POST /v1/account/update
Analysis:
{
"violatesIntendedPermission": true,
"violatedPermission": "Modification of account details by a read-only user.",
"analysis": "The read-only user should not be able to update account details, but the response indicates success."
}
...
Troubleshooting
- OpenAI API Errors: Ensure your OpenAI API key is correct and you have sufficient quota.
- Configuration Errors: Double-check your
configuration.json
for correct syntax and valid endpoints. - Database Issues: If you encounter database errors, delete
progress.db
to reset.
Contributing
Contributions are welcome! Please open an issue or submit a pull request on GitHub.
License
This project is licensed under the GNU Affero General Public License v3.0.
Acknowledgments
- OpenAI for providing the GPT models.
- Pydantic for data validation.
- tqdm for the progress bars.
- SQLite for the database.
Contact
For any questions or suggestions, feel free to open an issue or DM me on X @ngalongc.