Re: [sqlmap-users] w3af REST API recommendations
From: Andres R. <and...@gm...> - 2014-03-21 17:30:27
Thank you so much for the comments, they are going to be very helpful when building our API :) Love to see open source projects helping themselves

On Fri, Mar 21, 2014 at 9:32 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi Andres,
>
> The API is indeed "up and running for a while", but we haven't yet properly documented it, so probably not as widely used as it could be.
>
> With regards to your questions:
>
> * Technology stack: we've decided to go with a RESTful API over XML-RPC for simplicity of protocol, ease of definition of methods, etc. I had researched a number of minimalistic web servers in Python at the time and the one that was one-file only and proved to be solid and maintained was and still is Bottle[1]. It's well documented, easy to use and intuitive in my opinion.
>
> * We are happy with the technology we use and have no plans to change it, but instead extend and maintain the API over time, check out its source code if you're interested[2].
>
> * Someone has tested it under load, the results were good, but I am sure there is room for improvements here.
>
> * We have not implemented session management in the API (a front-end would have so), instead we have the concept of tasks. A task[3] is an object. You can create, edit, query, modify a task given the taskid. Task ID is generated with a request to /task/new[4]. The task is a series of independent sqlmap scans that modify the same sqlmap session file and the data is stored in a local SQLite database. Furthermore, when you run the sqlmapapi.py, an admin ID is created. This is the only privileged "user" and can request admin methods like listing all tasks, deleting them, etc.
>
> * Recommendations: try to keep it simple, wrap all standard output and error to a custom object that writes in a database[5] so these can be retrieved via the API too.
>
> [1] http://bottlepy.org/docs/0.12/
>     https://raw.githubusercontent.com/defnull/bottle/master/bottle.py
> [2] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py
> [3] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L91
>     and https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L103
> [4] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L339
> [5] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L202
>
> Good luck!
>
> Bernardo
>
> On 20 March 2014 19:05, Miroslav Stampar <mir...@gm...> wrote:
>> Great reply :)
>>
>> Bye
>>
>> On Mar 20, 2014 4:13 PM, "Brandon Perry" <bpe...@gm...> wrote:
>>>
>>> I can't comment on building the API, but I maintain C# bindings to the sqlmap REST API and, programmatically, it works really well.
>>>
>>> There is no authentication, but I only ever run it on localhost anyway so this isn't a big deal to me.
>>>
>>> I have tested it under relatively heavy load (one API instance testing multiple applications) and it has been performant. I don't recall ever saying "Man, I wish this were faster".
>>>
>>> JSON is totally the way to go for data requests/responses.
>>>
>>> One recommendation I have since I deal with many APIs on a daily basis is please don't assume the programmers will be interacting with your API with language X. The Metasploit MSGPACK API is a good example of this and is very cumbersome to use from a strongly typed language. Arachni falls into a similar field relying on Ruby-style marshalling or YAML which I simply can't do from, say, C#.
>>>
>>> Aside from sqlmap, I also really like the cuckoo-sandbox API.
>>>
>>> On Thu, Mar 20, 2014 at 10:00 AM, Andres Riancho <and...@gm...> wrote:
>>>>
>>>> List,
>>>>
>>>> I'm going to abuse the list a little bit, and poke your brains for a while, so be prepared :)
>>>>
>>>> The w3af project wants to implement its own REST API to expose the w3afCore and KnowledgeBase objects. The core allows users to configure the plugins and start the scan, and the knowledge base holds the vulnerabilities.
>>>>
>>>> You guys implemented a REST API for sqlmap, which has been up and running for a while now.
>>>>
>>>> What I wanted to know is:
>>>> * What's the technology stack you guys used for creating the REST API?
>>>> * Were you happy with it? Would you use something different if you had the chance?
>>>> * Have you tested the API under heavy load?
>>>> * Do you have the concept of sessions and users in the API? Why not?
>>>> * Any recommendations on API design? (paths, results, hrefs, etc.)
>>>>
>>>> Thanks!
>>>>
>>>> Regards,
>>>> --
>>>> Andrés Riancho
>>>> Project Leader at w3af - http://w3af.org/
>>>> Web Application Attack and Audit Framework
>>>> Twitter: @w3af
>>>> GPG: 0x93C344F3
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Learn Graph Databases - Download FREE O'Reilly Book
>>>> "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!
>>>> http://p.sf.net/sfu/13534_NeoTech
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
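The design Bernardo describes above (no sessions, a task object created via /task/new and addressed by an unguessable task ID, a single admin ID generated at start-up, and all standard output and error wrapped into an object that writes to SQLite so it can be fetched back through the API) can be sketched in a few dozen lines. The following is an added example written for this thread, not code from sqlmap or w3af: it uses the standard library's wsgiref in place of Bottle, and the route names, JSON shapes and the `call` helper are assumptions for illustration. It also follows Brandon's point that an API whose only credential is the admin ID should listen on loopback only.

```python
import hmac
import json
import os
import sqlite3
import sys
from wsgiref.simple_server import make_server


class DatabaseLogger:
    """File-like object that stores each line written to it in SQLite, keyed
    by task ID, so scan output can later be fetched through the API."""

    def __init__(self, conn, taskid):
        self.conn, self.taskid, self.buf = conn, taskid, ""

    def write(self, text):
        self.buf += text
        while "\n" in self.buf:
            line, self.buf = self.buf.split("\n", 1)
            self.conn.execute("INSERT INTO logs(taskid, line) VALUES (?, ?)",
                              (self.taskid, line))
        self.conn.commit()

    def flush(self):
        if self.buf:  # persist a trailing partial line
            self.write("\n")


class TaskApi:
    """Task registry plus a tiny WSGI dispatcher (stdlib stand-in for Bottle).
    Routes are assumptions modelled on the thread, not sqlmap's actual API."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:", check_same_thread=False)
        self.conn.execute(
            "CREATE TABLE logs(id INTEGER PRIMARY KEY, taskid TEXT, line TEXT)")
        # One privileged "user": a random admin ID created once per process.
        self.admin_id = os.urandom(16).hex()
        self.tasks = {}

    def new_task(self):
        # 64 random bits: the task ID doubles as an unguessable handle.
        taskid = os.urandom(8).hex()
        self.tasks[taskid] = {"options": {}, "status": "created"}
        return taskid

    def run(self, taskid, func):
        """Run one scan step with stdout/stderr redirected into the database."""
        logger = DatabaseLogger(self.conn, taskid)
        saved = sys.stdout, sys.stderr
        sys.stdout = sys.stderr = logger
        try:
            func()
        finally:
            sys.stdout, sys.stderr = saved
            logger.flush()

    def logs(self, taskid):
        rows = self.conn.execute(
            "SELECT line FROM logs WHERE taskid = ? ORDER BY id", (taskid,))
        return [r[0] for r in rows]

    def wsgi(self, environ, start_response):
        parts = environ["PATH_INFO"].strip("/").split("/")
        status, body = "404 Not Found", {"success": False}
        if parts == ["task", "new"]:
            status, body = "200 OK", {"success": True, "taskid": self.new_task()}
        elif len(parts) == 3 and parts[0] == "admin" and parts[2] == "list":
            # Constant-time comparison: the admin ID is the only credential.
            if hmac.compare_digest(parts[1].encode(), self.admin_id.encode()):
                status, body = "200 OK", {"success": True, "tasks": list(self.tasks)}
            else:
                status, body = "401 Unauthorized", {"success": False}
        elif len(parts) == 3 and parts[0] == "scan" and parts[2] == "log":
            if parts[1] in self.tasks:
                status, body = "200 OK", {"success": True, "log": self.logs(parts[1])}
        data = json.dumps(body).encode()
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(data)))])
        return [data]


def call(api, path):
    """Drive the WSGI app in-process (no socket) and decode its JSON reply."""
    captured = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    raw = b"".join(api.wsgi(environ, lambda s, h: captured.setdefault("status", s)))
    return captured["status"], json.loads(raw)


if __name__ == "__main__":
    api = TaskApi()
    # Unauthenticated apart from the admin ID, so bind to loopback only.
    print("admin ID:", api.admin_id)
    make_server("127.0.0.1", 8775, api.wsgi).serve_forever()
```

Running the file starts the server on 127.0.0.1:8775 and prints the admin ID to the console, which is the only place it is ever disclosed; `GET /task/new` returns a fresh task ID, `GET /admin/<admin_id>/list` enumerates tasks, and `GET /scan/<taskid>/log` returns whatever the scan wrote to stdout or stderr while `run()` had them redirected.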