Coldsalt is a simple Python program to speed up ingesting API data for penetration testing.
Written and tested with Python 2.7.10. Not tested under Python 3.
Coldsalt uses the Requests library.
To see if you have Requests installed, use the following command (assuming you use pip):
pip show requests
To install Requests with pip, use the following command:
pip install requests
Coldsalt has hooks to use BurpBuddy to automatically populate Intruder and Repeater.
You can get BurpBuddy here: https://github.com/tomsteele/burpbuddy/releases
Coldsalt was developed and tested with BurpBuddy v3.0.0-BETA.
Usage example:
python coldsalt.py --mode swagger -i swagger_example.json --checkonly
python coldsalt.py --mode postman -i postman_example.json -e environment.json --output awesome.csv
-h, --help show this help message and exit
-a, --allmethods Make API calls for all HTTP methods including state
change related methods.
--burpbuddy BURPBUDDY
IP:port of Burp Budy instance. Defaults to
localhost:8081.
--checkonly enable debug mode. No requests will be sent
-c CONTENTTYPE, --contenttype CONTENTTYPE
Force or override Content-Type on requests
-e ENVIRONMENT, --environment ENVIRONMENT
The environment.json file to parse.
--headers HEADERS The headers.json file to parse.
-i INPUT, --input INPUT
The JSON collection file, Postman or Swagger, to
parse.
--mode {curl,postman,swagger}
Which mode, or collection type, to use. Choices are
'curl', 'postman', or 'swagger'
--output OUTPUT write output/audit log to a csv
--proxy PROXY IP:Port of proxy to use. Defaults to localhost:8080.
-v, --verbose Enable verbose output.
-x, --xperimental enable Xperimental Burp mode
By default, Coldcalt will only send GET, HEAD, and OPTION requests. You can override this with the -a and --allmethods flags.
If you're unsure about the quality of the documentation provided to you by the project team, start with the --checkonly flag. This will run the "parser" "engine" and look for missing parameters.
If you do not have an environment file, COLDSALT will create a file stub for you. You can copypasta the output into your file editor of choice. Be sure to clean up errant line breaks and update the values.
Even if you have an environment file, if there are placeholders/variables defined in your collection file that are not defined in your environment file, COLDSALT will still output templated key value pairs for the missing parameters.
Once all the things check out, make sure you have Burp running on 8080 and run the script again.
- Postman v2
- Swagger
- curl
If you are using a Postman file, make sure it is Postman v2.
To use curl requests, make sure they are in a text file, one request per line with the host at the end of the command. Generally, you can get a file ready with a combo of grep and awk.
Suppose you have a Swagger or Postman file that doesn't have any placeholders for required headers, what then?
Coldsalt gives you two options.
-c CONTENTTYPE, --contenttype CONTENTTYPE
can be used to set an arbitrary Content-Type header.
--headers HEADERS
lets you specify a json file that can contain any number of headers in the following format:
{"name": "generic header file",
"values": [{"key": "foo", "value": "bar"},
{"key": "X-Test", "value": "true"}
]}
Headers specified with --headers
will override any duplicated headers from within the Swagger or Postman files.
Content-Type set by -c
will override all other Content-Type values.
Please see Contributing.
This project is licensed under the Apache License v2. Please see License for more details.