Astra - Automated Security Testing For REST API's

Astra – Automated Security Testing For REST API’s

REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during development cycle. Astra can automatically detect and test login & logout (Authentication API), so it’s easy for anyone to integrate this into CICD pipeline. Astra can take API collection as an input so this can also be used for testing apis in standalone mode.

  • SQL injection
  • Cross site scripting
  • Information Leakage
  • Broken Authentication and session management
  • CSRF (including Blind CSRF)
  • Rate limit
  • CORS misconfiguration (including CORS bypass techniques)
  • JWT attack
  • CRLF detection
  • Blind XXE injection



  • Linux or MacOS
  • Python 2.7
  • mongoDB


$ git clone

$ cd Astra

$ sudo pip install -r requirements.txt

Docker Installation

Run Mongo Container:

$ docker pull mongo
$ docker run --name astra-mongo -d mongo

Installing GUI Docker:

$ git clone
$ cd Astra
$ docker build -t astra .
$ docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra

Installing CLI Docker :

$ git clone -b docker-cli
$ cd Astra
$ docker build -t astra-cli .
$ docker run --rm -it --link astra-mongo:mongo astra-cli


- requests
- logger
- pymongo
- ConfigParser
- pyjwt
- flask
- sqlmap


Usage: CLI

$ python --help

/ | |
/ ___| |_ _ __ __ _
/ / / __| __| '__/ _` |
/ ____ __ |_| | | (_| |
/_/ ____/__|_| __,_|

usage: [-h] [-c {Postman,Swagger}] [-n COLLECTION_NAME] [-u URL]
[-headers HEADERS] [-method {GET,POST}] [-b BODY]

REST API Security testing Framework

optional arguments:
-h, --help show this help message and exit
-c {Postman,Swagger}, --collection_type {Postman,Swagger}
Type of API collection
Type of API collection
-u URL, --url URL URL of target API
-headers HEADERS, --headers HEADERS
Custom headers.Example: {"token" : "123"}
-met hod {GET,POST}, --method {GET,POST}
HTTP request method
-b BODY, --body BODY Request body of API
-l LOGINURL, --loginurl LOGINURL
URL of login API
Headers should be in a dictionary format. Example:
{"accesstoken" : "axzvbqdadf"}
login data of API

Usage: Web interface
Run the and access the web interface at

$ cd API
$ python


New scan

Scan Reports

Detailed Report

Lead Developer

  • Sagar Popat (@popat_sagar)


  • Ankur Bhargava
  • Harsh Grover
  • Flipkart security team
  • Pardeep Battu

Leave a Reply

Your email address will not be published. Required fields are marked *

Special Offer for Hackers!Sign up to get your $5 Coupon code, weekly deals and latest hacking tools straight to your inbox!