by freeqaz
1347 days ago
How do you generate an API Spec if there isn't one? (I've spent time working on this problem before, so I'm curious.) Also, how do you prevent this tool from spamming everybody with alerts? I've used various DAST tools like OWASP ZAP before and ultimately they end up getting turned off because of anger fatigue. (At Uber we trained an entire ML model to hide noisy alerts based on us upvoting/downvoting them.)

Here is an example of an auto generated spec: https://demo.metlo.com/endpoint/2be9f63e-a436-4ffc-b85a-e421.... This is the code in our repo: https://github.com/metlo-labs/metlo/blob/master/backend/src/...
To avoid noisy alerts we've tried very hard to focus on areas where we won't have high false positives. Also, unlike ZAP, since we analyze realtime production traffic we have more data to work with, so we can make a more informed model. For example, we would catch anomalies like high usage on endpoints that return sensitive data, endpoints that normally have authentication but where unauthenticated requests are succeeding, strange ordering of API requests by a single user, etc.
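A toy version of two of the checks the reply above describes (unauthenticated success on a normally-authenticated endpoint, and one user's unusual volume on a sensitive endpoint), as an added example that is not Metlo's code; the traffic records, thresholds and the `returns_sensitive_data` flag are constructed for illustration:

```python
from collections import defaultdict
from statistics import median

# Constructed sample of API traffic records (not real Metlo data).
# Each record: (user, path, authenticated, status, returns_sensitive_data)
TRAFFIC = (
    [(f"u{i}", "/api/users/me", True, 200, True) for i in range(8)]
    + [(None, "/api/users/me", False, 401, True)]
    + [(None, "/api/users/me", False, 200, True)]    # unauthenticated yet succeeded
    + [("u1", "/api/health", False, 200, False)] * 3  # public endpoint, expected
    + [("u1", "/api/export", True, 200, True),
       ("u2", "/api/export", True, 200, True),
       ("u3", "/api/export", True, 200, True)]
    + [("u9", "/api/export", True, 200, True)] * 40   # one user hammering export
)

def auth_anomalies(records, min_auth_ratio=0.8):
    """Endpoints that are normally called with credentials (>= min_auth_ratio of
    observed traffic) but have served a 2xx to an unauthenticated caller."""
    stats = defaultdict(lambda: {"total": 0, "auth": 0, "unauth_ok": 0})
    for _, path, authed, status, _ in records:
        s = stats[path]
        s["total"] += 1
        if authed:
            s["auth"] += 1
        elif 200 <= status < 300:
            s["unauth_ok"] += 1
    return sorted(p for p, s in stats.items()
                  if s["auth"] / s["total"] >= min_auth_ratio and s["unauth_ok"] > 0)

def sensitive_volume_anomalies(records, factor=5):
    """(user, path) pairs whose call count on a sensitive endpoint exceeds
    `factor` times the median per-user count on that endpoint."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, path, _, _, sensitive in records:
        if sensitive and user is not None:
            counts[path][user] += 1
    flagged = []
    for path, per_user in counts.items():
        typical = median(per_user.values())  # median resists the outlier itself
        flagged += [(u, path) for u, n in per_user.items() if n > factor * typical]
    return sorted(flagged)

if __name__ == "__main__":
    print("auth anomalies:", auth_anomalies(TRAFFIC))
    print("volume anomalies:", sensitive_volume_anomalies(TRAFFIC))
```

Both checks compare against a per-endpoint baseline learned from the traffic itself, which is the point the reply makes about having more data than a scanner does.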