by ashekhawat 1350 days ago
Hey @freeqaz! We analyze trace data that we capture from production traffic to generate what the Open API Spec could be.

Here is an example of an auto generated spec: https://demo.metlo.com/endpoint/2be9f63e-a436-4ffc-b85a-e421.... This is the code in our repo: https://github.com/metlo-labs/metlo/blob/master/backend/src/...

To avoid noisy alerts we've tried very hard to focus on areas where we won't have high false positives. Also, unlike ZAP, since we analyze realtime production traffic we have more data to work with, so we can make a more informed model. For example, we would catch anomalies like high usage on endpoints that return sensitive data, endpoints that normally have authentication where unauthenticated requests are succeeding, strange ordering of API requests by a single user, etc.

1 comment
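The two ideas in the comment above, inferring a spec from captured traffic and then running low-false-positive anomaly checks over that same traffic, can be shown end to end on a small constructed dataset. The block below is an added example written for this page; it is not Metlo's code and does not reflect how the linked repository does it. The trace record shape (`ts`, `user`, `method`, `path`, `status`, `authenticated`, `response`), the sensitive field names, the thresholds (90% authenticated ratio, 10x the per-user median, a 4:1 ordering majority) and all sample traffic are assumptions made for illustration.

```python
# Added example (not Metlo's code): infer an OpenAPI skeleton from captured
# traces and run three anomaly checks over the same traffic. The trace record
# shape, thresholds and all sample traffic below are constructed for illustration.
from collections import Counter, defaultdict
from statistics import median

SENSITIVE_KEYS = {"ssn", "email", "credit_card"}  # assumed PII field names


def _t(ts, user, method, path, status, authenticated, response):
    return {"ts": ts, "user": user, "method": method, "path": path,
            "status": status, "authenticated": authenticated, "response": response}


def build_traces():
    """Constructed traffic: five normal users plus three planted anomalies."""
    profile = {"email": "a@example.com", "ssn": "000-00-0000", "id": 7}
    traces, ts = [], 0
    for u in ["u1", "u2", "u3", "u4", "u5", "u6", "u7"]:
        steps = [("POST", "/login", False, {"token": "t"}),
                 ("GET", "/cart", True, {"items": []}),
                 ("POST", "/checkout", True, {"order_id": 1}),
                 ("GET", "/users/{id}", True, profile)]
        if u == "u6":  # u6 hits checkout before ever loading the cart
            steps[1], steps[2] = steps[2], steps[1]
        for method, path, authed, body in steps:
            traces.append(_t(ts, u, method, path, 200, authed, body))
            ts += 1
    for _ in range(40):  # u7 scrapes the profile endpoint
        traces.append(_t(ts, "u7", "GET", "/users/{id}", 200, True, profile))
        ts += 1
    # one unauthenticated request that succeeds on a normally-authenticated endpoint
    traces.append(_t(ts, "anon", "GET", "/users/{id}", 200, False, profile))
    return traces


def endpoint(t):
    return f"{t['method']} {t['path']}"


def json_type(v):
    # bool is checked before int because bool is an int subclass in Python
    for typ, name in ((bool, "boolean"), (int, "integer"), (float, "number"),
                      (list, "array"), (dict, "object")):
        if isinstance(v, typ):
            return name
    return "string"


def infer_openapi(traces):
    """Minimal OpenAPI 3 document from observed methods, paths, status codes
    and the JSON types of top-level response fields."""
    paths = defaultdict(dict)
    for t in traces:
        op = paths[t["path"]].setdefault(t["method"].lower(), {"responses": {}})
        resp = op["responses"].setdefault(str(t["status"]), {"content": {
            "application/json": {"schema": {"type": "object", "properties": {}}}}})
        props = resp["content"]["application/json"]["schema"]["properties"]
        for k, v in t["response"].items():
            props[k] = {"type": json_type(v)}
    return {"openapi": "3.0.0", "paths": dict(paths)}


def unauthenticated_success(traces, min_auth_ratio=0.9):
    """Endpoints where most 2xx responses went to authenticated requests,
    yet at least one unauthenticated request also got a 2xx."""
    counts = defaultdict(Counter)
    for t in traces:
        if 200 <= t["status"] < 300:
            counts[endpoint(t)][t["authenticated"]] += 1
    return sorted(ep for ep, c in counts.items()
                  if c[False] and c[True] / (c[True] + c[False]) >= min_auth_ratio)


def high_usage_on_sensitive(traces, factor=10):
    """Users whose request count to sensitive endpoints exceeds factor x the
    per-user median. An endpoint is sensitive if a 2xx body exposed a PII key."""
    sensitive = {endpoint(t) for t in traces
                 if 200 <= t["status"] < 300 and SENSITIVE_KEYS & set(t["response"])}
    per_user = Counter((t["user"], endpoint(t)) for t in traces if endpoint(t) in sensitive)
    if not per_user:
        return []
    baseline = median(per_user.values())
    return sorted((u, ep, n) for (u, ep), n in per_user.items() if n > factor * baseline)


def ordering_anomalies(traces, min_support=3):
    """Learn, from each user's first use of each endpoint, pairs where A precedes
    B for a clear majority; flag the few users who did B before A."""
    first = defaultdict(dict)
    for t in sorted(traces, key=lambda t: t["ts"]):
        first[t["user"]].setdefault(endpoint(t), t["ts"])
    pair_users = defaultdict(set)
    for u, seen in first.items():
        order = sorted(seen, key=seen.get)
        for i, a in enumerate(order):
            for b in order[i + 1:]:
                pair_users[(a, b)].add(u)
    flagged = set()
    for (a, b), users in pair_users.items():
        reverse = pair_users.get((b, a), set())
        if len(users) >= min_support and reverse and len(reverse) <= len(users) // 4:
            flagged.update((u, a, b) for u in reverse)
    return sorted(flagged)


if __name__ == "__main__":
    tr = build_traces()
    print(sorted(infer_openapi(tr)["paths"]), unauthenticated_success(tr),
          high_usage_on_sensitive(tr), ordering_anomalies(tr))
```

Each check learns its baseline from the traffic itself rather than from a hand-written rule, which is what keeps the false-positive rate down: an endpoint only counts as "normally authenticated" after the data says so, "high usage" is relative to what other users do on the same endpoint, and an ordering is only "strange" when a clear majority of users do it the other way. Real traffic would need path templating (collapsing `/users/42` to `/users/{id}`) and time-windowed counts, which this example leaves out.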

Hey @ashekhawat, can the generated specs be exported out of metlo?
Yup, there is a button to download at the top right of the spec: https://demo.metlo.com/endpoint/2be9f63e-a436-4ffc-b85a-e421...