💭 Introduction:

🎯 Requirements:

✅ Task summary:
Write an API test to check if GraphQL introspection query is enabled. Please provide the following -

1. Reference URL - where you took the inspiration
2. A Nuclei template similar to this or a Java template similar to this

✌🏻 Hints:

1. Write a level-1 test to just fetch query names using query {__schema{queryType{fields{name}}}}
2. Write a ninja-query to fetch everything

"fragment FullType on __Type {\n kind\n name\n fields(includeDeprecated: true) {\n name\n args {\n ...InputValue\n }\n type {\n ...TypeRef\n }\n isDeprecated\n deprecationReason\n }\n inputFields {\n ...InputValue\n }\n interfaces {\n ...TypeRef\n }\n enumValues(includeDeprecated: true) {\n name\n isDeprecated\n deprecationReason\n }\n possibleTypes {\n ...TypeRef\n }\n}\nfragment InputValue on __InputValue {\n name\n type {\n ...TypeRef\n }\n defaultValue\n}\nfragment TypeRef on __Type {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n }\n }\n }\n }\n }\n }\n }\n}\nquery IntrospectionQuery {\n __schema {\n queryType {\n name\n }\n mutationType {\n name\n }\n types {\n ...FullType\n }\n directives {\n name\n locations\n args {\n ...InputValue\n }\n }\n }\n}\n"

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add sensitive params related to Insurance.

👀 Impact

Your task will give users the ability to detect insurance related sensitive data types.

🎯 Requirements

• Understanding of regex
• Understanding of unit test

✅ Task summary

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Make regular expressions for below 7 insurance-related types. Feel free to add your own too.
• Please mention reference URL for each pattern (where it clearly mentions the nature of the identification number)
• Add an entry in fintech.json file
• Add a test case entry in TestFintechTypes.java
• Submit a pull request here

US Medicare Health insurance claim number (HICN)
Indian Unique Health Identification (UHID) . Reference [example](https://www.bajajfinservhealth.in/articles/uhid-number)
United Kingdom National Insurance number
Finnish personal identity number for health insurance
Canadian Social Insurance Number (SIN) number
German insurance identity numbers
Japanese social insurance number

✌🏻 Hints

Example for Indian Unique Health Identification (UHID) .

• Reference example

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
Currently we are in process of adding more and more documentation for each of our features. We would be happy to get feedbacks on the features/sections which users are finding hard to understand, and need more documentation. Akto Documentation - https://docs.akto.io/

🎯 Requirements:
Trying out Akto features.

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Raise out the parts which you feel miss documentation and would like us to add the same.
• Propose the changes in our documentation repo https://github.com/akto-api-security/Documentation and submit a pull request here.

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
Report: CSRF on /api/graphql allows executing mutations through GET requests https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities#bypass-of-csrf-protection

🎯 Requirements:

1. Filters - The should run only for GraphQL-related endpoints. eg here
2. Execute - Modify headers and payload according to blog link
3. Validate - If response contains 2xx response.

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Signup for Akto
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Submit the PR here.

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add Europe specific sensitive params.

👀 Impact

Your task will give users the ability to detect Europe specific sensitive data types.

🎯 Requirements

• Understanding of regex
• Understanding of unit test

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Add regular expressions for below Europe related PII types. Feel free to add your own too.
• Please provide the reference URL that mentions the nature of the number.
• Add an entry in fintech.json file
• Add a test case entry in TestFintechTypes.java
• Submit a pull request here

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities#bypass-of-rate-limits

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Signup for Akto
• Check in the Attempt tab, if the payload changes, then task is done.
• Submit the PR here.

✌🏻 Hints:
You can build the yaml template by referring this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

Please add the Compose and env files of the docker to the repo, so that it will be easy to clone the entire project and run the docker compose-up command to run the application.

I'm raising a PR for the same.

Is there any particular reason why your team didn't add compose and env files along with the repo?

💭 Introduction:

🎯 Requirements:

✅ Task summary:
Write a test to check if server reflection is switched on a gRPC server. Read more about gRPC Server reflection here.

Please mention

• Reference URL - where you took the inspiration
• A Nuclei template similar to this or a Java template similar to this

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add file extension types in sensitive params.

👀 Impact

Your task will give users the ability to detect file extension types related sensitive data types.

🎯 Requirements

• Understanding of regex
• Understanding of unit test

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Make regular expressions for below file types.
• Add an entry in fintech.json file
• Add a test case entry in TestFintechTypes.java
• Submit a pull request here

images - png/jpg/jpeg/svg, filetype: pdf/js/css/woff/txt

✌🏻 Hints

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready#8.-relay-global-object-identification-vulnerability

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Signup for Akto
• Check in the Attempt tab, if the payload changes, then task is done.
• Submit the PR here.

✌🏻 Hints:
You can build the yaml template by referring this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
Users can send data from Burpsuite to Akto via Akto's burp integration. A user can generate a new token in akto dashboard and use that token inside Burpsuite to enable this integartion. As a result of this task, User should be able to copy the Burp token generated in Akto dashboard via copy button, instead to selecting manually.

A User can click on Settings tab at the bottom left and go to settings. On clicking on integrations tab in the left nav bar, you will see the first option Burpsuite. Click on configure to generate a new burpsuite token. User can now click on generate token to create a new token. The task requires to add a new copy button, which on being clicked will copy the generated token.

🎯 Requirements:
React

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Go to https://polaris.shopify.com/components/deprecated/legacy-card
• See how legacy card primary action works
• Add the required primary action in TokensLayout.jsx. (You can view the existing 'Delete' action)
• Submit a pull request here.

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:

Akto's tables offer a filtering and sorting feature, allowing users to organise table content. However, the current string-based sorting method can cause issues when attempting to sort time-based parameters, like last_seen

🎯 Requirements:

• Experience with Vue.js

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Understand how we do it for Observe > API Changes > New parameters > Discovered column. You can find the relevant code in Changes.vue. We should pass a type for integer headers and a min-max pair.
• Implement a similar change for New endpoints table in the same file at line 223. Note that this doesn't use ServerTable directly. SimpleTable is for creating tables when you have all the data in the UI. ServerTable is for creating tables where only 1 page is fetched from backend. Any changes in filters/sort triggers a backend query for ServerTable.
• You will have to understand how SimpleTable uses ServerTable for its implementation.
• To sort columns based on time, sort them according to epochs instead of treating them as strings.
• Submit a pull request in

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

Add detailed steps on readme to run Akto on windows machines.

The link that tells us how the data is handled in the quick start guide is broken.

This page doesn't exist:

https://docs.akto.io/what-is-akto/faqs#i-dont-want-the-data-to-leave-my-vpn.-does-akto-support-on-premise-deployment

Currently there is no way to mask sensitive data collected.
It would be a bad practice to save sensitive data like credit card, passwords etc to be saved in to mongo.

Is there a workout to mask those details before saving and just keeping the sensitive data tag ?

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add secret types sensitive params.

👀 Impact

Your task will give users the ability to detect secret types sensitive data types.

🎯 Requirements

• Understanding of regex
• Understanding of unit test

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Make regular expressions for secret types for below products. Feel free to add your own too.
• Please provide the reference URL that mentions the nature of the number.
• Add an entry in fintech.json file
• Add a test case entry in TestFintechTypes.java
• Submit a pull request here

Github, 
AWS, 
GCP, 
Docker

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

gRPC is a popular approach to building API's these days practiced by big tech and fintech companies, but it's not supported in the current Akto implementation. To reproduce:

1. Install Akto plugin in BurpSuite with automatic export enabled
2. Install Akto Dashboard
3. Run a REST API with JSON payload in Burp's Repeater and observe that the export from Burp to Akto Dashboard works
4. Run an gRPC API with protobuf payload in Burp's repeater and observe that export to Dashboard doesn't work
5. Try exporting gRPC payload to HAR file in Burp's Akto Plugin and observe that 'entries' field is empty:

{"log":{"version":"1.2","creator":{"name":"Akto","version":"3.19.2"},"pages":[],"entries":[]}}

💭 Introduction:
GraphQL has gained a lot of popularity and love from the dev world. Its flexibility is one of the most powerful features. At the same time, it makes it very easy for devs to understand the root cause for any API-related problem. The excessive error description should NOT be available in prod mode.

🎯 Requirements:

• Basic experience with Java
• Basic experience with GraphQL

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Read more about batching attacks here.
• The task is to detect if we can batch multiple otp-verification queries in the same API call successfully
• Create a file BruteForceOtpGraphQLTest.java. You should write a test based on an already existing GraphQL test (yet to be added here by @ankush-jain-akto).
• Run for only those APIs which have "otp" as a param in the request and the value as a number (<= 6 digits).
• The test should take the request and add 199 similar requests in the same query array - each with a diff number.
• Check if the all responses contain the same error. If yes, server actually tried to verify each of the 200 requests and this is a vuln.

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
GraphQL has gained a lot of popularity and love from the dev world. Its flexibility is one of the most powerful features. At the same time, it makes it very easy for devs to understand the root cause for any API-related problem. The excessive error description should NOT be available in prod mode.

🎯 Requirements:

• Basic experience with Java
• Basic experience with GraphQL

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Read more about excessive errors here. A good example can be found here too
• The task is to detect if Did you mean comes in the output
• Create a file ExcessiveErrorGraphQLTest.java. You should write a test based on an already existing GraphQL test (yet to be added here by @ankush-jain-akto).
• Pick any property more than 4 letters and delete the last letter.
• Check if the response contains "did you mean" phrase (case insensitive search).

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
add tests to find signatures for common servers such as (Apache, Django Flask, Struts, Springboot etc)

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Signup for Akto
• Check in the Attempt tab, if the payload changes, then task is done.
• Submit the PR here.

✌🏻 Hints:
You can build the yaml template by referring this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

The ability to customize what endpoints are in a collection will help a user properly scope their testing and keep the collections organized.

💭 Introduction:

🎯 Requirements:

✅ Task summary:
Write test to change the Content-Type header to get CSRF https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities#bypass-of-csrf-protection

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction
This task involves using Akto to run tests on vulnerable apps like juice-shop, rest-api-goat etc. Users can view the test results and check the vulnerabilities. You can also check and report if we are detecting any false positives, i.e. vulnerabilities that are wrongly detected by Akto. You can add data to Akto dashboard using burp suite, postman etc. For ex - Refer to burp documentation - https://docs.akto.io/add-api-data/integrations/burp-suite.

🎯 Requirements
Setting up a vulnerable application locally and using applications like BurpSuite/Postman etc to send data to Akto

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Setup any vulnerable application locally. For ex - Refer https://github.com/juice-shop/juice-shop#docker-container
• Use web interface of application, or hit api's yourself, and add data to akto dashboard. For ex - Refer https://docs.akto.io/add-api-data/integrations/burp-suite on how to send data using Burpsuite.
• Add an attacker token before running tests. Refer - https://docs.akto.io/testing/create-user-config#method-1-adding-token-manually
• Go to your api collection, and click on run tests after selecting what all tests you want to trigger
• View test results. Refer - https://docs.akto.io/testing/test-results

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add sensitive params related to fintech.

👀 Impact:

Your task will give users the ability to detect sensitive data types related to fintech.

🎯 Requirements:

• Understanding of regex
• Understanding of unit test

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Make regular expressions for below fintech-related types. Feel free to add your own too.
• Please mention reference URL in the comments for each pattern (where it clearly mentions the nature of the identification number)
• Add an entry in fintech.json file
• Add a test case entry in TestFintechTypes.java
• Submit a pull request here

International bank account number (IBAN).
Bank routing number.
United Kingdom individual taxpayer identification number (UTR).
United States bank account number.
United States individual taxpayer identification number (ITIN).
Indian permanent account number (PAN) assigned by the Income Tax Department.
Indian tax deduction account number or tax collection account number (TAN) assigned by the Income Tax Department.
Australian bank account number.
Australian bank branch (BSB) number.
Australian tax file number (TFN).
Austrian individual taxpayer identification number.
Austrian value added tax number (MWSt).
Brazilian individual taxpayer identification number.
Canadian bank routing number.
French value added tax number (VAT).
Debit card number used by major banks in the European Union.
German tax identity numbers (Steuer-ID).
German value added tax number (MWSt).
Israeli bank account number.
Italian value added tax number (IVA).
Japanese bank account number.
New Zealander bank account number.
New Zealander taxpayer identification number (IRD).
Portuguese individual taxpayer identification number (NIF).
Spanish individual taxpayer identification number (NIF).

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
On API Collection page (API Inventory > API Collections) we show a list of all API collections. Clicking on any row opens the page for that specific API Collection. We want to allow users to open it in a new tab using Cmd+Click or right-click.

🎯 Requirements:

• Experience with React
• Basic understanding of HTML

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• API Collections, uses a Simpletable, which then uses SimpleRow. It would be nice to implement this feature on the component level itself, as then, it would be accessible on all pages using the table.
• You can pass the event object in the onClick function in the row component and then handle the event object in the implementation for the nextPage function.
• You can see the handling of the event for Cmd/Ctrl click here and implement a simillar function in the function given above.
• Submit a pull request here

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.
🎯 Requirements:

✅ Task summary:
When users open an API Collection, they can see a list of APIs for that collection. Clicking any API opens API details in the same window. We want to enable Cmd+click (or Ctrl-click for windows/linux) so that users can also open it in a new window.

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
When users open an API Collection, they can see a list of APIs for that collection. Clicking any API opens API details in the same window. Selected Url is also displayed at the top along with the api details like request, response params.

On api details page, a user cannot copy the url apart from manually selecting it. User should be able to copy the api url by just clicking on it.

🎯 Requirements:
React

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Go to ApiDetails.jsx
• Pass a new prop in GithubCell to copy the url on click (pass onclick func) and handle this prop in Githubcell.js
• Try not to use lots of conditional operators
• Submit a pull request here.

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready#7.-graphql-authorization-traversal-attack-vulnerability

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Signup for Akto
• Check in the Attempt tab, if the payload changes, then task is done.
• Submit the PR here.

✌🏻 Hints:
You can build the yaml template by referring this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:

🎯 Requirements:

✅ Task summary:
A Slow POST attack sends partial requests in the gRPC header. Anticipating the arrival of the remainder of the request, the application or server keep the connection open. The concurrent connection pool might become full, causing rejection of additional connection attempts from clients.

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
To re-run tests, a user has to re-create the entire test config again. ☹️
We want a simple re-run test button for each test on Testing > Test Results > Select any test page

🎯 Requirements:

• Experience with Vue.js
• Basic understanding of Java
• Basic understanding of Struts2 or simply just search for startTest and do the same thing to implement any new API.

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• On the test results page, currently there is no way to re-run a test. We should provide a re-run button on top right of the page. This should trigger an API call named rerunTest to the backend with single param = testingRunId.
• This API call in the backend should fetch the current testingRun object using TestingRunDao.instance.findOne(Filters.eq("_id", testingRunId));
• Remove the id field from this object and save a new entry TestingRunDao.instance.insertOne(...)
• Return the id of this new entry as a response
• In the UI, once the API call succeeds, do a this.$router.push to switch the page to the new id.
• Submit a PR here.

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add US addresses as sensitive params.

👀 Impact

Your task will give users the ability to detect US addresses sensitive data types.

🎯 Requirements

• Understanding of regex
• Understanding of unit test

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Make regular expressions for US address.
• Please provide the reference URL that mentions the nature of the address.
• Add an entry in fintech.json file
• Add a test case entry in TestFintechTypes.java
• Submit a pull request here

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
We want to test whether api's which take in url as a param are vulnerable to port scanning attack using SSRF. You can refer this blog for more details about the attack.

🎯 Requirements:
This test should only run for APIs which are taking url as a parameter in input.
The test should correctly detect whether the port scanning vulnerability can be exploited.

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Fork the akto repo, create a new branch and commit changes related to running test via the yaml template created in the previous step.
• Write unit tests to test your changes.
• Submit both the PRs here.

✌🏻 Hints:
You can build the yaml template by referring this link
You can refer the PR here for changes to be done in akto repo: link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:

🎯 Requirements:

✅ Task summary:
Write test to find objects or add keys on GraphQL APIs find objects and add keys that were in create-obj request or add keys which are in response of some other API call

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add sensitive params related to Database URL patterns.

👀 Impact:

Your task will give users the ability to detect sensitive data types related to database url patterns.

🎯 Requirements:

• Understanding of regex
• Understanding of unit test

✅ Task summary

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Make regular expressions for database-related URLs. [SQL, Mongo, S3, RDS, Prometheus, Redis)
• Add an entry in fintech.json file
• Add a test case entry in TestFintechTypes.java
• Submit a pull request here

✌🏻 Hints

Example for Redis :

• Regex: redis(s|-sentinel|-socket)?:\/\/(.*):(\d*)
• Reference: https://github.com/lettuce-io/lettuce-core/wiki/Redis-URI-and-connection-details

🙋🏼‍♂️ Questions

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
The GraphQL Development Console Exposed vulnerability arises when the GraphQL development console, such as GraphiQL, GraphQL Playground, or GraphQL Console, allows type introspection.Type introspection enables clients to retrieve detailed information about the GraphQL schema, including available types, fields, and their relationships. Exposing this feature in a production environment can lead to security vulnerabilities by providing unauthorized users with insights into the data model and potentially sensitive information. The impact includes an increased risk of unauthorized access and potential data exposure through the exposed GraphQL development console, necessitating proper configuration and access control measures.

🎯 Requirements:
Improve the template by adding more subpaths.

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Signup for Akto
• Check in the Attempt tab, if the payload changes, then task is done.
• Submit the PR here.

✌🏻 Hints:
You can build the yaml template by referring this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add US specific sensitive params.

👀 Impact

Your task will give users the ability to detect US specific sensitive data types.

🎯 Requirements

• Understanding of regex
• Understanding of unit test

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Make regular expressions for below US-related types. Feel free to add your own too.
• Please provide the reference URL that mentions the nature of the number.
• Add an entry in fintech.json file
• Add a test case entry in TestFintechTypes.java
• Submit a pull request here

US Bank Account Number
US Individual Taxpayer Identification Number (ITIN).
US DEA Number - Federally authorized number assigned to health care providers.
US Health Insurance Claim Number - Medicare Health insurance claim number (HICN).
US Medicare Beneficiary Identifier - Medicare beneficiary identifier (MBI) number.
United States driver's license number.
United States passport number.
United States social security number (SSN).

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:

🎯 Requirements:

✅ Task summary:
Write a test to exploit recursive query vulnerability. Read more about the vulnerability here

As part of this test, you will have to do the following

• Find the recursive objects by understanding all the query.
• If the query doesn't have a recursion, then skip
• Else, write a new query this time exploiting recursion with depth 10, 50, 100
• Write a matching criteria to check if server threw 4xx (not vulnerable) or 5xx/timeout (vulnerable)

Please mention

• Reference URL - where you took the inspiration
• A Nuclei template similar to this or a Java template similar to this

✌🏻 Hints:

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add cookie types as sensitive params.

👀 Impact

Your task will give users the ability to detect cookie types sensitive data types.

🎯 Requirements

• Understanding of regex
• Understanding of unit test

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Make regular expressions for below cookie types. Feel free to add your own too.
• Please provide the reference URL that mentions the nature of the cookie.
• Add an entry in fintech.json file
• Add a test case entry in TestFintechTypes.java
• Submit a pull request here

facebook, intercom, google ads, hotjar, fullstory, mixpanel, appsflyer)

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
mass assignment - https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Signup for Akto
• Check in the Attempt tab, if the payload changes, then task is done.
• Submit the PR here.

✌🏻 Hints:
You can build the yaml template by referring this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

When a user runs test for the first time (usually without setting attacker token), it throws error "Please set authentication mechanism". Not sure where to do this.

💭 Introduction:
GraphQL has gained a lot of popularity and love from the dev world. Its flexibility is one of the most powerful features. At the same time, it makes it very easy for devs to understand the root cause for any API-related problem. The excessive error description should NOT be available in prod mode.

🎯 Requirements:

• Basic experience with Java
• Basic experience with GraphQL

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Search for Mask errors here.
• The task is to detect if stacktrace comes in the output because of a malformed query
• Create a file ExceptionTracesGraphQLTest.java. You should write a test based on an already existing GraphQL test (yet to be added here by @ankush-jain-akto).
• Malform the query. For example, add "aktoXYZ" as a property.
• Check if the response contains stacktrace in the output (case insensitive search).

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:

🎯 Requirements:

✅ Task summary:

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:

🎯 Requirements:

✅ Task summary:

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

💭 Introduction:
Users can go to test libraries section and search for specific test categories by specifying keywords in search categories section.
This task involves adding ability to search tests using keywords instead of searching categories.

🎯 Requirements:
Understanding of Vue js.

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Build filtering logic on test data instead of category data.
• Submit a pull request here.

✌🏻 Hints
Currently the logic resides in filterOnSearchText method inside PageMarketplace.vue. It uses filter method for filtering out data given a search text.

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

It would be really useful for giving an option to select specific ports or selecting specific hosts for mirroring or saving data.
Currently there is no way to select specific hosts or port for traffic from load balancer and entire traffic from load balancer gets saved.

💭 Introduction:
https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready#9.-graphql-gateway-/-proxying-vulnerability

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Signup for Akto
• Check in the Attempt tab, if the payload changes, then task is done.
• Submit the PR here.

✌🏻 Hints:
You can build the yaml template by referring this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

deselecting of load balancer from dashboard isn't supported.
Once the load balancer is selected there is no option in dashboard to remove it from mirroring.

One have to remove it from AWS lambda as well as mongo.

Better if it can be done through dashboard itself.

Your readme states:

Akto offers tests for all OWASP top 10

Can you explain how you test for these two issues:

A04:2021-Insecure Design
A09:2021-Security Logging and Monitoring Failures

💭 Introduction:
test to exploit invalid access control on APIs if API responses are cached

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Signup for Akto
• Check in the Attempt tab, if the payload changes, then task is done.
• Submit the PR here.

✌🏻 Hints:
You can build the yaml template by referring this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

Hi There,

Hope everything is okay. I've installed akto docker app and installed burp extension. Any traffic isn't showing in akto UI. When I checked akto burp plugin I didn't faced HTTP responses just there are requests but no response to these requests.