WStalker – an easy proxy to support Web API assessments

submitted by
Style Pass
2020-06-30 17:23:04

Have you ever faced a situation where you have a number of web services to test but no one is able to provide full working examples of each API call? WStalker is a work aid that helps developers and functional testers record API traffic, so that security testers and other tooling can use that traffic in security assessments.

We have all received a text file with a list of endpoints or a screenshot of the request that should be issued to a web API endpoint.

Sometimes we may receive the information using Postman or Swagger, which is a far better alternative, but these still rarely include working examples of the parameters to be used.

These situations may cause us to spend a lot of time trying to guess the content of some non-obvious parameters and the sequence of requests, especially when the development team isn't around, or when application state requires that information obtained from one request is used in a subsequent request.

Developers can configure the same tools they use for functional testing to use WStalker as a proxy and run their benchmarks as usual; WStalker will create a wstalker.csv file with all the information recorded. Developers can use the already compiled binaries for Windows, Linux and macOS, or they can compile it themselves. Both options are available from NCC Group's GitHub.com page.
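To make the recording-proxy idea concrete, here is a minimal recording HTTP proxy written for this post as an added example. It is not WStalker's code and does not reproduce the wstalker.csv format: the column layout, file name, listening port and the sample request in the comments are all this example's own choices. Functional-test tooling pointed at it as an HTTP proxy gets its plain-HTTP requests forwarded to the origin server, and each request/response pair is appended as one CSV row that a tester can read back later.

```python
"""Minimal recording HTTP proxy (illustration only; not WStalker's code).

Forwards plain-HTTP requests to their origin server and appends one row per
request/response pair to a CSV file, so that functional-test traffic can be
handed to a security tester. The column layout is this example's own choice.
"""
import csv
import sys
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Column layout chosen for this example (assumption; not WStalker's format).
FIELDS = ["method", "url", "request_headers", "request_body",
          "status", "response_headers", "response_body"]

# Hop-by-hop headers that must not be forwarded; Accept-Encoding is dropped so
# the recorded response body is stored uncompressed and stays readable.
SKIP_REQUEST_HEADERS = {"proxy-connection", "connection", "accept-encoding"}
SKIP_RESPONSE_HEADERS = {"transfer-encoding", "connection", "content-length"}


def headers_to_text(headers):
    """Serialise a sequence of (name, value) pairs as 'Name: value' lines."""
    return "\n".join(f"{k}: {v}" for k, v in headers)


def make_row(method, url, req_headers, req_body, status, resp_headers, resp_body):
    """Build one CSV row; bodies are stored as text, decoded leniently."""
    return {
        "method": method,
        "url": url,
        "request_headers": headers_to_text(req_headers),
        "request_body": req_body.decode("utf-8", "replace"),
        "status": str(status),
        "response_headers": headers_to_text(resp_headers),
        "response_body": resp_body.decode("utf-8", "replace"),
    }


class Recorder:
    """Appends rows to a CSV file; locked because the server handles threads."""

    def __init__(self, path):
        self.path = path
        self.lock = threading.Lock()
        with open(path, "w", newline="", encoding="utf-8") as fh:
            csv.DictWriter(fh, FIELDS).writeheader()

    def record(self, row):
        with self.lock, open(self.path, "a", newline="", encoding="utf-8") as fh:
            csv.DictWriter(fh, FIELDS).writerow(row)


def load_rows(path):
    """Read a recording back as a list of dicts (what a tester would consume)."""
    with open(path, newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))


class ProxyHandler(BaseHTTPRequestHandler):
    recorder = None  # set by main() before serving

    def _forward(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        # A client configured to use a proxy puts the absolute URL in the
        # request line, e.g. "POST http://api.example.test/v1/login HTTP/1.1".
        req_headers = [(k, v) for k, v in self.headers.items()
                       if k.lower() not in SKIP_REQUEST_HEADERS]
        upstream = Request(self.path, data=body or None, method=self.command)
        for k, v in req_headers:
            upstream.add_header(k, v)
        try:
            resp = urlopen(upstream, timeout=30)
            status, resp_headers, resp_body = resp.status, list(resp.getheaders()), resp.read()
        except HTTPError as err:  # 4xx/5xx are still worth recording
            status, resp_headers, resp_body = err.code, list(err.headers.items()), err.read()
        self.recorder.record(make_row(self.command, self.path, req_headers, body,
                                      status, resp_headers, resp_body))
        self.send_response(status)
        for k, v in resp_headers:
            if k.lower() not in SKIP_RESPONSE_HEADERS:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(resp_body)))
        self.end_headers()
        self.wfile.write(resp_body)

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = _forward


def main(port=8080, path="recording.csv"):
    """Listen on localhost and record every proxied request into `path`."""
    ProxyHandler.recorder = Recorder(path)
    ThreadingHTTPServer(("127.0.0.1", port), ProxyHandler).serve_forever()


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 8080)
```

Run it, point the functional-test client at `http://127.0.0.1:8080` as its HTTP proxy, and every request and response lands in `recording.csv`. It handles plain HTTP only (no CONNECT tunnelling for HTTPS), which is enough to show the mechanism: the recording happens at the proxy, so the test suite needs no changes, and the resulting file carries the working parameter values and request order that a bare endpoint list lacks.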
