14. Enter Syntribos
• THE DAIMONES KERAMIKOI were five malevolent spirits which plagued the craftsman potter:
– Syntribos (the Shatterer)
– Smaragos (the Smasher)
– Asbetos (Charrer)
– Sabaktes (Destroyer)
– Omodamos (Crudebake).
15. API Test Automation!
• Automatic fuzzer for HTTP requests
– Currently Based on FuzzDB Test Strings
• Fully customizable
• Open source!
20. Syntribos Payload
• Data can be generated based on the test
• Data generation supports HTTP protocol
• Automated replacement
– URL Path
– URL Parameters
– HTTP Headers
– Body JSON, XML
22. Syntribos Extensions
• Used to supply supplementary data
• Any data source can be referenced
• Can be stored external to Syntribos
• Returns a string or generator of strings
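The payload replacement on the previous slide and the extension contract above, modelled as an added example (constructed here, not Syntribos code): a request template is walked for every string leaf, and each leaf is swapped in turn for each string yielded by a hypothetical `fuzz_extension()` generator, so every fuzzed request differs from the template in exactly one place. The template, base URL and fuzz strings are constructed stand-ins.

```python
import copy
from typing import Any, Dict, Iterator, List, Tuple
from urllib.parse import quote, urlencode

Path = Tuple[Any, ...]

# Constructed stand-in for a FuzzDB-style string list; real lists are far longer.
FUZZ_STRINGS: List[str] = ["' OR '1'='1", "<svg onload=alert(1)>", "A" * 64, "%00", "../../etc/passwd"]

def fuzz_extension() -> Iterator[str]:
    """Hypothetical extension: any callable returning a string or a generator of strings."""
    yield from FUZZ_STRINGS

# Constructed request template; only "method" is excluded from fuzzing.
TEMPLATE: Dict[str, Any] = {
    "method": "POST",
    "path": ["v2", "users", "42"],
    "query": {"verbose": "true"},
    "headers": {"X-Auth-Token": "TOKEN_PLACEHOLDER", "Content-Type": "application/json"},
    "body": {"user": {"name": "alice", "roles": ["member"]}},
}

def injection_points(node: Any, prefix: Path = ()) -> List[Path]:
    """Collect a path to every string leaf: URL path segments, query parameters,
    header values and JSON body values (lists included)."""
    if isinstance(node, dict):
        return [p for k, v in node.items() if (prefix, k) != ((), "method")
                for p in injection_points(v, prefix + (k,))]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in injection_points(v, prefix + (i,))]
    return [prefix] if isinstance(node, str) else []

def mutate(template: Dict[str, Any], path: Path, payload: str) -> Dict[str, Any]:
    """Deep-copy the template and replace exactly one leaf with the payload."""
    req = copy.deepcopy(template)
    node = req
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = payload
    return req

def generate_requests(template: Dict[str, Any], payloads: Iterator[str]):
    """Yield (point, payload, request): one injection point and one payload per request,
    so an anomalous response can be attributed to a single change."""
    strings = list(payloads)  # the extension may be a generator; consume it once
    for point in injection_points(template):
        for s in strings:
            yield point, s, mutate(template, point, s)

def render_url(req: Dict[str, Any], base: str = "https://api.example.test") -> str:
    """Assemble the URL, percent-encoding fuzzed path segments and query values."""
    path = "/".join(quote(seg, safe="") for seg in req["path"])
    return f"{base}/{path}?{urlencode(req['query'])}"
```

With the constructed template there are 8 injection points and 5 strings, so the generator yields 40 requests while the template itself is never modified.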
Automation tools exist for infrastructure/network (Nessus, Nexpose, Metasploit, Nikto), WebApp/UI (AppScan, Veracode, ZAP dynamic scan) and code (Veracode, Bandit). They are not fire-and-forget, but they can help find low-hanging fruit and points of interest.
But what about API testing?
• 3rd-party vendors
• Manual testing – curl, custom code: tedious; repeatable but not scalable or transferable; hard to audit
• Partial automation – ZAP, Burp
• No standard format or contract definition
• No schema (SOAP, etc.)
• Authentication methods vary widely