noir  by owasp-noir

Attack surface detector via static analysis

created 3 years ago
722 stars

Top 48.7% on sourcepulse

Project Summary

OWASP Noir is an open-source attack surface detector designed for white-box security testing and DevSecOps pipelines. It identifies potential entry points like API and web endpoints within source code, aiding in security analysis and enabling more accurate dynamic application security testing (DAST).

How It Works

Noir performs static analysis on source code to extract API endpoints and their parameters and to flag associated security issues. It supports multiple languages and frameworks, combining rule-based passive scanning with AI-assisted discovery of unfamiliar or hidden APIs. Results are emitted in actionable formats such as JSON and YAML, so they can be fed directly into other security tools.

Quick Start & Requirements

Highlighted Details

  • Extracts API endpoints and parameters from source code.
  • Supports multiple languages and frameworks.
  • Uncovers security issues via rule-based passive scanning.
  • Integrates with DevOps pipelines and tools like curl, ZAP, and Caido.
  • Enhances endpoint discovery with AI for unfamiliar frameworks.

Maintenance & Community

The project is open-source and welcomes contributions. Further community engagement details are not provided in the README.

Licensing & Compatibility

The project is licensed under the OWASP Software Foundation License (OSF). This license is permissive and generally compatible with commercial use and closed-source linking.

Limitations & Caveats

The project is in active development, with plans to expand language support and improve accuracy. While AI is mentioned as enhancing discovery, its specific implementation and effectiveness are not detailed.

Health Check

  • Last commit: 6 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 9
  • Issues (30d): 7
  • Star History: 30 stars in the last 90 days
