Hi Andres,

The API is indeed "up and running for a while", but we haven't properly
documented it yet, so it is probably not as widely used as it could be.

With regards to your questions:

* Technology stack: we've decided to go with a RESTful API over
XML-RPC for simplicity of protocol, ease of definition of methods,
etc. I had researched a number of minimalistic web servers in Python
at the time and the one that was one-file only and proved to be solid
and maintained was and still is Bottle[1]. It's well documented, easy
to use and intuitive in my opinion.

* We are happy with the technology we use and have no plans to change
it, but instead extend and maintain the API over time, check out its
source code if you're interested[2].

* Someone has tested it under load, the results were good, but I am
sure there is room for improvements here.

* We have not implemented session management in the API (a front-end
would have to), instead we have the concept of tasks. A task[3] is an
object. You can create, edit, query, modify a task given the taskid.
Task ID is generated with a request to /task/new[4]. The task is a
series of independent sqlmap scans that modify the same sqlmap session
file and the data is stored in a local SQLite database.
Furthermore, when you run sqlmapapi.py, an admin ID is created.
This is the only privileged "user" and can request admin methods like
listing all tasks, deleting them, etc.

* Recommendations: try to keep it simple, wrap all standard output and
error in a custom object that writes to a database[5] so these can be
retrieved via the API too.

[1] http://bottlepy.org/docs/0.12/
https://raw.githubusercontent.com/defnull/bottle/master/bottle.py
[2] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py
[3] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L91
and https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L103
[4] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L339
[5] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L202

Good luck!

Bernardo

On 20 March 2014 19:05, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> Great reply :)
>
> Bye
>
> On Mar 20, 2014 4:13 PM, "Brandon Perry" <bperry.volat...@gmail.com> wrote:
>>
>> I can't comment on building the API, but I maintain C# bindings to the
>> sqlmap REST API and, programmatically, it works really well.
>>
>> There is no authentication, but I only ever run it on localhost anyway so
>> this isn't a big deal to me.
>>
>> I have tested it under relatively heavy load (one API instance testing
>> multiple applications) and it has been performant. I don't recall ever
>> saying "Man, I wish this were faster".
>>
>> JSON is totally the way to go for data requests/responses.
>>
>> One recommendation I have since I deal with many APIs on a daily basis is
>> please don't assume the programmers will be interacting with your API with
>> language X. The Metasploit MSGPACK API is a good example of this and is very
>> cumbersome to use from a strongly typed language. Arachni falls into a
>> similar field relying on Ruby-style marshalling or YAML which I simply can't
>> do from, say, C#.
>>
>> Aside from sqlmap, I also really like the cuckoo-sandbox API.
>>
>>
>>
>> On Thu, Mar 20, 2014 at 10:00 AM, Andres Riancho
>> <andres.rian...@gmail.com> wrote:
>>>
>>> List,
>>>
>>>     I'm going to abuse the list a little bit, and poke your brains for
>>> a while, so be prepared :)
>>>
>>>     The w3af project wants to implement its own REST API to expose the
>>> w3afCore and KnowledgeBase objects. The core allows users to configure
>>> the plugins and start the scan, and the knowledge base holds the
>>> vulnerabilities.
>>>
>>>     You guys implemented a REST API for sqlmap, which has been up and
>>> running for a while now.
>>>
>>>     What I wanted to know is:
>>>         * What's the technology stack you guys used for creating the REST
>>> API?
>>>         * Were you happy with it? Would you use something different if
>>> you had the chance?
>>>         * Have you tested the API under heavy load?
>>>         * Do you have the concept of sessions and users in the API? Why
>>> not?
>>>         * Any recommendations on API design? (paths, results, hrefs,
>>> etc.)
>>>
>>>     Thanks!
>>>
>>> Regards,
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Learn Graph Databases - Download FREE O'Reilly Book
>>> "Graph Databases" is the definitive new guide to graph databases and
>>> their
>>> applications. Written by three acclaimed leaders in the field,
>>> this first edition is now available. Download your free book today!
>>> http://p.sf.net/sfu/13534_NeoTech
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>>
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>>
>>
>>
>
>
-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)

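The task lifecycle Bernardo describes (create a task via /task/new, run a scan against it, poll it, read its results, delete it), written out as a small client. This is an added example for this thread, not code from sqlmap or from any of the posters. Only /task/new is named in the thread; the other paths (/scan/<taskid>/start, /scan/<taskid>/status, /scan/<taskid>/data, /task/<taskid>/delete) and the "running"/"terminated" status strings are assumed from the api.py module linked above and should be checked against your sqlmap version. Because, as Brandon notes, the API has no authentication, the client refuses a non-loopback host unless told otherwise. The `CannedSqlmapApi` class is a constructed offline stand-in with made-up responses so the block runs without a live sqlmapapi.py; its findings payload is invented and does not reproduce sqlmap's real data format.

```python
"""Minimal client for the sqlmap REST API, plus an offline stand-in server.

Added example, not part of the original thread or of sqlmap itself.
Endpoint paths other than /task/new are assumptions taken from the
lib/utils/api.py module linked in the thread.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


class SqlmapApiClient:
    """Talks to a running sqlmapapi.py server.

    `opener` has the urllib.request.urlopen signature and is injectable so the
    client can be exercised offline against canned responses.
    """

    def __init__(self, base_url="http://127.0.0.1:8775", opener=urllib.request.urlopen,
                 allow_remote=False):
        host = urllib.parse.urlsplit(base_url).hostname
        # The API has no authentication (see Brandon's post): do not talk to it
        # across a network unless the caller explicitly accepts that.
        if host not in LOOPBACK_HOSTS and not allow_remote:
            raise ValueError("sqlmapapi has no authentication; refusing non-loopback host %r" % host)
        self.base_url = base_url.rstrip("/")
        self.opener = opener

    def _call(self, method, path, payload=None):
        data, headers = None, {}
        if payload is not None:
            data = json.dumps(payload).encode("utf-8")
            headers["Content-Type"] = "application/json"  # api.py reads request.json
        req = urllib.request.Request(self.base_url + path, data=data, headers=headers, method=method)
        try:
            with self.opener(req) as resp:
                body = json.loads(resp.read().decode("utf-8"))
        except urllib.error.HTTPError as exc:
            raise RuntimeError("%s %s returned HTTP %d" % (method, path, exc.code))
        if not body.get("success"):
            raise RuntimeError("%s %s failed: %r" % (method, path, body.get("message")))
        return body

    def new_task(self):
        return self._call("GET", "/task/new")["taskid"]

    def start_scan(self, taskid, options):
        return self._call("POST", "/scan/%s/start" % taskid, options)["engineid"]

    def status(self, taskid):
        return self._call("GET", "/scan/%s/status" % taskid)["status"]

    def data(self, taskid):
        return self._call("GET", "/scan/%s/data" % taskid)["data"]

    def delete_task(self, taskid):
        self._call("GET", "/task/%s/delete" % taskid)

    def run_scan(self, options, poll_interval=2.0, timeout=3600, sleep=time.sleep):
        """Create a task, run one scan to completion, return findings, delete the task."""
        taskid = self.new_task()
        try:
            self.start_scan(taskid, options)
            deadline = time.monotonic() + timeout
            while True:
                st = self.status(taskid)
                if st == "terminated":
                    return self.data(taskid)
                if time.monotonic() > deadline:
                    raise TimeoutError("scan %s still %r after %ss" % (taskid, st, timeout))
                sleep(poll_interval)
        finally:
            self.delete_task(taskid)  # always release the task, even on error


class _Resp:
    """Context-manager/response shim so the canned server fits urlopen's shape."""
    def __init__(self, body):
        self._body = json.dumps(body).encode("utf-8")
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class CannedSqlmapApi:
    """Constructed offline stand-in for sqlmapapi.py (responses are made up).

    Models the task lifecycle: /task/new -> /scan/<id>/start -> status goes
    'running' for two polls, then 'terminated' -> /scan/<id>/data -> delete.
    """
    def __init__(self):
        self.tasks, self.calls = {}, []

    def __call__(self, req):
        path = urllib.parse.urlsplit(req.full_url).path
        self.calls.append((req.get_method(), path))
        parts = path.strip("/").split("/")
        if parts == ["task", "new"]:
            taskid = "%016x" % len(self.tasks)  # the real api.py issues random hex IDs
            self.tasks[taskid] = {"polls": 0, "options": {}}
            return _Resp({"success": True, "taskid": taskid})
        kind, taskid, action = parts
        task = self.tasks.get(taskid)
        if task is None:
            return _Resp({"success": False, "message": "Invalid task ID"})
        if (kind, action) == ("scan", "start"):
            task["options"] = json.loads(req.data.decode("utf-8"))
            return _Resp({"success": True, "engineid": 4242})
        if (kind, action) == ("scan", "status"):
            task["polls"] += 1
            return _Resp({"success": True, "status": "running" if task["polls"] < 3 else "terminated"})
        if (kind, action) == ("scan", "data"):
            return _Resp({"success": True, "data": [{"target": task["options"].get("url")}]})
        if (kind, action) == ("task", "delete"):
            del self.tasks[taskid]
            return _Resp({"success": True})
        return _Resp({"success": False, "message": "Unknown path %s" % path})


def demo_offline():
    """Drive the client through one full scan against the canned server."""
    server = CannedSqlmapApi()
    client = SqlmapApiClient(opener=server)
    findings = client.run_scan({"url": "http://target.example/item.php?id=1"},
                               poll_interval=0, sleep=lambda _s: None)
    return findings, server.calls, len(server.tasks)


if __name__ == "__main__":
    print(demo_offline())
```

Against a real server, drop the `opener` argument and `sleep` override; `run_scan` then polls sqlmapapi.py every two seconds and the `finally` clause deletes the task even if the scan is aborted, which matters because tasks otherwise accumulate in the server's SQLite store.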