
Introduction:
Modern applications are riddled with undocumented endpoints, deprecated routes, and “shadow APIs” that evade traditional security scans. OWASP Noir bridges the gap between static and dynamic analysis (SAST/DAST) by parsing source code to build an authoritative, accurate inventory of every endpoint—including those your developers forgot to document. This article explores how to deploy Noir, hunt hidden attack surfaces, and harden your API landscape with actionable commands and workflows.
Learning Objectives:
- Install and configure OWASP Noir to analyze source code repositories for hidden endpoints and shadow APIs.
- Execute endpoint discovery and attack surface mapping using both automated and manual verification techniques.
- Apply mitigation strategies against exposed internal routes, deprecated functions, and misconfigured API gateways.
You Should Know:
1. Deploying OWASP Noir for Source Code Analysis
Noir reads your application’s source tree (JavaScript, Python, Java, Go, etc.) and extracts every possible route definition, including dynamic parameters, HTTP methods, and authentication requirements. It outperforms simple grep by understanding framework-specific routing (e.g., Express.js, Flask, Spring Boot).
Step‑by‑step guide (Linux/macOS):
```bash
# Clone the official repository (replace with actual OWASP Noir URL)
git clone https://github.com/OWASP/Noir.git
cd Noir
# Install dependencies (Python 3.9+ required)
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Run Noir against a target source code directory
python noir.py -t /path/to/your/app/source -o noir_report.json
```
For Windows (PowerShell):
```powershell
git clone https://github.com/OWASP/Noir.git
cd Noir
python -m venv venv
.\venv\Scripts\Activate.ps1
pip install -r requirements.txt
python noir.py -t C:\path\to\source -o noir_report.json
```
What it does:
Noir recursively scans files, builds an abstract syntax tree (AST) for supported languages, and extracts routes along with their HTTP verbs, middleware, and any hardcoded authentication tokens. Use the JSON output to feed downstream tools like Postman, Burp Suite, or custom fuzzers.
2. Exposing Shadow APIs via Endpoint Inventory
Shadow APIs are endpoints that exist in the codebase but are not listed in any OpenAPI/Swagger spec or internal documentation. Noir’s “diff” mode compares discovered endpoints against a known specification file.
Step‑by‑step guide:
Generate a baseline spec (e.g., from an existing Swagger file); assume you have `swagger.yaml` from your API gateway.
```bash
# Run Noir and compare the discovered endpoints against the spec
python noir.py -t ./source --compare swagger.yaml --output-diff shadow_endpoints.txt
# View only endpoints missing from the spec
grep "MISSING" shadow_endpoints.txt
# For authenticated endpoints, provide a sample config
python noir.py -t ./source --auth-config auth_config.json --verbose
```
Example `auth_config.json`:
```json
{
  "headers": { "Authorization": "Bearer $TOKEN" },
  "cookies": { "sessionid": "value" },
  "rate_limit": 5
}
```
After discovery, manually test each shadow endpoint with `curl` or a fuzzer:
```bash
curl -X GET https://target.com/api/v2/internal/debug/config -H "Authorization: Bearer $TOKEN"
```
If a shadow API returns sensitive data (e.g., internal IPs, database credentials), it becomes a high‑severity finding.
3. Mapping Attack Surface with Noir + OWASP ZAP Integration
Combine Noir’s static inventory with ZAP’s dynamic scanning to achieve full coverage. Noir provides the “what” (endpoints), ZAP provides the “how” (exploitation).
Step‑by‑step guide:
1. Export Noir endpoints as a ZAP script:
```bash
python noir.py -t ./source --export-zap noir_endpoints.zap
```
2. Launch ZAP in daemon mode:
```bash
zap.sh -daemon -port 8080 -config api.disablekey=true
```
3. Import the script via the ZAP API:
```bash
curl -X POST http://localhost:8080/JSON/script/action/load/ \
  -d "scriptName=noir_endpoints&scriptType=active&scriptEngine=ECMAScript&fileName=noir_endpoints.zap"
```
4. Run an active scan against all discovered endpoints:
```bash
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://target.com&recurse=true&inScopeOnly=false&method=GET&postData="
```
For Windows, use the ZAP desktop UI or PowerShell equivalent. This workflow uncovers injection flaws, IDORs, and misconfigured CORS on endpoints that traditional crawlers would miss because they lack authentication context or route definitions.
4. Mitigating Exposed Deprecated Endpoints
Noir identifies endpoints marked with `@Deprecated` (Java), `@deprecated` (Python), or routes under `/old/`, `/v1/`, `/test/`. Once discovered, you must either remove them or strictly enforce network controls.
Linux command to find all deprecated endpoints from Noir report:
```bash
jq '.endpoints[] | select(.deprecated==true) | .path' noir_report.json
```
Mitigation steps:
- Immediate: Block access at the reverse proxy level (Nginx example):
```nginx
location ~ ^/(old|deprecated|test)/ {
    deny all;
    return 403;
}
```
- Medium term: Implement API versioning with sunset headers. Add a middleware that responds with `Deprecation: true` and `Sunset: Wed, 31 Dec 2025 23:59:59 GMT`.
- Long term: Run Noir in CI/CD to prevent reintroduction of deprecated routes. Use a `.noirignore` file to whitelist known legacy endpoints temporarily.
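The medium-term step above, as an added Python example that is not part of the original post: a framework-agnostic WSGI middleware (assumed here instead of any specific framework) that attaches the `Deprecation` and `Sunset` headers to routes under the legacy prefixes, and goes one step further than the text by answering 410 Gone once the sunset date has passed. The `demo_app` and `call` helper are constructed so the block runs offline.

```python
from datetime import datetime, timezone
from email.utils import format_datetime

# Route prefixes the article treats as legacy; adjust to your own Noir findings.
DEPRECATED_PREFIXES = ("/old/", "/v1/", "/test/")
# Sunset date from the article, as a timezone-aware datetime.
SUNSET = datetime(2025, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

def is_deprecated(path):
    """True when the request path falls under a deprecated route prefix."""
    return path.startswith(DEPRECATED_PREFIXES)

class DeprecationMiddleware:
    """WSGI middleware that adds Deprecation and Sunset headers to legacy
    routes and, once the sunset date has passed, answers 410 Gone without
    reaching the app (the 410 step is an addition beyond the article)."""

    def __init__(self, app, sunset=SUNSET, clock=None):
        self.app = app
        self.sunset = sunset
        self.clock = clock or (lambda: datetime.now(timezone.utc))  # injectable for tests

    def __call__(self, environ, start_response):
        if not is_deprecated(environ.get("PATH_INFO", "")):
            return self.app(environ, start_response)
        extra = [("Deprecation", "true"),
                 ("Sunset", format_datetime(self.sunset, usegmt=True))]
        if self.clock() > self.sunset:
            start_response("410 Gone", [("Content-Type", "text/plain")] + extra)
            return [b"This endpoint has been retired\n"]

        def start_with_headers(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, start_with_headers)

def demo_app(environ, start_response):
    """Constructed stand-in for the real API (always 200)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def call(app, path):
    """Invoke a WSGI app offline and return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```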
5. Hardening API Authentication & Authorization
Noir extracts authentication requirements per endpoint (e.g., @login_required, Authorization: Bearer). Missing auth on sensitive endpoints is a critical finding.
Step‑by‑step guide to validate auth gaps:
```bash
# Extract all endpoints that lack auth annotations
python noir.py -t ./source --auth-marker "auth_required" --list-unprotected > no_auth_endpoints.txt
# For each endpoint, send an unauthenticated request and check for 200 OK
# (anything that does not answer 401 is listed)
while read -r endpoint; do
  curl -s -o /dev/null -w "%{http_code} %{url_effective}\n" "https://target.com$endpoint"
done < no_auth_endpoints.txt | grep -v 401
```
Windows PowerShell equivalent:
```powershell
Get-Content no_auth_endpoints.txt | ForEach-Object {
    # -SkipHttpErrorCheck (PowerShell 7+) keeps 4xx responses from throwing so the status can be inspected
    $status = (Invoke-WebRequest -Uri "https://target.com$_" -Method Get -SkipCertificateCheck -SkipHttpErrorCheck).StatusCode
    if ($status -ne 401) { Write-Host "$_ returned $status" }
}
```
If any endpoint returns `200` or `302` (redirect to login but still accessible via direct object reference), you have an authorization bypass. Remediate by adding proper middleware or attribute‑based checks.
6. Automating Noir in CI/CD Pipelines
Integrate Noir into GitHub Actions or Jenkins to block builds when shadow APIs exceed a threshold.
Example GitHub Actions workflow (`.github/workflows/noir-scan.yml`):
```yaml
name: OWASP Noir Scan
on: [push, pull_request]
jobs:
  noir:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Noir
        run: |
          git clone https://github.com/OWASP/Noir.git
          cd Noir && pip install -r requirements.txt
      - name: Run Noir and fail if >5 shadow endpoints
        run: |
          python Noir/noir.py -t ./src -o noir_report.json
          SHADOW_COUNT=$(jq '.endpoints[] | select(.shadow==true) | .path' noir_report.json | wc -l)
          if [ "$SHADOW_COUNT" -gt 5 ]; then
            echo "Too many shadow endpoints ($SHADOW_COUNT) – failing build"
            exit 1
          fi
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: noir-report
          path: noir_report.json
```
For Jenkins, use the Pipeline plugin to call similar shell steps. This ensures continuous visibility into your API attack surface.
7. Remediation Playbook for Shadow APIs
Once Noir identifies a shadow endpoint, follow this response playbook:
1. Confirm functionality: Is the endpoint still in use? Check production logs for requests to that path.
2. If active: Document it immediately (update OpenAPI spec). Then assess its sensitivity.
3. If inactive: Remove the code and the route from the API gateway. For immediate risk, apply WAF rule:
Example ModSecurity rule to block a specific shadow API:
```apache
SecRule REQUEST_URI "@streq /api/internal/old/debug" "id:1001,deny,status:403,msg:'Shadow API blocked'"
```
4. If needed but hidden: Add authentication and rate limiting. Use an API gateway to move it to a non‑guessable path (e.g., `/api/internal-v2/` with a random token).
5. Post‑remediation: Re‑run Noir with `--compare` against the updated spec to confirm the endpoint is either removed or properly documented.
What Undercode Says:
- Key Takeaway 1: OWASP Noir transforms reactive API security into proactive asset inventory, revealing shadow endpoints that SAST alone misses and DAST can’t reach without prior knowledge.
- Key Takeaway 2: Integrating Noir into CI/CD pipelines and combining it with ZAP or Burp creates a continuous attack surface management loop, drastically reducing the window of exposure for forgotten routes.
Analysis: The rise of microservices and rapid development cycles has made API sprawl the top attack vector in 2025. Noir addresses a critical blind spot: undocumented endpoints that become silent backdoors. By automating endpoint discovery from source code, security teams can finally answer “what APIs do we actually have?” without manual, error‑prone audits. The tool’s ability to differentiate between public, internal, and deprecated routes allows for risk‑based prioritization—shadow APIs handling PII or admin functions become immediate fire drills. Moreover, Noir’s export formats (ZAP, JSON, OpenAPI diff) plug directly into existing toolchains, making adoption frictionless for red teams and appsec engineers alike. As API‑driven architectures dominate, expect Noir‑like capabilities to become mandatory in every DevSecOps pipeline.
Prediction:
Within two years, API endpoint discovery tools like OWASP Noir will be as fundamental as SAST scanners. Regulatory frameworks (e.g., PCI DSS v5, NIS2) will require organizations to maintain a verifiable, real‑time inventory of all API endpoints, with penalties for shadow APIs. AI‑assisted variants will automatically suggest remediation code (e.g., adding authentication middleware) and predict which shadow endpoints are most likely to be exploited based on code comments and change history. Companies that fail to adopt such tooling will face breach rates 3x higher than peers due to unmonitored internal routes exposed to the internet. The future of API security is not just scanning—it’s knowing what you have before anyone else does.
Reported By: 0xfrost Owasp – Hackers Feeds