oppa requires Go 1.22+ to install successfully.
CGO_ENABLED=1 go install github.com/oneaudit/oppa/cmd/oppa@latest
oppa -h
This will display help for the tool. Here are all the switches it supports.
Oppa is a toolkit to generate OpenAPI specifications from JSON lines.
Usage:
  oppa [flags]

Flags:
TARGET:
   -t, -target string       target input file to parse
   -im, -input-mode string  mode of input file (jsonl, logger++) (default "jsonl")

CONFIGURATION:
   -config string  path to the oppa configuration file

TUNING:
   -no-origin, -n                     By default, oppa adds an Origin header to all paths.
   -keep-404, -k4                     By default, oppa skips file endpoint with a 404 code.
   -filter-regex, -fr string[]        Skip endpoints based on a regex.
   -filter-regex-base, -frb string[]  Skip endpoints based on a regex.

OUTPUT:
   -d, -output-dir string  store openapi to custom directory
   -silent                 display output only
   -v, -verbose            display verbose output
   -debug                  display debug output
   -version                display project version
Oppa implements a strange and unconventional merge logic. Oppa has no knowledge of the parameters in each request, so to avoid losing information it creates one OpenAPI entry for each unique URL.
https://example.com/?page=index
https://example.com/?page=home
This results in a strange OpenAPI file. This unconventional approach makes it easier to test multiple query parameter combinations with nuclei without editing the tool.
/:
  get:
    parameters:
      - in: query
        name: page
        schema:
          default: index
          type: string
    responses:
      default:
        description: ""
//:
  get:
    parameters:
      - in: query
        name: page
        schema:
          default: home
          type: string
    responses:
      default:
        description: ""
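The merge behaviour described above, as an added Go sketch that is not oppa's own code. The `Entry` type, the `BuildEntries` function and the rule that each repeated path gets one more leading slash are assumptions inferred from the `/` and `//` keys in the output shown; the URLs in `main` are the two from this page.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Entry is one generated path item (hypothetical type). Defaults maps each
// query parameter name to the value observed in the crawled URL.
type Entry struct {
	Key      string
	Defaults map[string]string
}

// BuildEntries emits one entry per unique URL instead of merging by path.
// Assumption: the Nth extra URL on a path gets N extra leading slashes.
func BuildEntries(rawURLs []string) ([]Entry, error) {
	seen := map[string]bool{}   // exact URLs already emitted
	perPath := map[string]int{} // entries emitted so far for each path
	var entries []Entry
	for _, raw := range rawURLs {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, fmt.Errorf("parse %q: %w", raw, err)
		}
		if seen[u.String()] {
			continue // identical request: nothing new to record
		}
		seen[u.String()] = true
		path := u.Path
		if path == "" {
			path = "/" // "https://host?x=1" has an empty path
		}
		e := Entry{Key: strings.Repeat("/", perPath[path]) + path, Defaults: map[string]string{}}
		perPath[path]++
		for name, vals := range u.Query() {
			e.Defaults[name] = vals[0] // first observed value becomes the default
		}
		entries = append(entries, e)
	}
	return entries, nil
}

func main() {
	entries, err := BuildEntries([]string{"https://example.com/?page=index", "https://example.com/?page=home"})
	fmt.Println(entries, err)
}
```

Because every observed value survives as its own entry, a scanner driven by the file exercises each parameter combination that the crawl recorded.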
Oppa can work from the Katana JSON Lines output file format. By default, generated files are stored in the oppa_openapi folder.
$ katana -u https://example.com -jsonl -o requests.txt
$ oppa -im jsonl -t requests.txt
On a GLPI project with directory listing, we can use:
oppa -config config.yaml -target katana.txt -fr "^/icons/" -fr "^/src/" -fr "^/pics/" -fr "^/templates/" -fr "^/css_compiled/"