# 🛡️ munshig

**Runtime API security that catches vulnerabilities as they happen.**

munshig is a zero-config security proxy that monitors your API during development and automatically detects critical vulnerabilities like broken access control, missing authentication, SQL injection, and PII leaks, **before they reach production**.

```bash
npx munshig
# That's it. Your API is now being monitored for security issues.
```

---

## 🔥 The Problem

**APIs get hacked because developers miss authorization checks.**

This exact bug has caused:

- **Facebook**: 50 million accounts exposed (2018)
- **T-Mobile**: 37 million customer records leaked (2023)
- **Optus** (Australia): 10 million customers exposed (2022)
- **Peloton**: All user data accessible (2021)

Traditional security tools:

- ❌ Cost $500k/year (Salt Security, Traceable AI)
- ❌ Take 6 months to deploy
- ❌ Require security teams to operate
- ❌ Miss logic bugs (static analysis can't catch runtime issues)

**munshig is different:**

- ✅ Free and open source
- ✅ Works in 30 seconds
- ✅ Catches bugs during development
- ✅ No configuration required

---

## ⚡ Quick Start

```bash
# Start munshig (runs on port 3001 by default)
npx munshig

# Point your app/tests to localhost:3001 instead of localhost:3000
# munshig will forward traffic and monitor for vulnerabilities
```

That's it. munshig will now catch security bugs in real-time.

---

## 🎯 What It Catches

### 1. **Broken Access Control (BOLA)** 🔴 CRITICAL

**The #1 API vulnerability** (OWASP A01:2021)

```javascript
// Your API code (vulnerable):
app.get('/api/users/:id', (req, res) => {
  const user = db.getUser(req.params.id);
  res.json(user); // ❌ No authorization check!
});

// User 456 requests /api/users/123
// API returns User 123's data
```

**munshig catches this:**

```
🔴 ══════════════════════════════════════════════════════════════
⚠️  CRITICAL SECURITY VULNERABILITY DETECTED
════════════════════════════════════════════════════════════════

SEVERITY: CRITICAL (CVSS: 8.2)
TYPE: BROKEN_ACCESS_CONTROL (BOLA)

🚨 User 456 accessed resource 123

📍 Endpoint: GET /api/users/123
👤 Authenticated User: 456
🎯 Accessed Resource: 123

🔴 Impact: Users can access other users' private data
📋 OWASP: A01:2021 - Broken Access Control

🔧 HOW TO FIX:

app.get('/api/users/:id', async (req, res) => {
  const currentUserId = req.user.id;
  const requestedId = req.params.id;

  if (currentUserId !== requestedId) {
    return res.status(403).json({ error: 'Forbidden' });
  }

  const user = await db.getUser(requestedId);
  res.json(user);
});
```

### 2. **Missing Authentication** 🟡 HIGH

Catches endpoints that should require authentication but don't.

```
🚨 ══════════════════════════════════════════════════════════════
SEVERITY: HIGH
TYPE: MISSING_AUTHENTICATION

GET /api/admin/settings returned 200 without authentication

💡 RECOMMENDATION: Add authentication middleware to verify user identity
```

### 3. **SQL Injection** 🔴 CRITICAL

Detects SQL injection attempts in query parameters.

```
⚠️ ══════════════════════════════════════════════════════════════
SECURITY THREAT DETECTED
SEVERITY: CRITICAL
TYPE: INJECTION_ATTACK (SQL_INJECTION)

SQL Boolean Injection detected in GET /api/users?id=' OR '1'='1

🔧 HOW TO FIX:

// ❌ BAD:
const query = `SELECT * FROM users WHERE id = '${userId}'`;

// ✅ GOOD:
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [userId]);
```

### 4. **PII Exposure** 🟡 HIGH

Detects sensitive data (SSN, credit cards, emails) in API responses.
```
🔒 ══════════════════════════════════════════════════════════════
DATA PRIVACY VIOLATION DETECTED
SEVERITY: HIGH
TYPE: DATA_EXPOSURE (PII_LEAK)

API response contains sensitive PII: SSN, Email

📍 PII TYPES DETECTED:
  • SSN (e.g., 123-45-6789)
  • Email (e.g., user@example.com)

🔧 HOW TO FIX:

// Redact sensitive fields
res.json({
  id: user.id,
  name: user.name,
  email: user.email.replace(/(.{2})(.*)(@.*)/, '$1***$3'),
  ssn: '***-**-' + user.ssn.slice(-4)
});
```

---

## 🎬 Demo

```bash
# Terminal 1: Start your API
npm run dev
# Your API runs on :3000

# Terminal 2: Start munshig
npx munshig

# Terminal 3: Make requests
curl http://localhost:3001/api/users/123
```

**munshig output:**

```
🛡️  Munshig proxy running on :3001
📡 Forwarding to :3000
⚡ Started at 2:30:45 PM

[14:30:50] ➡️  GET /api/users/123
[14:30:50] ⬅️  GET /api/users/123 → 200

🔴 ══════════════════════════════════════════════════════════════
⚠️  CRITICAL SECURITY VULNERABILITY DETECTED

User 456 accessed resource 123
This is a Broken Access Control bug (OWASP #1)

[Full details and fix provided...]
════════════════════════════════════════════════════════════════
```

---

## 📊 Session Summary

Press `Ctrl+C` to stop munshig and see a summary:

```
📊 MUNSHIG SESSION SUMMARY
════════════════════════════════════════════════════════════════

🔍 Total Requests: 47
🚨 Issues Found: 3
📍 Endpoints Discovered: 12

⚠️  3 security vulnerabilities detected!
Review the alerts above and fix before deploying.
════════════════════════════════════════════════════════════════
```

---

## 📦 Installation

### Using npx (recommended)

```bash
npx munshig
```

### Global install

```bash
npm install -g munshig
munshig
```

### Local development

```bash
git clone https://github.com/shaikhzaynsaif/munshig.git
cd munshig
npm install
npm start
```

---

## 🔧 Configuration

munshig works with **zero configuration**, but you can customize:

```bash
# Default behavior (proxy on :3001, forwards to :3000)
npx munshig

# Custom ports (coming soon)
npx munshig --port 3000 --proxy 8080
```

---

## 🏗️ How It Works

1. **Proxy Setup**: munshig starts an HTTP proxy on port 3001
2. **Traffic Interception**: All requests/responses are captured
3. **JWT Analysis**: Extracts user IDs from Authorization headers
4. **Pattern Detection**: Runs security detectors on each request
5. **Real-time Alerts**: Shows vulnerabilities with actionable fixes

**No code changes required.** Just point your client to the proxy.

---

## 🆚 Comparison

| Feature | munshig | Salt Security | Snyk | Manual Audits |
|---------|---------|---------------|------|---------------|
| **Price** | Free | $500k/year | $99/mo | $10k+ |
| **Setup Time** | 30 seconds | 6 months | 1 day | Weeks |
| **BOLA Detection** | ✅ Automatic | ✅ Yes | ❌ No | ✅ Manual |
| **Runtime Analysis** | ✅ Yes | ✅ Yes | ❌ Static only | ❌ One-time |
| **For Developers** | ✅ Yes | ❌ Enterprise | ⚠️ Partial | ❌ Post-dev |
| **Open Source** | ✅ Yes | ❌ No | ❌ No | N/A |

---

## 🎯 Who Is This For?

- **Solo developers** building APIs
- **Startup engineering teams** (pre-Series A)
- **Open source maintainers** securing their projects
- **Security researchers** testing APIs
- **Students** learning API security

---

## 🛠️ Tech Stack

- **Node.js** - Runtime
- **Express** - HTTP handling
- **http-proxy** - Traffic forwarding
- **JWT decoding** - User identification

**Zero dependency bloat.** Just 2 core dependencies.
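The pipeline under "How It Works" (steps 3 and 4: JWT analysis and running detectors on each exchange), reduced to a single file as an added example. This is not munshig's own code. It assumes the proxy hands over each exchange as a plain `{ request, response }` record with lower-cased header names, takes the user id from the JWT `sub` claim without verifying the signature, and treats a numeric or UUID trailing path segment as the resource id. The private-path prefixes, the signature lists and the two sample exchanges are constructed for the example.

```javascript
// Added example, not munshig's own code: a minimal version of the per-request
// analysis described under "How It Works". Assumptions: each exchange arrives as
// a plain { request, response } record with lower-cased header names, the user
// id is the JWT `sub` claim, and the resource id is a numeric/UUID trailing path segment.

function base64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// The JWT payload is decoded WITHOUT signature verification: the proxy only
// needs the claims to attribute traffic, so this must never double as auth.
function extractUserId(headers) {
  const m = /^Bearer\s+([^.\s]+)\.([^.\s]+)\.([^.\s]+)$/.exec(headers.authorization || '');
  if (!m) return null;
  try {
    const claims = JSON.parse(base64urlDecode(m[2]));
    return claims.sub == null ? null : String(claims.sub);
  } catch { return null; } // malformed token: analysed as unauthenticated
}

// Numeric or UUID trailing segment; collection routes such as /api/users give null.
function extractResourceId(path) {
  const seg = path.split('?')[0].split('/').filter(Boolean).pop() || '';
  return /^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$/i.test(seg) ? seg : null;
}

const is2xx = (status) => status >= 200 && status < 300;

// 1. BOLA: an authenticated user reads another principal's object and gets 2xx.
function detectBola({ request, response }) {
  const userId = extractUserId(request.headers);
  const resourceId = extractResourceId(request.path);
  if (!userId || !resourceId || userId === resourceId || !is2xx(response.status)) return null;
  return { type: 'BROKEN_ACCESS_CONTROL', severity: 'CRITICAL',
    detail: `User ${userId} accessed resource ${resourceId}` };
}

// 2. Missing authentication: 2xx with no Authorization header on a private-looking path.
const PRIVATE_PREFIXES = ['/api/admin', '/api/users/', '/api/account']; // assumption for this example
function detectMissingAuth({ request, response }) {
  if (request.headers.authorization || !is2xx(response.status)) return null;
  if (!PRIVATE_PREFIXES.some((p) => request.path.startsWith(p))) return null;
  return { type: 'MISSING_AUTHENTICATION', severity: 'HIGH',
    detail: `${request.method} ${request.path} returned ${response.status} without authentication` };
}

// 3. SQL injection signatures in the query string; short on purpose, a real detector is tuned.
const SQLI_PATTERNS = [
  /'\s*(or|and)\b/i,                    // quote then boolean operator: ' OR '1'='1
  /(--|\/\*)/,                          // comment terminators
  /;\s*(drop|delete|update|insert)\b/i, // stacked statements
];
function detectSqlInjection({ request }) {
  let query = request.path.split('?')[1] || '';
  try { query = decodeURIComponent(query); } catch { /* keep raw on bad %-escapes */ }
  if (!SQLI_PATTERNS.some((re) => re.test(query))) return null;
  return { type: 'INJECTION_ATTACK', severity: 'CRITICAL',
    detail: `SQL injection pattern in ${request.method} ${request.path}` };
}

// 4. PII in the response body. SSN and e-mail only; card numbers would need a Luhn check.
const PII_PATTERNS = { SSN: /\b\d{3}-\d{2}-\d{4}\b/, Email: /[\w.+-]+@[\w-]+\.[\w.-]+/ };
function detectPiiLeak({ response }) {
  const body = typeof response.body === 'string' ? response.body : JSON.stringify(response.body || {});
  const found = Object.keys(PII_PATTERNS).filter((k) => PII_PATTERNS[k].test(body));
  if (found.length === 0) return null;
  return { type: 'DATA_EXPOSURE', severity: 'HIGH',
    detail: `API response contains sensitive PII: ${found.join(', ')}` };
}

// Run every detector over one captured exchange; returns the list of findings.
function analyze(record) {
  return [detectBola, detectMissingAuth, detectSqlInjection, detectPiiLeak]
    .map((detect) => detect(record)).filter(Boolean);
}

// Constructed sample traffic (not real captures). The token is unsigned; its
// signature segment is a placeholder, which the decoder above never inspects.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}

// The README scenario: user 456 fetches /api/users/123 and gets 123's record, SSN included.
const SAMPLE_BOLA = {
  request: { method: 'GET', path: '/api/users/123',
    headers: { authorization: `Bearer ${fakeJwt({ sub: 456 })}` } },
  response: { status: 200, body: { id: 123, name: 'Ada', email: 'ada@example.com', ssn: '123-45-6789' } },
};

// An unauthenticated admin read whose query string carries a tautology.
const SAMPLE_UNAUTH = {
  request: { method: 'GET', path: "/api/admin/settings?id=' OR '1'='1", headers: {} },
  response: { status: 200, body: { theme: 'dark' } },
};

for (const f of [...analyze(SAMPLE_BOLA), ...analyze(SAMPLE_UNAUTH)]) console.log(`[${f.severity}] ${f.type}: ${f.detail}`);
```

Two things worth keeping in mind when reading a proxy like this. The user id comes from a decoded, unverified payload, which is fine for attributing development traffic but is never an authentication decision, so the proxy's findings say nothing about whether the upstream actually validated the token. And every detector here is a heuristic over URL shape and string patterns: a resource id passed in the body rather than the path is invisible to the BOLA check, an owner-only read of a record that legitimately contains an e-mail still trips the PII check, and a surname such as O'Brien followed by "and" trips the SQL pattern; tuning and allow-lists are what turn these into a low-noise signal.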
---

## 🚀 Roadmap

- [x] BOLA/IDOR detection
- [x] Missing authentication detection
- [x] SQL injection detection
- [x] PII leak detection
- [ ] CI/CD integration (GitHub Actions)
- [ ] Web dashboard
- [ ] Custom detection rules
- [ ] VSCode extension
- [ ] Production monitoring mode

---

## 🤝 Contributing

Contributions welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) first.

**Areas we'd love help with:**

- Additional security detectors
- Framework-specific integrations
- Documentation improvements
- Bug reports and feature requests

---

## 📄 License

MIT License - see [LICENSE](LICENSE)

---

## 🙏 Acknowledgments

Inspired by:

- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)
- Salt Security, Traceable AI (the $500k tools we're democratizing)
- Every developer who's shipped a BOLA bug to production (we've all been there)

---

## 📞 Support

- **Issues**: [GitHub Issues](https://github.com/shaikhzaynsaif/munshig/issues)
- **Twitter**: [@shaikhzsaifal](https://twitter.com/shaikhzsaifal)
- **Email**: saifalshaikh41@gmail.com

---

## ⭐ Star History

If munshig saved you from a security bug, please star the repo! ⭐

---

**Built with ❤️ by developers, for developers.**

**Stop shipping BOLA bugs. Start using munshig.**

```bash
npx munshig
```
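The two "HOW TO FIX" snippets from "What It Catches" (the ownership check for BOLA and the PII redaction), as an added example that is not part of munshig and runs without Express. `req.user` and `req.params` follow Express middleware conventions, `db` is a constructed in-memory store, and handlers return `{ status, body }` instead of writing to a response object so the behaviour can be asserted directly.

```javascript
// Added example, not munshig's own code: the ownership check and the PII
// redaction from the README's alert text, written framework-free. Assumed
// shapes: req = { user, params } as Express would populate them, db = a
// constructed in-memory store, handlers return { status, body }.

const db = {
  users: {
    123: { id: 123, name: 'Ada', email: 'ada@example.com', ssn: '123-45-6789' },
    456: { id: 456, name: 'Bo', email: 'b@example.com', ssn: '987-65-4321' },
  },
  getUser(id) { return this.users[id] || null; },
};

// Mask the e-mail local part and all but the last four SSN digits. Unlike the
// one-line regex in the alert text, this also copes with local parts shorter
// than two characters and with fields that are missing or malformed.
function redactUser(user) {
  const email = typeof user.email === 'string' ? user.email : '';
  const at = email.indexOf('@');
  const maskedEmail = at > 0 ? `${email.slice(0, Math.min(2, at))}***${email.slice(at)}` : null;
  const ssn = typeof user.ssn === 'string' ? user.ssn.replace(/\D/g, '') : '';
  const maskedSsn = ssn.length === 9 ? `***-**-${ssn.slice(-4)}` : null;
  return { id: user.id, name: user.name, email: maskedEmail, ssn: maskedSsn };
}

// Ownership check before the lookup. Ids are normalised to strings first: a
// numeric JWT `sub` compared with the string path parameter using !== would
// reject every request, the owner's included, which is the opposite failure
// mode from BOLA and just as easy to ship.
function getUserHandler(req) {
  if (!req.user) return { status: 401, body: { error: 'Unauthorized' } };
  if (String(req.user.id) !== String(req.params.id)) {
    return { status: 403, body: { error: 'Forbidden' } };
  }
  const user = db.getUser(req.params.id);
  if (!user) return { status: 404, body: { error: 'Not found' } };
  return { status: 200, body: redactUser(user) };
}

// Constructed requests: the README scenario (456 asks for 123) and the owner's own read.
console.log(getUserHandler({ user: { id: 456 }, params: { id: '123' } })); // status 403
console.log(getUserHandler({ user: { id: 123 }, params: { id: '123' } })); // status 200, masked PII
```

Order matters in the handler: the 401 and 403 decisions are taken before the database is touched, so an attacker probing ids learns nothing about which records exist, and the redaction runs on every successful response rather than being something each route has to remember.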