Description
I am trying to use the autoswagger command line tool, but unfortunately I could not get it to work with my use case.
I can reproduce that with a publicly available spec file: the tool uses the domain of the spec file and appends the domain and paths mentioned in the spec file to it, resulting in invalid URLs.
✖ python3 autoswagger.py https://docs.hetzner.cloud/cloud.spec.json -v
/ | __ __/ /_____ ______ ______ _____ _____ ____ _____
/ /| |/ / / / __/ __ \/ ___/ | /| / / __ `/ __ `/ __ `/ _ \/ ___/
/ ___ / /_/ / /_/ /_/ (__ )| |/ |/ / /_/ / /_/ / /_/ / __/ /
/_/ |_\__,_/\__/\____/____/ |__/|__/_\__,_/\__, /\__, /\___/_/
/____//____/
https://intruder.io
Find unauthenticated endpoints
[18:26:42] [INFO] Processing direct spec URL: https://docs.hetzner.cloud/cloud.spec.json
[18:26:42] [DEBUG] Fetching Swagger/OpenAPI spec directly from https://docs.hetzner.cloud/cloud.spec.json
[18:26:43] [SUCCESS] Successfully loaded spec.
[18:26:43] [INFO] Successfully loaded spec.
[18:26:43] [INFO] Scanning endpoints.
[18:26:44] [INFO] GET https://docs.hetzner.cloud/https://api.hetzner.cloud/v1/actions/1 returned 308
It calls https://docs.hetzner.cloud/https://api.hetzner.cloud/v1/actions/1 where I'd expect https://api.hetzner.cloud/v1/actions/1.
Maybe trying both domains (the one the spec file is hosted on and the one mentioned inside the spec file) is an option here, or allowing the domain (and path prefix) to be overridden manually. This could then be used as well to e.g. test a generic spec file from a supplier against my self-hosted version of the software.