noir v0.25.1

crystal-lang security hacktoberfest pentesting attack-surfaces devsecops endpoints owasp owasp-noir api-security shadow-api

An advanced hybrid analyzer that automatically detects all endpoints in your codebase, including shadow and undocumented APIs.

An advanced hybrid analyzer that automatically detects all endpoints in your codebase,
including shadow and undocumented APIs.

Documentation • Installation • Usage • Contributing

OWASP Noir is an open-source attack surface discovery tool that automatically finds every endpoint in your codebase by combining precise static code analysis with AI. It reveals shadow APIs, undocumented routes, and hidden vulnerabilities that traditional tools and manual methods consistently miss — giving security teams and developers complete, accurate visibility into the real attack surface.

Why Noir?

Attack Surface Discovery: Analyzes source code to identify your application's complete attack surface, including hidden endpoints, shadow APIs, and other security blind spots.
AI-Powered Analysis: Leverages Large Language Models (LLMs) to detect endpoints in any language or framework—even those not natively supported.
SAST-to-DAST Bridge: Connects static code analysis with dynamic testing by providing discovered endpoints to DAST tools, enabling more comprehensive and accurate security scans.
DevSecOps Ready: Designed for seamless integration into security pipelines with support for tools like ZAP, Burp Suite, Caido, and more.
Multi-Format Output: Delivers results in JSON, YAML, OpenAPI Specification, and other formats for easy integration with your existing workflow.

Usage

noir -h

Example

noir -b <source_dir>

If you use it with Github Action, please refer to this document .

JSON Result

noir -b . -u https://testapp.internal.domains -f json -T

{
  "endpoints": [
    {
      "url": "https://testapp.internal.domains/query",
      "method": "POST",
      "params": [
        {
          "name": "my_auth",
          "value": "",
          "param_type": "cookie",
          "tags": []
        },
        {
          "name": "query",
          "value": "",
          "param_type": "form",
          "tags": [
            {
              "name": "sqli",
              "description": "This parameter may be vulnerable to SQL Injection attacks.",
              "tagger": "Hunt"
            }
          ]
        }
      ],
      "details": {
        "code_paths": [
          {
            "path": "spec/functional_test/fixtures/crystal_kemal/src/testapp.cr",
            "line": 8
          }
        ]
      },
      "protocol": "http",
      "tags": []
    }
  ]
}

For more details, please visit our documentation page.

Roadmap

We plan to expand the range of supported programming languages and frameworks, and to continuously increase accuracy. Furthermore, we will leverage AI and Large Language Models (LLMs) to significantly broaden our analysis capabilities.

Initially conceived as a tool to assist with WhiteBox testing, our immediate goal remains to extract and provide endpoints from the source code within the DevSecOps Pipeline. This enables Dynamic Application Security Testing (DAST) tools to conduct more accurate and stable scans.

Looking ahead, our ambition is for our tool to evolve into a crucial bridge, seamlessly connecting source code with DAST and other security testing tools, thereby facilitating a more integrated and effective security posture.

News & Updates

October 2025: Presented at the OWASP Seoul Meetup.
November 2024: Published a guest blog post "Powering Up DAST with ZAP and Noir" on the ZAP blog.
June 2024: Joined OWASP as OWASP Noir
- Renamed the GitHub organization from noir-cr to owasp-noir
- Transitioned to co-leadership with @ksg97031
November 2023: Moved the Noir repository to the noir-cr GitHub organization.
August 2023: Started as @hahwul's personal project.