Show HN: Munshig – A runtime API security proxy that catches BOLA and SQL injection
Hey HN
I built munshig, a zero-config runtime API security proxy that monitors your API during development and automatically detects vulnerabilities like Broken Access Control (BOLA), missing authentication, SQL injection, and PII leaks, before they reach production.
It's inspired by tools like Salt Security ($500k/year enterprise products), but designed to run in 30 seconds with a single command:
```
npx munshig
```
It sits in front of your dev API (e.g. :3001 → :3000), analyzes real requests/responses, and surfaces runtime security issues right in your terminal, with detailed remediation steps.
GitHub: [https://github.com/shaikhzaynsaif/munshig](https://github.com/shaikhzaynsaif/munshig)
npm: [https://www.npmjs.com/package/munshig](https://www.npmjs.com/package/munshig)
I built this because I kept seeing APIs with BOLA bugs even in large companies; most scanners miss them since they analyze code statically, not behavior at runtime.
Would love feedback from other developers, especially:
Does the zero-config proxy approach make sense for your workflow?
What kinds of vulnerabilities would you want it to detect next (XSS, SSRF, JWT misuse...)?
Thanks!
ZaynSaif (Author)
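To make the behaviour-based detection the post describes concrete, here is an added example that is not part of munshig and does not reflect its implementation: a small analyser over a constructed set of request/response records, of the kind a dev proxy could log, that flags two of the issue classes mentioned, BOLA (one user-owned object served successfully to two different principals) and missing authentication (a route that normally requires credentials answering 2xx to an unauthenticated call). The record shape and the `/users/:id`-style path layout are assumptions.

```javascript
// Added example, not munshig code. Each record is {method, path, user, status};
// `user` is the subject taken from the Authorization header, or null when the
// request carried no credentials. The records below are constructed samples.
const records = [
  { method: 'GET', path: '/users/42/orders', user: 'alice', status: 200 },
  { method: 'GET', path: '/users/42/orders', user: 'bob',   status: 200 }, // BOLA suspect
  { method: 'GET', path: '/users/7/orders',  user: 'bob',   status: 200 },
  { method: 'GET', path: '/users/7/orders',  user: 'alice', status: 403 }, // enforced
  { method: 'GET', path: '/admin/stats',     user: 'alice', status: 200 },
  { method: 'GET', path: '/admin/stats',     user: null,    status: 200 }, // missing auth
  { method: 'GET', path: '/health',          user: null,    status: 200 }, // public, fine
];

// Normalise a concrete path to a route template by replacing numeric segments
// with ":id", so /users/42/orders and /users/7/orders share /users/:id/orders.
function routeOf(path) {
  return path.split('/').map(s => (/^\d+$/.test(s) ? ':id' : s)).join('/');
}

// BOLA heuristic: an object-scoped path (route containing an :id segment) that
// was served with 2xx to more than one distinct authenticated user. Shared
// resources legitimately readable by many users will need an allow-list.
function findBola(recs) {
  const seen = new Map(); // concrete path -> Set of users who received a 2xx
  for (const r of recs) {
    if (r.user === null || r.status < 200 || r.status >= 300) continue;
    if (!routeOf(r.path).includes(':id')) continue;
    if (!seen.has(r.path)) seen.set(r.path, new Set());
    seen.get(r.path).add(r.user);
  }
  return [...seen]
    .filter(([, users]) => users.size > 1)
    .map(([path, users]) => ({ path, users: [...users].sort() }));
}

// Missing-auth heuristic: a route served 2xx both to authenticated users and
// to an unauthenticated request. Routes only ever seen without credentials
// are treated as intentionally public, which keeps /health out of the report.
function findMissingAuth(recs) {
  const authed = new Set(), anon = new Set();
  for (const r of recs) {
    if (r.status < 200 || r.status >= 300) continue;
    (r.user === null ? anon : authed).add(routeOf(r.path));
  }
  return [...anon].filter(route => authed.has(route)).sort();
}

console.log('BOLA suspects:', findBola(records));
console.log('Missing auth:', findMissingAuth(records));
```

Both checks are purely observational, so they only fire for routes and objects that the traffic actually exercised, which is the trade-off of a runtime approach.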