Show HN: Munshig – Runtime API security proxy that catches BOLA and SQLi attacks
1 point • by shaikhzaynsaif • 8 months ago

Hey HN

I built munshig, a zero-config runtime API security proxy that monitors your API during development and automatically detects vulnerabilities like Broken Access Control (BOLA), missing authentication, SQL injection, and PII leaks — before they reach production.

It’s inspired by tools like Salt Security ($500k/year enterprise products), but designed to run in 30 seconds with a single command:

npx munshig

It sits in front of your dev API (e.g. :3001 → :3000), analyzes real requests/responses, and surfaces runtime security issues right in your terminal — with detailed remediation steps.

GitHub: https://github.com/shaikhzaynsaif/munshig

npm: https://www.npmjs.com/package/munshig

I built this because I kept seeing APIs with BOLA bugs even in large companies — most scanners miss them since they analyze code statically, not behavior at runtime.

Would love feedback from other developers — especially:

Does the zero-config proxy approach make sense for your workflow?

What kinds of vulnerabilities would you want it to detect next (XSS, SSRF, JWT misuse...)?

Thanks!

— ZaynSaif (Author)
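The post describes the proxy's approach (observe real request/response pairs at runtime, rather than the code) but not the detection rules themselves. As an added illustration, not munshig's own code, here is the kind of heuristic analysis a runtime proxy can run over the traffic it sees: BOLA is flagged when the same object resource returns 2xx to two different bearer tokens, missing authentication when an object route succeeds with no credentials, SQL injection when injection-shaped input is followed by a database error or 5xx, and PII leaks when response bodies carry e-mail addresses or SSN-shaped values. The traffic, tokens, paths, and error strings below are constructed for the example; the rules are illustrative and not those of munshig or any other product.

```javascript
// Added example: heuristic runtime analysis of captured API exchanges.
// Not munshig's code. Sample traffic, tokens and paths are constructed.

// Injection-shaped input: quote followed by OR/AND, UNION SELECT, comment markers.
const SQLI_RE = /(?:'\s*(?:or|and)\s+|union\s+select|--|;\s*drop\s+)/i;
// Database error signatures that should never reach an API client (illustrative set).
const SQL_ERROR_RE = /SQLITE_ERROR|syntax error|ORA-\d{5}|error in your SQL syntax/i;
// E-mail addresses and US-SSN-shaped values in a response body.
const PII_RE = /\b[\w.+-]+@[\w-]+\.[a-z]{2,}\b|\b\d{3}-\d{2}-\d{4}\b/i;
// "/api/users/42" or "/orders/7": a collection and a single-object id.
const OBJECT_PATH_RE = /^\/(?:api\/)?([a-z]+)\/(\d+)(?:\/|$)/i;

// Identify the caller by its bearer token; null means unauthenticated.
function principalOf(request) {
  const auth = (request.headers && request.headers.authorization) || '';
  return auth ? auth.replace(/^Bearer\s+/i, '') : null;
}

// Walk exchanges in order and return a deduplicated list of findings.
function analyzeTraffic(exchanges) {
  const findings = [];
  const seenKeys = new Set();            // "TYPE|path" -> reported once
  const principalsByObject = new Map();  // "users/42" -> Set of tokens served 2xx

  const report = (type, path, detail) => {
    const key = `${type}|${path}`;
    if (!seenKeys.has(key)) { seenKeys.add(key); findings.push({ type, path, detail }); }
  };

  for (const { request, response } of exchanges) {
    const principal = principalOf(request);
    // Hypothetical origin only so the relative path parses; nothing is fetched.
    const url = new URL(request.path, 'http://localhost');
    const ok = response.status >= 200 && response.status < 300;
    const reqBody = request.body || '';
    const resBody = response.body || '';
    const m = OBJECT_PATH_RE.exec(url.pathname);

    // Missing authentication: an object route answered 2xx to no credentials at all.
    if (m && !principal && ok) {
      report('MISSING_AUTH', url.pathname, `${request.method} succeeded without credentials`);
    }

    // BOLA: the same object was served 2xx to a second, different principal.
    if (m && principal && ok) {
      const objectKey = `${m[1]}/${m[2]}`;
      const served = principalsByObject.get(objectKey) || new Set();
      if (served.size > 0 && !served.has(principal)) {
        report('BOLA', url.pathname,
          `object ${objectKey} served to ${[...served].join(', ')} and ${principal}`);
      }
      served.add(principal);
      principalsByObject.set(objectKey, served);
    }

    // SQL injection: injection-shaped input AND a database error or server failure.
    const input = [...url.searchParams.values()].join(' ') + ' ' + reqBody;
    if (SQLI_RE.test(input) && (SQL_ERROR_RE.test(resBody) || response.status >= 500)) {
      report('SQLI', url.pathname, 'injection-shaped input triggered a database error');
    }

    // PII leak: sensitive-looking values in the response body.
    if (PII_RE.test(resBody)) {
      report('PII_LEAK', url.pathname, 'response body contains e-mail or SSN-shaped data');
    }
  }
  return findings;
}

// Constructed sample traffic as a proxy on :3001 -> :3000 might observe it.
const SAMPLE_TRAFFIC = [
  { request: { method: 'GET', path: '/api/users/42', headers: { authorization: 'Bearer alice-token' } },
    response: { status: 200, body: '{"id":42,"email":"alice@example.com"}' } },
  { request: { method: 'GET', path: '/api/users/42', headers: { authorization: 'Bearer bob-token' } },
    response: { status: 200, body: '{"id":42,"email":"alice@example.com"}' } },
  { request: { method: 'GET', path: '/api/orders/7', headers: {} },
    response: { status: 200, body: '{"id":7,"total":19.99}' } },
  { request: { method: 'GET', path: "/api/search?q=%27%20OR%201%3D1--", headers: { authorization: 'Bearer alice-token' } },
    response: { status: 500, body: 'SQLITE_ERROR: near "--": syntax error' } },
  { request: { method: 'GET', path: '/api/users/99', headers: { authorization: 'Bearer bob-token' } },
    response: { status: 200, body: '{"id":99,"name":"Bob"}' } },
  { request: { method: 'GET', path: '/api/users/99', headers: { authorization: 'Bearer alice-token' } },
    response: { status: 403, body: '{"error":"forbidden"}' } },
];

console.log(JSON.stringify(analyzeTraffic(SAMPLE_TRAFFIC), null, 2));
```

Running it reports four findings: BOLA and PII_LEAK on /api/users/42, MISSING_AUTH on /api/orders/7, and SQLI on /api/search; the 403 on /api/users/99 is correctly left alone. The BOLA rule is the one to treat with care: it cannot tell a per-user resource from a legitimately shared one (a product catalogue served to everyone looks the same), so a real tool needs either a learning phase or a way to mark which collections are user-scoped before its BOLA reports are trustworthy.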