- Sends various attack patterns to all the paths defined in an OpenAPI 3 definition file, using the OAS3 definition to create populate requests.
- Verifies if the responses matches those defined in the OAS3 definition file, complains and exit(2) if it doesn't.
- Complains loudly and exit(1) if a path returns an internal server error (status code 500 and higher)
To make it easy to integrate an OpenAPI 3 fuzzer in an existing API.
- Install the fuzzer using its pip package
- Add at least the following packages to requirements-test.txt:
coverage==5.0.3
openapi3-fuzzer
adal==1.2.2
Flask-Testing==0.7.1
- Generate OpenAPI (https://github.com/OpenAPITools/openapi-generator)
- Create a test_fuzzing file in the test location using the template below:
import adal
import config
from openapi3_fuzzer import FuzzIt
from openapi_server.test import BaseTestCase
def get_token():
"""
Create a token for testing
:return:
"""
oauth_expected_authenticator = authenticatoruri
client_id = appid
client_secret = secret
resource = resource/audience
# get an Azure access token using the adal library
context = adal.AuthenticationContext(oauth_expected_authenticator)
token_response = context.acquire_token_with_client_credentials(
resource, client_id, client_secret)
access_token = token_response.get('accessToken')
return access_token
class TestvAPI(BaseTestCase):
def test_fuzzing(self):
FuzzIt("openapi.yaml", get_token(), self)
- Run using our unittest container or via the Python Unittest Framework
Based on OpenAPI specification 3.0.2:
Operation | Supported |
---|---|
GET | Yes |
POST | Yes |
PUT | Yes |
DELETE | Yes |
HEAD | Yes |
OPTIONS | no |
PATCH | no |
TRACE | no |
Parameter in | Supported |
---|---|
path | Yes |
query | no |
header | no |
cookie | no |
Property types | Supported |
---|---|
string | Yes |
integer | Yes |
number | Yes |
array | Yes |
none | Yes |
boolean | no |
Internal server error:
GET fuzzing /managers/expenses/{expenses_id}/attachments
* INTERNAL SERVER ERROR
Endpoint returned 500 but expected one of [200]
GET https://dev.myapi.example/managers/expenses/99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/attachments
Response doesn't conform to the OAS3 spec:
--------------------------------------------
GET fuzzing /employees/expenses/{expenses_id}
- Unexpected status code
Endpoint returned 404 but expected one of [200, 'default']
GET https://dev.myapi.example/employees/expenses/)$#***^
POST fuzzing /employees/expenses/{expenses_id}
- Unexpected status code
Endpoint returned 400 but expected one of [201, 'default']
POST https://dev.myapi.example/employees/expenses
{
"amount": "123",
"cost_type": "123",
"note": ";sleep 10",
"transaction_date": "123"
}
A special thanks to the contributors outside of VWT Digital.
Name | Contribution |
---|---|
Jorrit Folmer | Started the project and created a base for the fuzzer. |
GPL3