
Openapi3 fuzzer

Project description

Simple fuzzer for OpenAPI 3 specification based APIs

What does this fuzzer do?

  1. Sends various attack patterns to all the paths defined in an OpenAPI 3 definition file, using the OAS3 definition to populate the requests.
  2. Verifies whether the responses match those defined in the OAS3 definition file; complains and calls exit(2) if they don't.
  3. Complains loudly and calls exit(1) if a path returns an internal server error (status code 500 or higher).
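The three steps above, worked through on a constructed OAS3 fragment, as an added illustration that is not the project's own code: the spec is reduced to one path modelled on the example output further down, a request is populated from the path parameter and the JSON body schema, and the response status is mapped to the same verdicts the fuzzer reports (the function and field names here are this example's own assumptions).

```python
# Constructed minimal OAS3 fragment modelled on the README's example output;
# it is not the project's own openapi.yaml.
SPEC = {"paths": {"/employees/expenses/{expenses_id}": {
    "get": {"responses": {"200": {}, "default": {}}},
    "post": {"responses": {"201": {}, "default": {}},
             "requestBody": {"content": {"application/json": {"schema": {
                 "type": "object",
                 "properties": {"amount": {"type": "number"},
                                "cost_type": {"type": "string"},
                                "note": {"type": "string"},
                                "transaction_date": {"type": "string"}}}}}}}}}}

def expected_statuses(spec, path, method):
    """Status codes an operation declares: numeric keys as ints, 'default' kept as-is."""
    responses = spec["paths"][path][method.lower()]["responses"]
    return [int(code) if code.isdigit() else code for code in responses]

def coerce(kind, value):
    """Cast a fuzz value to a property's declared type; a value that cannot be cast
    (e.g. text into a numeric field) is sent as-is, which is what exercises the API."""
    try:
        return {"integer": int, "number": float, "array": lambda v: [v]}.get(kind, str)(value)
    except ValueError:
        return value

def build_request(spec, path, method, value):
    """Populate one request from the spec: substitute `value` into every path
    parameter and, when the operation takes a JSON body, into every property."""
    url = path
    for segment in path.split("/"):
        if segment.startswith("{") and segment.endswith("}"):
            url = url.replace(segment, str(value))
    op = spec["paths"][path][method.lower()]
    schema = (op.get("requestBody", {}).get("content", {})
              .get("application/json", {}).get("schema"))
    if not schema:
        return url, None
    body = {name: coerce(prop.get("type"), value)
            for name, prop in schema.get("properties", {}).items()}
    return url, body

def classify(status, expected):
    """Verdict mirroring the fuzzer's exit codes: 1 for a 5xx, 2 for a status that is
    not explicitly listed (the sample output flags a 404 even though 'default' is
    declared), 0 when the response conforms."""
    if status >= 500:
        return 1
    return 0 if status in expected else 2
```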

Why does this OpenAPI fuzzer exist?

To make it easy to integrate an OpenAPI 3 fuzzer in an existing API.

How do I use this?

  1. Install the fuzzer using its pip package.
  2. Add at least the following packages to requirements-test.txt:
coverage==5.0.3
openapi3-fuzzer
adal==1.2.2
Flask-Testing==0.7.1
  3. Generate the API server code with OpenAPI Generator (https://github.com/OpenAPITools/openapi-generator); the template below imports the BaseTestCase it produces.
  4. Create a test_fuzzing file in the test location using the template below:
import adal

import config  # project settings; a natural place to keep the values filled in below
from openapi3_fuzzer import FuzzIt
from openapi_server.test import BaseTestCase


def get_token():
    """
    Create a token for testing.
    :return: an access token the fuzzer sends as bearer token on every request
    """
    # Placeholders: replace with the values for the API under test
    oauth_expected_authenticator = "<authenticator uri>"  # OAuth authority to request the token from
    client_id = "<app id>"                                # client (application) id
    client_secret = "<secret>"                            # client secret for that app
    resource = "<resource or audience>"                   # resource/audience the token is issued for

    # get an Azure access token using the adal library
    context = adal.AuthenticationContext(oauth_expected_authenticator)
    token_response = context.acquire_token_with_client_credentials(
        resource, client_id, client_secret)

    access_token = token_response.get('accessToken')
    return access_token


class TestvAPI(BaseTestCase):

    def test_fuzzing(self):
        # openapi.yaml is the OAS3 definition of the API under test
        FuzzIt("openapi.yaml", get_token(), self)
  5. Run it using our unittest container or via the Python unittest framework.

What OAS3 items are supported?

Based on OpenAPI specification 3.0.2:

Operation   Supported
GET         Yes
POST        Yes
PUT         Yes
DELETE      Yes
HEAD        Yes
OPTIONS     No
PATCH       No
TRACE       No

Parameter in   Supported
path           Yes
query          No
header         No
cookie         No

Property type   Supported
string          Yes
integer         Yes
number          Yes
array           Yes
none            Yes
boolean         No

Example output

Internal server error:

GET fuzzing /managers/expenses/{expenses_id}/attachments

* INTERNAL SERVER ERROR
  Endpoint returned 500 but expected one of [200]
  GET https://dev.myapi.example/managers/expenses/99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/attachments

Response doesn't conform to the OAS3 spec:

--------------------------------------------
GET fuzzing /employees/expenses/{expenses_id}

- Unexpected status code
  Endpoint returned 404 but expected one of [200, 'default']
  GET https://dev.myapi.example/employees/expenses/)$#***^
POST fuzzing /employees/expenses/{expenses_id}

- Unexpected status code
  Endpoint returned 400 but expected one of [201, 'default']
  POST https://dev.myapi.example/employees/expenses
{
    "amount": "123",
    "cost_type": "123",
    "note": ";sleep 10",
    "transaction_date": "123"
}

Contributors

A special thanks to the contributors outside of VWT Digital.

Name            Contribution
Jorrit Folmer   Started the project and created a base for the fuzzer.

LICENSE

GPL3

Download files

Source Distribution: openapi3-fuzzer-1.3.2.tar.gz (9.1 kB)
Built Distribution: openapi3_fuzzer-1.3.2-py3-none-any.whl (21.3 kB, Python 3)

