Openapi3 fuzzer
Project description
Simple fuzzer for OpenAPI 3 specification based APIs
What does this fuzzer do?
- Sends various attack patterns to all the paths defined in an OpenAPI 3 definition file, using the OAS3 definition to create populate requests.
- Verifies if the responses matches those defined in the OAS3 definition file, complains and exit(2) if it doesn't.
- Complains loudly and exit(1) if a path returns an internal server error (status code 500 and higher)
Why does this OpenAPI fuzzer exist?
To make it easy to integrate an OpenAPI 3 fuzzer in an existing API.
How do I use this?
- Install the fuzzer using its pip package
- Add at least the following packages to requirements-test.txt:
coverage==5.0.3
openapi3-fuzzer
adal==1.2.2
Flask-Testing==0.7.1
- Generate OpenAPI (https://github.com/OpenAPITools/openapi-generator)
- Create a test_fuzzing file in the test location using the template below:
import adal
import config
from openapi3_fuzzer import FuzzIt
from openapi_server.test import BaseTestCase
def get_token():
"""
Create a token for testing
:return:
"""
oauth_expected_authenticator = authenticatoruri
client_id = appid
client_secret = secret
resource = resource/audience
# get an Azure access token using the adal library
context = adal.AuthenticationContext(oauth_expected_authenticator)
token_response = context.acquire_token_with_client_credentials(
resource, client_id, client_secret)
access_token = token_response.get('accessToken')
return access_token
class TestvAPI(BaseTestCase):
def test_fuzzing(self):
FuzzIt("openapi.yaml", get_token(), self)
- Run using our unittest container or via the Python Unittest Framework
What OAS3 items are supported?
Based on OpenAPI specification 3.0.2:
Operation | Supported |
---|---|
GET | Yes |
POST | Yes |
PUT | Yes |
DELETE | Yes |
HEAD | Yes |
OPTIONS | no |
PATCH | no |
TRACE | no |
Parameter in | Supported |
---|---|
path | Yes |
query | no |
header | no |
cookie | no |
Property types | Supported |
---|---|
string | Yes |
integer | Yes |
number | Yes |
array | Yes |
none | Yes |
boolean | no |
Example output
Internal server error:
GET fuzzing /managers/expenses/{expenses_id}/attachments
* INTERNAL SERVER ERROR
Endpoint returned 500 but expected one of [200]
GET https://dev.myapi.example/managers/expenses/99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/attachments
Response doesn't conform to the OAS3 spec:
--------------------------------------------
GET fuzzing /employees/expenses/{expenses_id}
- Unexpected status code
Endpoint returned 404 but expected one of [200, 'default']
GET https://dev.myapi.example/employees/expenses/)$#***^
POST fuzzing /employees/expenses/{expenses_id}
- Unexpected status code
Endpoint returned 400 but expected one of [201, 'default']
POST https://dev.myapi.example/employees/expenses
{
"amount": "123",
"cost_type": "123",
"note": ";sleep 10",
"transaction_date": "123"
}
Contributors
A special thanks to the contributors outside of VWT Digital.
Name | Contribution |
---|---|
Jorrit Folmer | Started the project and created a base for the fuzzer. |
LICENSE
GPL3
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
openapi3-fuzzer-1.3.2.tar.gz
(9.1 kB
view hashes)
Built Distribution
Close
Hashes for openapi3_fuzzer-1.3.2-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | cd9ea56c3709a4133ae4e8f99293a62f4eb1b5a82e170fea7e5c7d7d8054aafb |
|
MD5 | c06e3bc6229866d9f4cfa3654fcd6a34 |
|
BLAKE2b-256 | e4e028cd82cc3c20de36cc40d2f59eb7b59fd0e727d504dfcf4974af8409dcb8 |