HackerTrans
TopNewTrendsCommentsPastAskShowJobs

matusf

no profile record

Submissions

Show HN: OpenAPI fuzzer – fuzzing APIs based on OpenAPI specification

github.com
76 points·by matusf·5 anni fa·22 comments

Privacy Redirect

github.com
1 points·by matusf·5 anni fa·0 comments

comments

matusf
·4 anni fa·discuss
[dead]
matusf
·4 anni fa·discuss
It's more of a cure of symptoms rather than a cause, but these uBlock Origin filters work for me. They hide the signup popup. There is also a filer list called EasyList Cookie[0], which hides the cookies popup.

  twitter.com##div#layers div[data-testid="sheetDialog"]:upward(div[role="group"][tabindex="0"])
  twitter.com##html:style(overflow: auto !important;)
0: https://github.com/easylist/easylist/tree/master/easylist_co...
matusf
·5 anni fa·discuss
Thanks for the report. However, without more information I'm not able to help you. What is your setup? How did you run it? could you please share the specification file? Also, let's probably move this discussion to GitHub issues: https://github.com/matusf/openapi-fuzzer/issues
matusf
·5 anni fa·discuss
Yes, we looked into it. There is a chapter in my thesis[0] about RESTler and comparison with OpenAPI fuzzer. The main difference between those two fuzzer is that RESTler is a statefull fuzzer and OpenAPI fuzzer is a stateless fuzzer.

Thanks to being statefull, RESTler is able to analyze a dependencies between a requests. For example, it will not call and endpoint to get user details before calling endpoint to create a user. This should make it more efficient because it does not waste requests to calling endpoint that will return 404.

On the other hand, fuzzing is all about trying to supply unexpected input to the software. Therefore, OpenAPI fuzzer makes those requests, since it may cause some undefined behavior when we try to get user before creating one.

So while RESTler tries to check some invariant (for example if deleted user cannot be accessed) OpenAPI fuzzer tries to cause the service to crash by invalid input. RESTler is usually not able to crash the service by providing invalid input, because it needs to keep the fuzzing dictionary small (bigger dictionary would make the dependency finding slow). So I think, they complements each other nicely.

Another difference it in reporting error. RESTler considers only status code 500 as an error. However, OpenAPI specification states all possible status codes that we can get from an endpoint. OpenAPI fuzzer utilizes this and reports every time it receives and unexpected status code.

0: https://github.com/matusf/bachelor-thesis/releases/download/...
matusf
·5 anni fa·discuss
Right now, it's probably not well suited for use in CI, since it runs until it's terminated. But I definitely plan to add a support for better usage in CI along with some examples. Thanks for the suggestion. I'll look into it!
matusf
·5 anni fa·discuss
No, it does not. As for the parsing of the OAS, it relies on openapiv3[0], which does not yet support it.

0: https://github.com/glademiller/openapiv3
matusf
·5 anni fa·discuss
Hi HN, I'd like to share with you a fuzzer I've been working on. It is a black-box, smart, generation-based fuzzer, that fuzzes APIs based on OpenAPI specification. It all started as a bachelor thesis[0], when I wanted to do something security-related and learn Rust along the way. My colleague @viralpoetry tutored me and so far, we've been able to find bugs in software such as k8s, gitea, and vault[1].

As for the choice of language, Rust proved to be a good decision, even though, one would think that dynamic languages are better suited for fuzzing (at least that was the choice for API fuzzers that I looked into). Thanks to Rust's type system, I was able to deserialize the OpenAPI specification to structs and traverse them when creating a fuzzing payload in a type-safe way. Other fuzzers load the specification to a dictionary/hashmap and then fail during the traversal because of some missing key they expected.

0: https://github.com/matusf/bachelor-thesis/releases/download/...

1: https://github.com/matusf/openapi-fuzzer#findings
matusf
·5 anni fa·discuss
Python 3.6 added f-strings which are rather popular and they cause syntax error in previous versions of Python.