Endava / cats

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
Apache License 2.0
1.11k stars 75 forks

--securityFuzzerFile Argument not showing any results #39

Closed stuti100 closed 2 years ago

stuti100 commented 2 years ago

I was curious to use the security fuzzer offered by CATS, but when run it does not give the right result. Is this the right way to use it? I am using the command below (attached in screenshot). If not, please provide some additional info and what the output will look like.

(two screenshots attached)

en-milie commented 2 years ago

Hi @stuti100. The --securityFuzzerFile requires the httpMethod entry to be present. It's not very explicit in the message currently presented in the log. I'll commit some changes to make that more comprehensible. In the meantime, alter your file as:

/path:
  test1:
    description: XSS Strings
    httpMethod: POST
    targetFieldTypes:
      - string
    stringsFile: xss.txt
    expectedResponseCode: 200

The command you've used runs all the Fuzzers + the SecurityFuzzer. There is an alternate command to run only the SecurityFuzzer:

> cats run --contract=XXX --server=SERVER --output=OUTPUT secure.yml

stuti100 commented 2 years ago

Hi @en-milie, thanks for answering. I made the above suggested changes and have some queries:

en-milie commented 2 years ago

@stuti100 Can you please send the OpenAPI specs, especially the _meta path and corresponding request/response objects?

stuti100 commented 2 years ago

Also wanted to know: while using the cats run command, are we unable to use --ignoreResponseCode and --paths? Is it true that we cannot use them in the cats run command and only specific arguments would be run?

en-milie commented 2 years ago

--paths and --ignoreXXX arguments cannot be used with 'cats run'. This is because the security.yml file has the paths as the main keys, so adding another --path argument is redundant. The security.yml file also has an expectedResponseCode entry which might conflict with the --ignoreXXX argument. But I'll think about this a bit and see what is the best way to introduce --ignoreXXX arguments in 'cats run'.

stuti100 commented 2 years ago

Yes, got that. How can we provide multiple expectedResponseCode values? I tried providing them separated by a comma (,), but it does not work.

(two screenshots attached)

en-milie commented 2 years ago

Hi @stuti100. To tackle things in order:

  1. Currently you cannot provide multiple expectedResponseCode values. As mentioned, I'll extend this in correlation with the --ignoreXXX arguments. Probably in the next release.
  2. Is there a way to get the OpenAPI specs for the error above, especially the /_meta path details?

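The two constraints the maintainer spells out in this thread (every test in the --securityFuzzerFile needs an httpMethod entry, and expectedResponseCode takes exactly one status code, not a comma-separated list) are easy to trip over before the log message gets clearer. The script below is an added example, not part of this issue and not CATS's own code: it checks a security fuzzer file for those mistakes and then shows which requests the maintainer's `test1` would send against a sample body. Everything beyond what the thread states is an assumption: the required-key list other than httpMethod, the "one request per target field per line of stringsFile" substitution rule, the sample body, the contents of xss.txt and the `/path` endpoint itself.

```python
"""Added example, not CATS's own code: sanity-check a --securityFuzzerFile and
show which requests one of its tests would produce.

Assumed (not stated on the page): the required-key list beyond httpMethod, the
"one payload per target field per line of stringsFile" substitution rule, the
sample body, the contents of xss.txt and the /path endpoint itself.
"""
import json

# The maintainer's YAML from this thread, already parsed into a dict so the
# script needs no YAML library; test2 is constructed to reproduce the two
# mistakes discussed in the issue (no httpMethod, comma-separated codes).
SECURITY_FILE = {
    "/path": {
        "test1": {
            "description": "XSS Strings",
            "httpMethod": "POST",
            "targetFieldTypes": ["string"],
            "stringsFile": "xss.txt",
            "expectedResponseCode": 200,
        },
        "test2": {
            "description": "broken on purpose",
            "targetFieldTypes": ["string"],
            "stringsFile": "xss.txt",
            "expectedResponseCode": "200,400",
        },
    }
}

# Keys assumed mandatory for every test entry (httpMethod is the one the
# thread confirms; the other two are the author's assumption).
REQUIRED_KEYS = ("httpMethod", "stringsFile", "expectedResponseCode")
HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}


def validate(security_file):
    """Return a list of 'path/test: problem' strings; an empty list means OK."""
    problems = []
    for path, tests in security_file.items():
        if not path.startswith("/"):
            problems.append(f"{path}: path keys are expected to start with '/'")
        for name, test in tests.items():
            for key in REQUIRED_KEYS:
                if key not in test:
                    problems.append(f"{path}/{name}: missing '{key}'")
            method = test.get("httpMethod")
            if method is not None and str(method).upper() not in HTTP_METHODS:
                problems.append(f"{path}/{name}: unknown httpMethod {method!r}")
            code = test.get("expectedResponseCode")
            # A single integer status code; "200,400" is rejected, matching
            # the maintainer's note that multiple codes are not supported.
            if code is not None and not (isinstance(code, int) and 100 <= code <= 599):
                problems.append(
                    f"{path}/{name}: expectedResponseCode must be one HTTP status "
                    f"code, got {code!r}"
                )
            if not any(k in test for k in ("targetFields", "targetFieldTypes")):
                problems.append(f"{path}/{name}: no targetFields/targetFieldTypes")
    return problems


# Constructed stand-in for xss.txt: one payload per line.
XSS_STRINGS = """<script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)
""".splitlines()

# Constructed sample request body for POST /path with mixed field types.
SAMPLE_BODY = {"name": "alice", "email": "a@example.com", "age": 30, "tags": ["x"]}

JSON_TYPE = {str: "string", int: "integer", float: "number", bool: "boolean",
             list: "array", dict: "object"}


def target_fields(body, field_types):
    """Top-level fields whose JSON type is listed in targetFieldTypes."""
    return [k for k, v in body.items() if JSON_TYPE.get(type(v)) in field_types]


def generate_requests(test, body, strings):
    """One mutated request per (target field, payload): the field is replaced
    with the payload, everything else is left as in the original body."""
    requests = []
    for field in target_fields(body, test.get("targetFieldTypes", [])):
        for payload in strings:
            mutated = dict(body)
            mutated[field] = payload
            requests.append({"method": test["httpMethod"], "field": field,
                             "body": mutated, "expect": test["expectedResponseCode"]})
    return requests


if __name__ == "__main__":
    for problem in validate(SECURITY_FILE):
        print("config error:", problem)
    reqs = generate_requests(SECURITY_FILE["/path"]["test1"], SAMPLE_BODY, XSS_STRINGS)
    print(f"test1 would send {len(reqs)} requests")
    for r in reqs:
        print(r["method"], "/path", json.dumps(r["body"]), "-> expect", r["expect"])
```

Run as-is it reports the two problems in `test2` and lists six requests for `test1` (two string fields times three payloads), each leaving the non-string fields untouched. Before a real run, point the validator at your own parsed file; the payload generator is only an illustration of what a string-replacement fuzzer does with `targetFieldTypes`, not a substitute for the tool.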
stuti100 commented 2 years ago

Thanks @en-milie for the updates. Hoping to see the next release soon.