Closed stuti100 closed 2 years ago
Hi @stuti100. The --securityFuzzerFile requires the httpMethod entry to be present. It's not very explicit in the message currently presented in the log. I'll commit some changes to make that more comprehensible. In the meantime, alter your file as:
```yaml
/path:
  test1:
    description: XSS Strings
    httpMethod: POST
    targetFieldTypes:
      - string
    stringsFile: xss.txt
    expectedResponseCode: 200
```
The command you've used runs all the Fuzzers + the SecurityFuzzer. There is an alternate command to run only the SecurityFuzzer:
```
cats run --contract=XXX --server=SERVER --output=OUTPUT secure.yml
```
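An added pre-flight check for a securityFuzzerFile (my own helper, not part of CATS): it flags a test entry without the required httpMethod, and an expectedResponseCode given as a comma-separated list, which the thread later notes is not accepted. It reads only the YAML subset used in the file above; the sample files are constructed.

```python
# Pre-flight check for a CATS --securityFuzzerFile (hypothetical helper, not
# part of CATS). Reads only the YAML subset the file uses: nested 'key:' maps,
# 'key: value' scalars and '- item' lists; PyYAML would do the same job.
def parse_fuzzer_file(text):
    """Parse the YAML subset into nested dicts/lists, nesting by indentation."""
    root = {}
    stack = [(-1, root, None, None)]  # (indent, container, owner, key in owner)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent, is_item = len(raw) - len(raw.lstrip()), line.startswith("- ")
        # leave deeper nodes; a '- item' may sit at the same indent as its key
        while len(stack) > 1 and (indent < stack[-1][0] or (indent == stack[-1][0] and not is_item)):
            stack.pop()
        depth, parent, owner, key = stack[-1]
        if is_item:
            if isinstance(parent, dict):  # first item: the empty map becomes a list
                parent = owner[key] = []
                stack[-1] = (depth, parent, owner, key)
            parent.append(line[2:].strip())
        elif line.endswith(":"):
            stack.append((indent, parent.setdefault(line[:-1], {}), parent, line[:-1]))
        else:
            name, value = line.split(":", 1)
            parent[name.strip()] = value.strip()
    return root

def check_fuzzer_file(text):
    """Return a list of problems; an empty list means the file should load."""
    problems = []
    for path, tests in parse_fuzzer_file(text).items():
        for name, test in tests.items():
            if "httpMethod" not in test:  # required by CATS, per the reply above
                problems.append(f"{path}/{name}: missing httpMethod")
            code = test.get("expectedResponseCode", "")
            if "," in code:  # one code only; a comma-separated list is not accepted
                problems.append(f"{path}/{name}: expectedResponseCode takes one code, got {code}")
    return problems

# Constructed samples: the file from the reply above, then a copy with the
# httpMethod line dropped and two response codes given.
GOOD = """\
/path:
  test1:
    description: XSS Strings
    httpMethod: POST
    targetFieldTypes:
      - string
    stringsFile: xss.txt
    expectedResponseCode: 200
"""
BAD = GOOD.replace("    httpMethod: POST\n", "").replace("200", "200,400")
```

Run `check_fuzzer_file` on the file before invoking `cats run`; the first sample yields no problems, the second reports both.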
Hi @en-milie, thanks for answering. I made the above suggested changes and have some queries:
```
▶ start Start fuzzing path /_meta
java.lang.NullPointerException
    at com.endava.cats.factory.FuzzingDataFactory.extractResponseSchemaRef(FuzzingDataFactory.java:491)
    at com.endava.cats.factory.FuzzingDataFactory.getResponsePayloads(FuzzingDataFactory.java:467)
    at com.endava.cats.factory.FuzzingDataFactory.getFuzzDataForNonBodyMethods(FuzzingDataFactory.java:230)
    at com.endava.cats.factory.FuzzingDataFactory.getFuzzingDataForGet(FuzzingDataFactory.java:162)
✖ error Fuzzer [SecurityFuzzer] failed due to [JsonObject]
[Test 1892*][**SF***] ✖ error Exception while processing!: java.lang.UnsupportedOperationException: JsonObject
    at com.google.gson.JsonElement.getAsString(JsonElement.java:179)
    at com.endava.cats.io.ServiceCaller.buildQueryParameters(ServiceCaller.java:446)
    at com.endava.cats.io.ServiceCaller.addUriParams(ServiceCaller.java:294)
    at com.endava.cats.io.ServiceCaller.call(ServiceCaller.java:200)
```
What should be done in these cases?

@stuti100 Can you please send the OpenAPI specs, especially the _meta path and corresponding request/response objects?
Also wanted to know, while using the cats run command we are unable to use --ignoreResponseCode and --paths? Is it true that we cannot use them in the cats run command and only specific arguments would be run?
--paths and --ignoreXXX arguments cannot be used with 'cats run'. This is because the security.yml file has the paths as the main keys, so adding another --path argument is redundant. The security.yml file also has an expectedResponseCode entry which might conflict with the --ignoreXXX argument. But I'll think about this a bit and see what is the best way to introduce --ignoreXXX arguments in 'cats run'.
Yes, got that. How can we provide multiple expectedResponseCode values? I tried providing them separated by a comma (,), but it does not work.
Hi @stuti100. To tackle things in order:

- expectedResponseCode codes. As mentioned, I'll extend this in correlation with the --ignoreXXX arguments. Probably in the next release.
- /_meta path details?

Thanks @en-milie for the updates. Hoping to see the next release soon.
I was curious to use the security fuzzer offered by CATS, but when run, it does not give the right result. Is this the right way to use it? I am using the command below (attached in screenshot). If not, please provide some additional info and how its output will look.