Endava / cats

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
Apache License 2.0
1.19k stars 73 forks source link

Question about Report #47

Closed dglee0307 closed 2 years ago

dglee0307 commented 2 years ago

First of all, I'm using this project really well. Thank you. But, there was a problem performing the REST API Fuzzing test with this project. Please tell me the solution to this problem. I worked on the project by writing kali linux(kali-linux-2021.4-installer-amd64.iso) on Virtual Box. The REST API uses swagger 2.0.

1) The characters are broken. ex) Scenario Send [values containing abugidas chars] in request fields: field [logfilterid], value [REPLACE with iజ్ఞ\u200cాP], is required [FALSE]

2) The jsonbody of the response part is strange. ex) Response { "responseCode": 200, "httpMethod": "GET", "jsonBody": { "notAJson": "<?xml version='1.0' encoding='UTF-8' ?>\n<!DOCTYPE html>\n<html xmlns=\"http://www.w3.org/1999/xhtml\"><head id=\"j_idt2\"><link type=\"text/css\" rel=\"stylesheet\" href=\"/mc2/faces/javax.faces.resource/theme.css?ln=primefaces-dain\" /><link type=\"text/css\" rel=\"stylesheet\" href=\"/mc2/faces/javax.faces.resource/font-awesome/5.13.0/css/all.min-jsf.css?ln=webjars\" /><link type=\"text/css\" rel=\"stylesheet\" href=\"/mc2/faces/javax.faces.resource/font-awesome/5.13.0/css/v4-shims.min-jsf.css?ln=webjars\" /><link t" }, "responseTimeInMs": "3", "numberOfWordsInResponse": "53", "numberOfLinesInResponse": "9", "contentLengthInBytes": "1126" }

en-milie commented 2 years ago

Hi @dglee0307. This is the actual intent of the Fuzzer to send weird characters. In this case https://en.wikipedia.org/wiki/Abugida. The purpose is to see how the application/service reacts when getting such characters. In this case it seems that it's responding with an html, rather than a valid JSON. Meaning that something is broken on the server side when processing such characters.

dglee0307 commented 2 years ago

Thanks for the reply. I'll try again as you told me. :) Have a nice day~