Closed lobax closed 4 years ago
Base64 encoding is a standard function because this way there is no need to take care of escaping. Could you please share further information about the API request which generated this report? This is not enough to start any investigation in the code.
Thanks
The report was generated by running APIFuzzer against the test server:
python3 fuzzer.py -s test/test_swagger_definition.json -u http://127.0.0.1:5000/ -r /tmp/reports/ --log debug
Maybe the format for the reports should be added to the docs? I can do a PR once I feel I understand how it works.
Good point, I will extend the documentation
BTW, how do I get the request that triggered the report? Ideally, it should be a part of the report.
Ideally the request, response and the response code are part of the report. Since nasty chars are often used, saving the report is not successful all the time. I'm working on it, but it is not an obvious issue. Please note that a report is generated if the fuzzer was unable to identify the HTTP response code or it is not on the following list: list(range(200, 300)) + list(range(400, 500))
It is a good idea during fuzzing to analyse the application log, e.g. grep -v -e DEBUG -e INFO -e NOTICE -e WARNING /log/file gives you the interesting log records :-)
It is fixed now.
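The two points from the comments above (base64-encoded fields, and the 2xx/4xx rule for when a report is written) can be combined into a small report reader. This is an added example, not APIFuzzer's own code; the report layout and the field names `status_code`, `request_body` and `response` are assumptions, since the thread does not show the report format.

```python
import base64
import binascii
import json

# Status codes that do NOT produce a report, as listed in the comment above.
EXPECTED_CODES = set(range(200, 300)) | set(range(400, 500))

def triggers_report(status):
    """True when the status is unidentified (None) or outside 2xx/4xx."""
    return status is None or status not in EXPECTED_CODES

def decode_field(value):
    """Decode a base64 field; bytes outside printable ASCII become \\xNN."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return value  # not valid base64: leave the field as written
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in raw)

def decode_report(report_json, encoded_fields=("request_body", "response")):
    """Return the report with the named fields decoded for reading.

    encoded_fields is hypothetical: pass the names your reports actually use.
    """
    report = json.loads(report_json)
    for name in encoded_fields:
        if isinstance(report.get(name), str):
            report[name] = decode_field(report[name])
    report["outside_expected_codes"] = triggers_report(report.get("status_code"))
    return report

# Constructed sample report (not real fuzzer output).
SAMPLE = json.dumps({
    "status_code": 500,
    "request_url": "http://127.0.0.1:5000/",
    "request_body": base64.b64encode(b'{"id": "\x00\xff"}').decode(),
    "response": base64.b64encode(b"Internal Server Error\n").decode(),
})

if __name__ == "__main__":
    print(json.dumps(decode_report(SAMPLE), indent=2))
```

Escaping every non-printable byte keeps control characters from the fuzzed payload out of the terminal while still showing exactly what was sent.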
Reports are missing data about the request that caused the issue, and many fields are base64-encoded.
For instance, a report can look like this: