KissPeter / APIFuzzer

Fuzz test your application using your OpenAPI or Swagger API definition without coding
GNU General Public License v3.0

Missing response, parsed_status_code and request_body are in reports #38

Closed naveenn2n closed 4 years ago

naveenn2n commented 4 years ago

Hi KissPeter,

I am able to run the tool successfully. But after validating the reports, I haven't found the parameters response, parsed_status_code and request_body.

Below is the report which I get:

{"status": "failed", "name": [{"Authorization": "SuperSecret"}, {"Auth2": "asd"}], "sub_reports": [], "test_number": 177, "state": "COMPLETED", "request_url": "http://127.0.0.1:5000/v2/pet/findByStatus?status=\u0003\u0007U'", "request_method": "GET", "request_headers": "{\"User-Agent\": \"APIFuzzer\", \"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"/\", \"Connection\": \"keep-alive\", \"Authorization\": \"SuperSecret\", \"Auth2\": \"asd\"}", "reason": "failed" }

In the provided example, I have seen the parameters response, parsed_status_code and request_body.

Note: based on status_code, I will try to eliminate false positives.

KissPeter commented 4 years ago

Hi,

Response and parsed_status_code are not always present. If the fuzzer generates an odd HTTP request, the client may not recognise it as an "HTTP request", just TCP. After a while the connection will be dropped, therefore the fuzzer won't be able to provide the mentioned fields. Such reports shouldn't be dropped automatically as they might not be false positives. I would resend the request to see what happens.

I'm not sure about request_body, as it is empty for non-POST, non-PUT methods. It should be part of the report, only not included if something bad happens during HTTP communication. It's worth checking the logs.

naveenn2n commented 4 years ago

Hi KissPeter,

Is there any possibility to capture the complete request and response into reports? It's useful for further enhancements, I believe.

Thanks, M. Naveen.

KissPeter commented 4 years ago

I believe everything is captured already. What do you think is missing?

naveenn2n commented 4 years ago

I verified in the reports. But I didn't see complete requests and responses.

KissPeter commented 4 years ago

Once again, what is missing? By complete request and response, do you mean the raw request and response without parsing? How it looks before splitting into request method, URL, headers, body and response code, headers and body?

naveenn2n commented 4 years ago

Hi KissPeter,

Please verify the below reports which were generated now. In them I verified the POST, DELETE, PUT and GET methods. I didn't see complete request body parameters and response body parameters. Hope you are clear now.

I have attached the reports below. Here we didn't see the response body. Without the response, we couldn't come to a conclusion whether it's a false positive or a true positive. reportsoday.zip

KissPeter commented 4 years ago

This is how a report looks in case of a POST request when the client throws a 500 HTTP error:

{ "**request_url**" : "http://127.0.0.1:5000/post_param", "**request_body**" : { "param_int" : "%%\u0001%%\u0001%%\u0001%%\u0001", "body" : "\u0000", "param_str" : "a\u0000s\u0000d\u0000" }, "**parsed_status_code**" : 500, "response" : "", "name" : { "dpfsfosd" : "rkjqodiq" }, "request_headers" : "{\"User-Agent\": \"APIFuzzer 0.9\", \"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Connection\": \"keep-alive\", \"dpfsfosd\": \"rkjqodiq\"}", "state" : "COMPLETED", "status" : "failed", "reason" : "failed", "**request_method**" : "POST", "test_number" : 261, "sub_reports" : [] }

This is how a report looks in case of a GET request when the client throws a 500 HTTP error:

{ "state" : "COMPLETED", "sub_reports" : [], "name" : { "wjpevuux" : "dfiljtwc" }, "response" : "", "request_body" : {}, "status" : "failed", "request_method" : "GET", "parsed_status_code" : 500, "request_url" : "http://127.0.0.1:5000/path_param/667.5667.5", "test_number" : 0, "request_headers" : "{\"User-Agent\": \"APIFuzzer 0.9\", \"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Connection\": \"keep-alive\", \"wjpevuux\": \"dfiljtwc\"}", "reason" : "failed" }

As there wasn't a request body, there is nothing to add to the report. Sorry, I still don't understand what you miss. Just to double check, are you aware of the difference between the GET and POST HTTP request methods? Again: response and parsed_status_code are not always present. If the fuzzer generates an odd HTTP request, the client may not recognise it as an "HTTP request", just TCP.
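A small triage helper for the report shapes quoted in this thread (an added example, not APIFuzzer's own code; the sample reports are constructed from the field names above and the values are made up). It separates reports that lack parsed_status_code, which the maintainer says need a replay rather than being discarded, from those that recorded a server error, and it decodes the request_headers field, which is stored as a JSON string rather than a dict, so the case can be resent:

```python
import json

# Constructed sample reports, shaped like the ones quoted in the issue.
SAMPLE_REPORTS = [
    {   # No parsed_status_code: the client never got an HTTP response.
        "status": "failed", "state": "COMPLETED", "test_number": 177,
        "request_method": "GET",
        "request_url": "http://127.0.0.1:5000/v2/pet/findByStatus?status=\u0003\u0007U'",
        "request_headers": "{\"User-Agent\": \"APIFuzzer\", \"Accept\": \"*/*\"}",
        "reason": "failed", "sub_reports": [],
        "name": [{"Authorization": "SuperSecret"}],
    },
    {   # Server answered with 500, body and status were captured.
        "status": "failed", "state": "COMPLETED", "test_number": 261,
        "request_method": "POST",
        "request_url": "http://127.0.0.1:5000/post_param",
        "request_body": {"param_int": "%%\u0001", "param_str": "a\u0000s\u0000d\u0000"},
        "parsed_status_code": 500, "response": "",
        "request_headers": "{\"User-Agent\": \"APIFuzzer 0.9\", \"Accept\": \"*/*\"}",
        "reason": "failed", "sub_reports": [],
        "name": {"dpfsfosd": "rkjqodiq"},
    },
]


def triage(report):
    """Classify one report. A missing parsed_status_code means the server
    dropped the connection before answering, so the case is 'replay', not
    a false positive to discard. 5xx codes are flagged as 'server_error';
    everything else is left for manual 'review'."""
    if "parsed_status_code" not in report:
        return "replay"
    if report["parsed_status_code"] >= 500:
        return "server_error"
    return "review"


def replay_request(report):
    """Rebuild the pieces needed to resend a case by hand. request_headers is
    a JSON-encoded string in the report, so it has to be decoded first;
    request_body is absent or {} for GET, which is reported as None."""
    headers = json.loads(report["request_headers"])
    body = report.get("request_body") or None
    return {"method": report["request_method"],
            "url": report["request_url"], "headers": headers, "body": body}


def summarize(reports):
    """Count reports per triage bucket, e.g. {'replay': 1, 'server_error': 1}."""
    counts = {}
    for report in reports:
        bucket = triage(report)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts
```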