APIFuzzer reads your API description and step by step fuzzes the fields to validate if you application can cope with the fuzzed parameters. Does not require coding.
Latest version:
pip3 install APIFuzzer
Development version: Fetch the most recent code from GitHub
$ git clone https://github.com/KissPeter/APIFuzzer.git
Install requirements. If you don't have pip installed, then sudo apt-get install python3-pip -y
$ pip3 install -r APIFuzzer/requirements.txt
$ docker pull kisspeter/apifuzzer:latest
Check the help (some of them are not implemented yet):
$$ usage: APIFuzzer [-h] [-s SRC_FILE] [--src_url SRC_URL] [-r REPORT_DIR] [--level LEVEL] [-u ALTERNATE_URL] [-t TEST_RESULT_DST]
[--log {critical,fatal,error,warn,warning,info,debug,notset}] [--basic_output BASIC_OUTPUT] [--headers HEADERS] [-v ,--version]
APIFuzzer configuration
optional arguments:
-h, --help show this help message and exit
-s SRC_FILE, --src_file SRC_FILE
API definition file path. JSON and YAML format is supported
--src_url SRC_URL API definition url. JSON and YAML format is supported
-r REPORT_DIR, --report_dir REPORT_DIR
Directory where error reports will be saved. Default is temporally generated directory
--level LEVEL Test deepness: [1,2], the higher is the deeper (In progress)
-u ALTERNATE_URL, --url ALTERNATE_URL
Use CLI defined url instead compile the url from the API definition. Useful for testing
-t TEST_RESULT_DST, --test_report TEST_RESULT_DST
JUnit test result xml save path
--log {critical,fatal,error,warn,warning,info,debug,notset}
Use different log level than the default WARNING
--basic_output BASIC_OUTPUT
Use basic output for logging (useful if running in jenkins). Example --basic_output=True
--headers HEADERS Http request headers added to all request. Example: '[{"Authorization": "SuperSecret"}, {"Auth2": "asd"}]'
Start the sample application (install the necessary packages listed in test/requirements_for_test.txt):
$ python3 test/test_application.py
Start the fuzzer:
$ APIFuzzer -s test/test_api/openapi_v2.json -u http://127.0.0.1:5000/ -r /tmp/reports/ --log debug
Check the reports:
$ ls -1 /tmp/reports/
Report example:
$ json_pp < /tmp/reports/79_1573993485.5391517.json
{
"response" : "Test application exception: invalid literal for int() with base 10: '0\\x00\\x10'",
"sub_reports" : [],
"parsed_status_code" : 500,
"state" : "COMPLETED",
"test_number" : 79,
"request_body" : null,
"reason" : "failed",
"name" : "target",
"request_url" : "http://127.0.0.1:5000/exception/0\u0000\u0010",
"request_method" : "GET",
"status" : "failed",
"request_headers" : "{\"User-Agent\": \"APIFuzzer\", \"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Connection\": \"keep-alive\"}"
}
Notes
- Use http://host.docker.internal instead of http://127.0.0.1 or http://localhost in the references. Read Docker cocumentation for further explanation
- You need to attach a volume like in this example to share files and folders with the container:
docker run --volume results:/results/ kisspeter/apifuzzer --src_url http://host.docker.internal:8000/openapi.json --url http://host.docker.internal:8000 --test_report /results/junit.xml --report /results/report/ ```
Notes
- Define
--net
at startup to attach this docker to an existing network. Read Docker cocumentation for further explanation- Use http://CONTAINERNAME instead of http://127.0.0.1 or http://localhost in the references.
- You need to attach a volume like in this example to share files and folders with the container:
docker run --volume results:/results/ kisspeter/apifuzzer --net fastapi-performance-optimization_default kisspeter/apifuzzer --src_url http://fastapi-performance-optimization:8000/openapi.json -u http://fastapi-performance-optimization:8000 --test_report /results/junit.xml --report /results/report/```