A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.
This change makes the vulnerable testing application a bit more realistic, by adding a database and supporting apikey authorization. By doing so, I uncovered and fix the following bugs:
headers are now ascii-only
responses don't save None as a valid data source
auth headers aren't overwritten by fuzzed ones
Technical Details
We add sqlalchemy as a new dev requirements (mainly because I don't want to deal with Python's native sqlite library)
This creates a temporary database on the filesystem (because in-memory databases and Flask debug mode don't play well with each other)
There's a whole new set of endpoints (/user) for easier user management via API calls. In the integration test, we really shouldn't be reading directly from the database, if that can be helped.
Summary
This change makes the vulnerable testing application a bit more realistic, by adding a database and supporting
apikey
authorization. By doing so, I uncovered and fix the following bugs:None
as a valid data sourceTechnical Details
sqlalchemy
as a new dev requirements (mainly because I don't want to deal with Python's nativesqlite
library)/user
) for easier user management via API calls. In the integration test, we really shouldn't be reading directly from the database, if that can be helped.For more details, check out the commit history.