Yelp / fuzz-lightyear

A pytest-inspired DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful Swagger fuzzing.

enforce min/max on integer fuzzing #5

Closed domanchi closed 4 years ago

domanchi commented 5 years ago

Reproduction Steps

$ fuzz-lightyear --seed 98739285919045619183416780265481568499 https://petstore.swagger.io/v2/swagger.json -v --ignore-exceptions -t 'store.getOrderById'
======================================== fuzzing session starts ========================================
Hypothesis Seed: 98739285919045619183416780265481568499

warning: No auth method specified.
store E
============================================= Test Failures =============================================
_________________________________ store.getOrderById [ValidationError] _________________________________
Input:
{
  "orderId": 2934
}

Traceback (most recent call last):
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/fuzz_lightyear/main.py", line 106, in run_tests
    run_sequence(result.requests, result.responses)
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/fuzz_lightyear/runner.py", line 13, in run_sequence
    response = request.send()
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/fuzz_lightyear/request.py", line 146, in send
    **kwargs
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/fuzz_lightyear/supplements/abstraction.py", line 57, in default_request_method
    )(*args, **kwargs)
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/bravado/client.py", line 247, in __call__
    self.operation, request_options, **op_kwargs)
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/bravado/client.py", line 285, in construct_request
    construct_params(operation, request, op_kwargs)
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/bravado/client.py", line 308, in construct_params
    marshal_param(param, param_value, request)
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/bravado_core/param.py", line 124, in marshal_param
    validate_schema_object(swagger_spec, param_spec, value)
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/bravado_core/validate.py", line 53, in validate_schema_object
    validate_primitive(swagger_spec, schema_object_spec, value)
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/bravado_core/validate.py", line 33, in scrubbed
    reraise(*sys.exc_info())
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/bravado_core/validate.py", line 25, in scrubbed
    return func(*args, **kwargs)
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/bravado_core/validate.py", line 81, in validate_primitive
    ).validate(value)
  File "/Users/aaronloo/Documents/yelp/fuzzing/fuzzer-core/venv/lib/python3.6/site-packages/jsonschema/validators.py", line 348, in validate
    raise error
jsonschema.exceptions.ValidationError: 2934 is greater than the maximum of 10.0

Failed validating 'maximum' in schema:
    {'description': 'ID of pet that needs to be fetched',
     'format': 'int64',
     'in': 'path',
     'maximum': 10.0,
     'minimum': 1.0,
     'name': 'orderId',
     'required': True,
     'type': 'integer'}

On instance:
    2934
------------------------------------------ Captured log calls ------------------------------------------
[request:138]   INFO    curl -X GET https://petstore.swagger.io/v2/store/order/2934

======================================= 1 failed in 0.06 seconds =======================================

This logic is in a TODO statement in the fuzzer.py file.
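As an added illustration of the missing check (example code, not from fuzz-lightyear or the issue author): a helper that derives the integer range a Swagger parameter admits from its `minimum`/`maximum` (and the Swagger 2.0 `exclusiveMinimum`/`exclusiveMaximum` flags, which the report does not mention), then draws only in-range values. The `ORDER_ID_PARAM` dict is reconstructed from the schema printed in the traceback, and `fuzz_integers` is a hypothetical stand-in for the Hypothesis strategy the fuzzer would build.

```python
import math
import random

# Constructed sample input: the orderId parameter from the ValidationError
# above, with the float bounds bravado_core passes through to jsonschema.
ORDER_ID_PARAM = {
    'name': 'orderId', 'in': 'path', 'required': True,
    'type': 'integer', 'format': 'int64',
    'minimum': 1.0, 'maximum': 10.0,
}

# Swagger 2.0 integer formats, used only when the spec gives no explicit bound.
FORMAT_BOUNDS = {
    'int32': (-2 ** 31, 2 ** 31 - 1),
    'int64': (-2 ** 63, 2 ** 63 - 1),
}


def integer_bounds(param):
    """Inclusive (low, high) range an integer parameter admits, None on an
    unbounded side. Honors minimum/maximum (possibly floats like 10.0) and
    the boolean exclusiveMinimum/exclusiveMaximum modifiers."""
    low, high = FORMAT_BOUNDS.get(param.get('format'), (None, None))
    if 'minimum' in param:
        m = param['minimum']
        low = math.floor(m) + 1 if param.get('exclusiveMinimum') else math.ceil(m)
    if 'maximum' in param:
        m = param['maximum']
        high = math.ceil(m) - 1 if param.get('exclusiveMaximum') else math.floor(m)
    if low is not None and high is not None and low > high:
        # e.g. minimum=5, maximum=3: fail loudly rather than send requests the
        # client library will reject before they ever reach the service.
        raise ValueError(f"{param.get('name')}: empty integer range {low}..{high}")
    return low, high


def satisfies_bounds(param, value):
    """The same minimum/maximum check jsonschema applied when it rejected 2934."""
    low, high = integer_bounds(param)
    return (low is None or value >= low) and (high is None or value <= high)


def fuzz_integers(param, seed, count):
    """Draw `count` in-range integers reproducibly from `seed` (hypothetical
    stand-in for the Hypothesis strategy the fuzzer would build from the spec)."""
    low, high = integer_bounds(param)
    # Unbounded sides are clamped to int64 so the draw stays finite.
    low = -2 ** 63 if low is None else low
    high = 2 ** 63 - 1 if high is None else high
    rng = random.Random(seed)
    return [rng.randint(low, high) for _ in range(count)]
```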