Yelp / fuzz-lightyear

A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.

Allow endpoint-specific authentication headers #57

Closed tanx16 closed 3 years ago

tanx16 commented 3 years ago

This change now allows users to select different authentication headers depending on the operation id. If the function decorated with victim_account or attacker_account starts with an operation_id parameter, then the operation id will automatically be passed in when fuzzing.

```python
import fuzz_lightyear

# Placeholder values: which operation ids need the special header, and the two header sets.
special_operations = {'operation_a'}
special_header = {'Authorization': 'Bearer special-token'}
standard_header = {'Authorization': 'Bearer standard-token'}

@fuzz_lightyear.victim_account
def victim_session(operation_id):
    # The operation id is injected because it is the first parameter.
    if operation_id in special_operations:
        return special_header
    else:
        return standard_header
```

tanx16 commented 3 years ago

For some magical reason, if we put operation id as the first variable in a function, we can inject without errors. This still ran into the caching issue though, so I added a check for whether the args match when passed in.
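The two comments above describe the mechanism but not its shape. The following is an added illustration, not fuzz-lightyear's own implementation: a registry decorator (`register_account`, an assumed name) that injects the operation id only when the session factory's first parameter is literally `operation_id`, and a cache keyed on the injected args so a different operation id is never served a stale header.

```python
import inspect

# Constructed stand-in for the PR's mechanism (not the project's own code).
_registry = {}   # role -> session factory
_cache = {}      # (role, args) -> headers; args in the key is the "args match" check


def register_account(role):
    """Register a session factory under `role` (e.g. 'victim' or 'attacker')."""
    def decorator(func):
        _registry[role] = func
        return func
    return decorator


def _wants_operation_id(func):
    """True when the factory's first positional parameter is named operation_id."""
    params = list(inspect.signature(func).parameters)
    return bool(params) and params[0] == 'operation_id'


def get_session_headers(role, operation_id):
    """Return headers for `role`, injecting operation_id only when the factory asks for it."""
    func = _registry[role]
    args = (operation_id,) if _wants_operation_id(func) else ()
    key = (role, args)
    if key not in _cache:
        _cache[key] = func(*args)
    return _cache[key]


# Constructed sample configuration mirroring the PR description.
SPECIAL_OPERATIONS = {'delete_user'}
SPECIAL_HEADER = {'Authorization': 'Bearer victim-admin-token'}
STANDARD_HEADER = {'Authorization': 'Bearer victim-token'}


@register_account('victim')
def victim_session(operation_id):
    if operation_id in SPECIAL_OPERATIONS:
        return SPECIAL_HEADER
    return STANDARD_HEADER


@register_account('attacker')
def attacker_session():
    # No operation_id parameter, so it is called with no arguments.
    return {'Authorization': 'Bearer attacker-token'}
```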