Yelp / fuzz-lightyear

A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.

Fuzz with self signed certificate #72

Open zodf0055980 opened 2 years ago

zodf0055980 commented 2 years ago

Hello, this is a nice project. I try to use it to test my API, but it fails when the server has a self-signed certificate. This is the exception report:

Traceback (most recent call last):
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/urllib3/connectionpool.py", line 603, in urlopen
    chunked=chunked)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/urllib3/connectionpool.py", line 344, in _make_request
    self._validate_conn(conn)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
    conn.connect()
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/urllib3/connection.py", line 370, in connect
    ssl_context=context)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 368, in ssl_wrap_socket
    return context.wrap_socket(sock)
  File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/urllib3/connectionpool.py", line 641, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=4433): Max retries exceeded with url: /test(Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/http_future.py", line 124, in wrapper
    return func(self, *args, **kwargs)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/http_future.py", line 290, in _get_incoming_response
    inner_response = self.future.result(timeout=timeout)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/requests_client.py", line 392, in result
    **settings
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=4433): Max retries exceeded with url: /test (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/fuzz_lightyear/main.py", line 136, in run_tests
    validate_sequence(result.requests, result.responses)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/fuzz_lightyear/runner.py", line 18, in validate_sequence
    run_sequence(sequence, responses)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/fuzz_lightyear/runner.py", line 35, in run_sequence
    auth=auth,
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/fuzz_lightyear/request.py", line 204, in send
    **kwargs,
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/fuzz_lightyear/supplements/abstraction.py", line 60, in default_request_method
    return future.result()
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/http_future.py", line 270, in result
    incoming_response = self._get_incoming_response(timeout)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/http_future.py", line 128, in wrapper
    self.future._raise_connection_error(exception)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/http_future.py", line 91, in _raise_connection_error
    self._raise_error(BravadoConnectionError, 'ConnectionError', exception)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/http_future.py", line 82, in _raise_error
    sys.exc_info()[2],
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/six.py", line 692, in reraise
    raise value.with_traceback(tb)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/http_future.py", line 124, in wrapper
    return func(self, *args, **kwargs)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/http_future.py", line 290, in _get_incoming_response
    inner_response = self.future.result(timeout=timeout)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/bravado/requests_client.py", line 392, in result
    **settings
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/home/yuan/fuzz-lightyear/venv/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
bravado.http_future.RequestsFutureAdapterConnectionError

I found that it uses bravado to send requests, and bravado can be used with ssl_verify after this PR. How could I use fuzz-lightyear with ssl_verify set?

AlexB1986 commented 2 years ago

Hi, I also faced that issue and could not find the right way to bypass it. A quick (but not elegant) way is to modify your local bravado library source code -- https://github.com/Yelp/bravado/blob/master/bravado/requests_client.py#L285 -- True --> False. But maybe there is another, more elegant way to do that.

Alexander
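As an added illustration (not code from this thread, from fuzz-lightyear or from bravado), the snippet below shows what that `ssl_verify` default amounts to once it reaches requests, and why pointing `REQUESTS_CA_BUNDLE` at the server's own certificate file is enough without editing site-packages or turning verification off for every host. It assumes, based on the `**settings` frame in the traceback, that bravado passes `ssl_verify` through `Session.merge_environment_settings`; the precedence logic is re-created with the standard library only, and `effective_verify` / `tls_context_for` are names chosen here.

```python
import os
import ssl


def effective_verify(ssl_verify=True, environ=None):
    """Return the value requests will actually use for its `verify` option.

    Assumption (re-creation of requests' documented behaviour): an explicit
    False or a CA bundle path is kept as-is; only True/None falls back to the
    REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE environment variables.
    """
    env = os.environ if environ is None else environ
    if ssl_verify is True or ssl_verify is None:
        return (
            env.get("REQUESTS_CA_BUNDLE")
            or env.get("CURL_CA_BUNDLE")
            or ssl_verify
        )
    return ssl_verify


def tls_context_for(verify):
    """Build the TLS policy that a resolved `verify` value amounts to.

    False -> no certificate or hostname checking at all (the True -> False patch)
    str   -> trust exactly that PEM file (a self-signed server cert is fine)
    True  -> trust the system CA store (bravado's default)
    """
    ctx = ssl.create_default_context()
    if verify is False:
        # check_hostname must be cleared before verify_mode can drop to CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif isinstance(verify, str):
        ctx.load_verify_locations(cafile=verify)
    return ctx


if __name__ == "__main__":
    # Constructed example: the fuzz target from the traceback with its cert exported
    # to a file, exposed to the fuzzer via the environment instead of a code edit.
    env = {"REQUESTS_CA_BUNDLE": "/srv/certs/127.0.0.1-4433.pem"}
    print("bravado default True  ->", effective_verify(True, env))
    print("patched to False      ->", effective_verify(False, env))
    print("verify_mode when False:", tls_context_for(False).verify_mode)
```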

zodf0055980 commented 2 years ago

@AlexB1986 I fixed it the same way; I modified the file in venv/bin.

Thanks.