matusf / openapi-fuzzer

Black-box fuzzer that fuzzes APIs based on OpenAPI specification. Find bugs for free!
GNU Affero General Public License v3.0
526 stars 22 forks

Automatic payload generation from responses #19

Open Gby56 opened 2 years ago

Gby56 commented 2 years ago

I was wondering if the fuzzer was only generating random payloads from the spec, or whether it was able to reuse responses from the easy requests (ones that don't require a parameter). This would really improve the drilling into complex paths; otherwise it will only hit 404 or 403 for non-existing/non-authorized resources (unless there is an IDOR vulnerability or the authentication allows you to get any value).

It's less like raw fuzzing, but smarter and maybe more efficient. I built something similar in Python, so maybe I could try it in Rust.

Gby56 commented 2 years ago

I remembered that RESTler does that: https://github.com/microsoft/restler-fuzzer

matusf commented 2 years ago

Hi, yes, as of now it only generates random payloads according to the spec. I've read the paper and it is a really interesting approach. The two strategies can find two different categories of bugs. The random strategy finds mostly bugs related to input parsing, while RESTler generates mostly correct inputs and finds "workflow bugs", i.e. some action should happen after another action but it does not. Both of those strategies are useful and interesting, and it would be super cool if one could just choose one or the other. So if you are interested in implementing the RESTler strategy, it would be welcomed! BTW, I'm now working on shrinking of the found payloads.
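To make the difference between the two strategies discussed in this thread concrete, here is an added example (written for this page; it is not code from openapi-fuzzer or from RESTler). It is in Python because that is the language the issue author mentions for the earlier prototype. It infers producer/consumer edges from a constructed OpenAPI fragment (a path parameter such as `userId` is fed from the `id` field returned by `POST /users`), orders operations so producers run first, substitutes real response values into later requests, and compares that against the purely random strategy. The spec fragment, the operation IDs, the `FakeServer` and its deliberate workflow bug (a deleted user that `GET` still returns) are all constructed for the example, and the name-matching heuristic is a simplification of RESTler's dependency inference.

```python
"""Producer/consumer dependency inference for REST fuzzing (RESTler-style), versus random payloads.

Everything here is constructed for illustration: the spec fragment, the in-memory server and its bug.
"""
import random
import re

# Constructed OpenAPI 3 fragment (assumption: not taken from any real service).
SPEC = {"paths": {
    "/users": {"post": {"operationId": "createUser", "responses": {"201": {"content": {"application/json": {
        "schema": {"type": "object", "properties": {"id": {"type": "integer"}, "name": {"type": "string"}}}}}}}}},
    "/users/{userId}": {
        "get": {"operationId": "getUser", "parameters": [{"name": "userId", "in": "path"}]},
        "delete": {"operationId": "deleteUser", "parameters": [{"name": "userId", "in": "path"}]}},
    "/users/{userId}/posts": {"post": {"operationId": "createPost", "parameters": [{"name": "userId", "in": "path"}],
        "responses": {"201": {"content": {"application/json": {
            "schema": {"type": "object", "properties": {"postId": {"type": "integer"}}}}}}}}},
}}


def path_params(op):
    return [p["name"] for p in op.get("parameters", []) if p.get("in") == "path"]


def produced_fields(op):
    """Top-level JSON property names an operation can return (its 'products')."""
    fields = []
    for resp in op.get("responses", {}).values():
        schema = resp.get("content", {}).get("application/json", {}).get("schema", {})
        fields.extend(schema.get("properties", {}).keys())
    return fields


def resource_of(path):
    """Last static path segment, naively singularised: /users/{userId}/posts -> 'post'."""
    static = [s for s in path.strip("/").split("/") if not s.startswith("{")]
    return static[-1].rstrip("s").lower() if static else ""


def infer_dependencies(spec):
    """Map each consumer's path parameter to (producer_opid, response_field).

    Heuristic: a POST producer matches if it returns a field with the same name as the
    parameter, or returns `id` for the resource the parameter is named after (userId <- POST /users).
    """
    ops = {op["operationId"]: (m.upper(), path, op)
           for path, methods in spec["paths"].items() for m, op in methods.items()}
    deps = {}
    for opid, (_, _, op) in ops.items():
        deps[opid] = {}
        for param in path_params(op):
            pname = param.lower()
            for pid, (pmethod, ppath, pop) in ops.items():
                if pid == opid or pmethod != "POST":
                    continue
                fields = {f.lower(): f for f in produced_fields(pop)}
                if pname in fields:
                    deps[opid][param] = (pid, fields[pname]); break
                if pname == resource_of(ppath) + "id" and "id" in fields:
                    deps[opid][param] = (pid, fields["id"]); break
    return ops, deps


def order_operations(ops, deps):
    """Kahn's algorithm: every producer is executed before the operations consuming its output."""
    remaining, order = set(ops), []
    while remaining:
        ready = sorted(o for o in remaining if all(p not in remaining for p, _ in deps[o].values()))
        if not ready:
            raise ValueError("cyclic dependency in spec")
        order.extend(ready)
        remaining -= set(ready)
    return order


class FakeServer:
    """Constructed in-memory API with a deliberate workflow bug: DELETE only flags the user,
    and GET ignores the flag, so a deleted user keeps answering 200."""
    def __init__(self):
        self.users, self.posts, self.next_id = {}, {}, 1

    def handle(self, method, path):
        if (method, path) == ("POST", "/users"):
            uid, self.next_id = self.next_id, self.next_id + 1
            self.users[uid] = {"id": uid, "name": f"user{uid}", "deleted": False}
            return 201, {"id": uid, "name": self.users[uid]["name"]}
        m = re.fullmatch(r"/users/(\d+)(/posts)?", path)
        if not m or int(m.group(1)) not in self.users:
            return 404, {}
        user = self.users[int(m.group(1))]
        if m.group(2) and method == "POST":
            pid, self.next_id = self.next_id, self.next_id + 1
            self.posts[pid] = user["id"]
            return 201, {"postId": pid}
        if not m.group(2) and method == "GET":
            return 200, {"id": user["id"], "name": user["name"]}   # BUG: user["deleted"] is never checked
        if not m.group(2) and method == "DELETE":
            user["deleted"] = True
            return 204, {}
        return 405, {}


def run_random(spec, server, rng=None):
    """Baseline: every path parameter gets a random value; dependent paths mostly end in 404."""
    rng = rng or random.Random(0)
    ops, _ = infer_dependencies(spec)
    trace = []
    for opid, (method, template, op) in ops.items():
        path = template
        for param in path_params(op):
            path = path.replace("{" + param + "}", str(rng.randint(1, 10**6)))
        trace.append((opid, method, path, server.handle(method, path)[0]))
    return trace


def run_sequence(spec, server):
    """Dependency-aware walk: run producers first, feed their response fields into consumers,
    and flag the workflow bug 'GET still succeeds on a resource that was DELETEd'."""
    ops, deps = infer_dependencies(spec)
    pool, deleted, trace, findings = {}, set(), [], []
    for opid in order_operations(ops, deps):
        method, path, op = ops[opid]
        for param in path_params(op):
            value = pool[deps[opid][param]] if param in deps[opid] else random.randint(1, 10**6)
            path = path.replace("{" + param + "}", str(value))
        status, body = server.handle(method, path)
        trace.append((opid, method, path, status))
        for field, value in body.items():
            pool[(opid, field)] = value          # remember products for later consumers
        if method == "DELETE" and status < 300:
            deleted.add(path)
        if method == "GET" and path in deleted and status == 200:
            findings.append(f"{opid}: GET {path} returned 200 after DELETE")
    return trace, findings


if __name__ == "__main__":
    print("random strategy:  ", run_random(SPEC, FakeServer()))
    seq_trace, seq_findings = run_sequence(SPEC, FakeServer())
    print("dependency-aware: ", seq_trace)
    print("findings:         ", seq_findings)
```

Running it, the random strategy reaches only `POST /users` (201) and gets 404 for every path that needs an existing `userId`, while the dependency-aware sequence creates a user, creates a post under it, deletes the user and then observes the `GET` that should have failed. Input-parsing bugs would still need the random strategy; this is the complementary class of bug the thread refers to.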