microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

enhance documentation for custom payloads #135

Open marina-p opened 3 years ago

marina-p commented 3 years ago

As discussed in related issue #132, it would be useful to have more detailed examples of the different types of supported custom payloads. Currently, only the basic syntax is described in FuzzingDictionary.md.

efebarlas commented 3 years ago

Hi, I am working on a project that would benefit a lot from custom payloads. Unfortunately, I was not able to get it to work from the existing documentation. When the property is to be specified in JSON pointer format, should that pointer refer to the property in the OpenAPI documentation's list of endpoints, or schemas, or can it be either one? Also, can you add more documentation (or examples) for custom payloads when you have the time? Thanks in advance.

marina-p commented 3 years ago

Hello @efebarlas,

Yes, we will add the documentation. In the meantime, do the following examples unblock you?

The JSON pointer refers to the JSON body type of the response only. If you have two different endpoints with the same body JSON type, and need to specify different custom payloads for them, you will have to add them both to the same list in the dictionary, and both endpoints will test them. You cannot refer to a nested property by pointer; it has to start from the root of the actual request schema of one of the endpoints.

Example (from one of the unit tests checked into the repo): one of the body's properties is an array "items", where each entry is of type "GroceryListItem", and you want to specify "deliveryTags" in the custom payload.

    "items": {
      "description": "The type of bags to use",
      "type": "array",
      "items": {
        "$ref": "#/definitions/GroceryListItem"
      }
    }

    "GroceryListItem": {
      "properties": {
        "name": {
          "description": "The name of the item",
          "type": "string"
        },
        "deliveryTags": {
          "description": "The delivery tags",
          "type": "object"
        }
      }
    }

    "restler_custom_payload": {
      "/items/[0]/deliveryTags": [ "custom1" ]
    }

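
The path convention described in the comment above, as an added example that is not part of the thread and not RESTler's own code: a small check that walks each dictionary path from the root of a request body and reports paths that do not resolve. The sample body, the second dictionary entry, the function names, and the substitution of the payload for the property value are assumptions made for illustration.

```python
import copy
import re

# Constructed request body shaped like the schema fragments in the comment above.
SAMPLE_BODY = {"items": [{"name": "milk", "deliveryTags": {"fragile": "no"}}]}

# First entry is from the comment; the second is a constructed entry that
# names the nested property without starting from the body root.
CUSTOM_PAYLOADS = {
    "/items/[0]/deliveryTags": ["custom1"],
    "/deliveryTags": ["custom2"],
}

def split_path(path):
    """'/items/[0]/deliveryTags' -> ['items', 0, 'deliveryTags']"""
    if not path.startswith("/"):
        raise ValueError(f"path must start at the body root: {path!r}")
    parts = []
    for seg in path[1:].split("/"):
        index = re.fullmatch(r"\[(\d+)\]", seg)
        parts.append(int(index.group(1)) if index else seg)
    return parts

def find_parent(body, parts):
    """Walk from the root; return the container holding the last part, or None."""
    node = body
    for part in parts[:-1]:
        if isinstance(part, int) and isinstance(node, list) and part < len(node):
            node = node[part]
        elif isinstance(part, str) and isinstance(node, dict) and part in node:
            node = node[part]
        else:
            return None
    last = parts[-1]
    if isinstance(last, int):
        ok = isinstance(node, list) and last < len(node)
    else:
        ok = isinstance(node, dict) and last in node
    return node if ok else None

def expand(body, payloads):
    """Return (bodies with each payload substituted, paths that did not resolve)."""
    bodies, unresolved = [], []
    for path, values in payloads.items():
        parts = split_path(path)
        if find_parent(body, parts) is None:
            unresolved.append(path)
            continue
        for value in values:
            mutated = copy.deepcopy(body)
            find_parent(mutated, parts)[parts[-1]] = value
            bodies.append(mutated)
    return bodies, unresolved
```
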
efebarlas commented 3 years ago

Yes, these examples were very helpful. I will look at other custom payload unit tests as well. Thank you!