microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Support for multiple local server URLs in path level or method/operation level in RESTler grammar #334

Open Anudeep541 opened 3 years ago

Anudeep541 commented 3 years ago

This is the Open API Specification that is being used to support API endpoints of two different servers.

```yaml
paths:
  /data/serialNo:
    servers:
      - url: http://10.10.10.2:1234/v1
    get:
      parameters:
        - in: path
          name: serialNo
          required: true
          schema:
            type: string
            nullable: true
      responses:
        '200':
          description: Success in downloading
        '5XX':
          description: Unexpected error
  /keys:
    delete:
      servers:
        - url: http://10.10.10.3:4321/v1
      parameters:
        - in: query
          name: alias
          required: true
          schema:
            type: string
            nullable: true
      responses:
        '200':
          description: Success in downloading
        '5XX':
          description: Unexpected error
```

When describing the multiple server URLs either in path level or method/operation level as shown above, the generated RESTler grammar doesn't include either of the server IP addresses as shown below.

[screenshot: multiple_servers_issue]

marina-p commented 3 years ago

Hello @Jane2197,

Yes, it is expected that RESTler does not have the host URL in the grammar. Then, when the service is tested, the "host" passed in the engine settings is parsed on the fly and injected into the grammar.

Question for you: are these API endpoints mostly independent, such that you could split them up into two different specifications that could each be tested independently? Or are there many cases where data is returned from one server and sent to another server, so you'd really want to test sequences of the entire set of endpoints together?

If it's the latter, this is a new use case for RESTler and we will need some time to brainstorm/design how this should work. If it's the former, I would recommend splitting up the endpoints into two specs to fuzz such a specification with RESTler.

Thanks,

Marina

Anudeep541 commented 3 years ago

Hi,

Thanks for the response. The use case in our testing is the former, where we have independent API endpoints. Yes, we are currently performing the test by splitting up the specifications, but since we are fuzzing each server for 2 days and we have four servers in total, our testing takes 8 days in total. Hence we were looking into whether it is possible to add all servers in a single specification.
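The split that Marina recommends and Anudeep is doing by hand, as an added example that is not part of the thread or of RESTler: the helper below takes an OpenAPI 3 document that uses path-level or operation-level `servers`, applies the OpenAPI precedence (operation over path over document), and emits one single-server spec per host so each can run as its own RESTler job. The spec is constructed to mirror the one in the issue; the engine-settings key names other than `host` are my recollection of RESTler's settings file, not something the thread states.

```python
import copy
from urllib.parse import urlsplit

METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
OK = {"responses": {"200": {"description": "ok"}}}

# Constructed spec mirroring the issue: a path-level and an operation-level
# `servers` entry, plus a document-level fallback for everything else.
SPEC = {
    "openapi": "3.0.0", "info": {"title": "constructed", "version": "1"},
    "servers": [{"url": "http://10.10.10.1:80/v1"}],
    "paths": {
        "/data/serialNo": {"servers": [{"url": "http://10.10.10.2:1234/v1"}],
                           "get": dict(OK)},
        "/keys": {"delete": {"servers": [{"url": "http://10.10.10.3:4321/v1"}], **OK},
                  "get": dict(OK)},  # no servers here: falls back to the root list
    },
}

def effective_server(spec, path_item, operation):
    """OpenAPI 3 precedence: operation servers > path servers > root servers."""
    for scope in (operation, path_item, spec):
        if scope.get("servers"):
            return scope["servers"][0]["url"]
    return None

def split_by_server(spec):
    """Return {server_url: spec containing only that server's operations}."""
    parts = {}
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            url = effective_server(spec, item, op)
            sub = parts.setdefault(url, {**copy.deepcopy(spec), "paths": {}})
            sub["servers"] = [{"url": url}]  # one server per part, so no overrides
            path_copy = sub["paths"].setdefault(path, {
                k: copy.deepcopy(v) for k, v in item.items()
                if k not in METHODS and k != "servers"})
            path_copy[method] = copy.deepcopy(op)
            path_copy[method].pop("servers", None)
    return parts

def engine_settings_for(url):
    """Per-part RESTler engine settings. Key names other than 'host' are an
    assumption from memory of RESTler's settings file, not from the thread."""
    u = urlsplit(url)
    return {"host": u.hostname, "target_ip": u.hostname,
            "target_port": u.port, "no_ssl": u.scheme == "http"}
```

Each part can then be compiled and fuzzed in parallel with its own settings file, which addresses the wall-clock cost of running the servers one after another.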

mbiuki commented 3 years ago

Hi @marina-p, x-referencing from #353 discussion, I think the authentication params, e.g., X-Work-ID that was described in https://github.com/microsoft/restler-fuzzer/issues/353#issuecomment-931782496, could be considered for the latter case you've described in https://github.com/microsoft/restler-fuzzer/issues/334#issuecomment-915619332 above.