microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Schema to send a file as request body for an API fuzzing #338

Open Anudeep541 opened 3 years ago

Anudeep541 commented 3 years ago

Is there a schema method or specific parameter to set to include a local file as a request body when fuzzing a REST endpoint? When I tried with schema type string and format binary in the OpenAPI Specification, as described here https://swagger.io/docs/specification/describing-request-body/file-upload/, the compiled grammar, when used for fuzzing, doesn't show the request body as uploading a file.

marina-p commented 3 years ago

Hello @Jane2197,

Thank you for reporting this issue (and the others you opened). For this one, RESTler does not currently support/recognize the "binary" format in the specification. However, you may be able to get this working by modifying the grammar manually.

I've pushed some changes to the mp/formdata_fix branch, the commit message has an explanation for how to modify the grammar and dictionary to send a file as the body. If you have time to try this out, please let us know if it works for you.

(If the above works for you, please leave this issue open so we can track supporting the binary format in the RESTler compiler.)

Thanks,

Marina

Anudeep541 commented 3 years ago

Hi,

I tried file uploading with the mentioned branch by adding the required changes in grammar.py and dict.json, but observed the following issues:

  1. For a file with extension .bin, the following errors are shown when running RESTler in TEST mode:

ERROR: Restler engine failed Task Test failed.

Initializing: Garbage collection every 30 seconds.
Unhandled exception reading stream. Error:'utf-8' codec can't decode byte 0x94 in position 0: invalid start byte
Terminating garbage collection. Waiting for max 300 seconds.

  2. For a file with extension .txt, the file is successfully uploaded to the server, but the following issues are observed when running RESTler in TEST mode:

ERROR: Results analyzer for logs in </path/to/Test> failed.
Cannot deserialize mutations dictionary: An exception occurred during deserialization:  Newtonsoft.Json.JsonSerializationException: Could not find member 'restler_multipart_formdata' on object of type 'MutationsDictionary'. Path 'restler_multipart_formdata', line 26, position 33.

Content-Type: multipart/form-data; boundary=_CUSTOM_BOUNDARY_1632293617
--_CUSTOM_BOUNDARY_1632293617
Content-Disposition: form-data; name="file1"; filename="test.txt"
Content-Type: application/octet-stream

and at the end of file

--_CUSTOM_BOUNDARY_1632293617--

Thank you
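
As an added illustration (not RESTler's own code, and not the change on the mp/formdata_fix branch), the following Python builds a multipart/form-data body with the same framing as the request shown in the comment above and parses it back, working on bytes end to end. It also shows why a .txt payload survives a UTF-8 decode while a .bin payload whose first byte is 0x94 fails with exactly the 'invalid start byte' error quoted in the first item: any component that reads the request stream as text instead of bytes will break on binary content. The function names, the field name "file1" and the sample payloads are constructed for this example; the boundary value is the one from the logs.

```python
import re

# Boundary value taken from the logs in this thread; any token that cannot
# occur inside the payload works.
BOUNDARY = "_CUSTOM_BOUNDARY_1632293617"


def build_multipart_body(boundary: str, field_name: str, filename: str,
                         data: bytes,
                         content_type: str = "application/octet-stream") -> bytes:
    """Frame one file part the way the logs above show it: opening delimiter,
    Content-Disposition and Content-Type headers, a blank line, the raw file
    bytes, then the closing delimiter. The payload is never run through a
    text codec, so arbitrary binary content is preserved."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("read the file with open(path, 'rb'); the payload must be bytes")
    if boundary.encode("ascii") in data:
        raise ValueError("boundary occurs inside the payload; choose another one")
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode("ascii")
    tail = f"\r\n--{boundary}--\r\n".encode("ascii")
    return head + bytes(data) + tail


def parse_multipart_body(boundary: str, body: bytes) -> list:
    """Split a body into its parts, returning per part the parsed headers,
    the filename (if any) and the payload bytes untouched."""
    delim = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                       # closing delimiter "--boundary--"
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        header_blob, sep, payload = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no blank line between headers and payload")
        if payload.endswith(b"\r\n"):
            payload = payload[:-2]      # the CRLF before a delimiter belongs to it
        headers = {}
        for line in header_blob.decode("ascii").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        parts.append({"headers": headers,
                      "filename": m.group(1) if m else None,
                      "data": payload})
    return parts


def decodes_as_utf8(body: bytes) -> bool:
    """True if the whole body is valid UTF-8. A binary payload typically makes
    this False, which is the codec error reported for the .bin upload."""
    try:
        body.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    # Constructed sample payloads: a text file and a binary file starting with 0x94.
    text_body = build_multipart_body(BOUNDARY, "file1", "test.txt", b"hello\n", "text/plain")
    bin_body = build_multipart_body(BOUNDARY, "file1", "test.bin", bytes([0x94, 0x00, 0xFF]))
    print("text body is valid UTF-8:", decodes_as_utf8(text_body))
    print("binary body is valid UTF-8:", decodes_as_utf8(bin_body))
    print("parsed filename:", parse_multipart_body(BOUNDARY, bin_body)[0]["filename"])
```

The check in `decodes_as_utf8` is the one to run against whatever stage of the tooling first touches the body: if it returns False for your .bin file and the upload fails, the stream is being treated as text somewhere and the fix is to keep it as bytes rather than to re-encode the file.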

marina-p commented 3 years ago

@Jane2197 thanks for trying this out and for the detailed logs. I see now the issue with the file upload.

I will get back to you when back from vacation next week with a fix.

Thanks,

Marina