microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

How to deal with `found unsupported format: uint64`? #629

Closed banool closed 2 years ago

banool commented 2 years ago

Description

Hey, I'm using RESTler with the following fuzzing dictionary:

{
    "restler_fuzzable_string": [
        "fuzzstring"
    ],
    "restler_fuzzable_string_unquoted": [],
    "restler_fuzzable_datetime": [
        "2019-06-26T20:20:39+00:00"
    ],
    "restler_fuzzable_datetime_unquoted": [],
    "restler_fuzzable_date": [
        "2019-06-26"
    ],
    "restler_fuzzable_date_unquoted": [],
    "restler_fuzzable_uuid4": [
        "566048da-ed19-4cd3-8e0a-b7e0e1ec4d72"
    ],
    "restler_fuzzable_uuid4_unquoted": [],
    "restler_fuzzable_int": [
        "10"
    ],
    "restler_fuzzable_number": [
        "1.23"
    ],
    "restler_fuzzable_bool": [
        "true"
    ],
    "restler_fuzzable_object": [
        "{ \"fuzz\": false }"
    ],
    "restler_custom_payload": {},
    "restler_custom_payload_unquoted": {},
    "restler_custom_payload_uuid4_suffix": {}
}

In my OpenAPI spec, I use custom formats. I've read https://github.com/microsoft/restler-fuzzer/blob/main/docs/user-guide/FuzzingDictionary.md but can't see how to add support for them.

I would expect to be able to add something like this:

    "restler_custom_payload_uint64": [
        "545"
    ],

But that doesn't work.

A further complication here is that while the format is uint64, it is actually a string (to support languages such as JS). I'd need the custom payload to be able to encode that (perhaps just with "\"545\"").

I need this because I have custom formats such as uint64 and hex and I'd like to be able to control what values are generated for those.

marina-p commented 2 years ago

Hello @banool,

Being able to use custom payload formats in the dictionary (using a similar syntax that you would expect to work as in your description) is a future planned feature - unfortunately, today it is not supported and you must define custom payloads for each individual parameter with those formats using `restler_custom_payload`. Is that feasible for your use case, or are there too many such parameters? The related issue describing the currently planned dictionary syntax is #369.

Regarding the encoding question, RESTler should use the string you enter into the dictionary as-is (so, using the \"545\" value should work, if I understood the description correctly).

Thanks,

Marina
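The per-parameter workaround marina-p describes, as an added example that is not part of this thread or of RESTler's own code: a script that scans an OpenAPI 3 document for request parameters and body properties whose `format` is `uint64` or `hex` and writes a `restler_custom_payload` entry for each one, keyed by parameter name as the dictionary requires. The sample spec, the per-format value lists and the function names are constructed for the example. Whether RESTler needs the plain value or the explicitly quoted `"\"545\""` form for a string-typed parameter is left as an option (`quote_strings`), to be confirmed against the compiled grammar.py rather than assumed.

```python
"""Emit a RESTler fuzzing dictionary whose restler_custom_payload covers every
request parameter or body property carrying a custom OpenAPI format (uint64, hex).
Added example for this thread, not RESTler's own code. Assumptions: RESTler sends the
listed strings for the parameter/property of that name (the maintainer's workaround);
the spec is OpenAPI 3 with local $refs only; SAMPLE_SPEC and the values are constructed."""
import json
from functools import reduce
from typing import Any, Dict, Iterator, List, Tuple

# Values to send per custom format (assumed); uint64 travels as a JSON string here.
CUSTOM_FORMAT_VALUES: Dict[str, List[str]] = {
    "uint64": ["0", "1", "545", "18446744073709551615", "18446744073709551616"],
    "hex": ["0x0", "0x1", "0xdeadbeef", "0xg", ""],
}
BASE_DICTIONARY: Dict[str, Any] = {  # the dictionary posted in the issue, abridged
    "restler_fuzzable_string": ["fuzzstring"],
    "restler_fuzzable_datetime": ["2019-06-26T20:20:39+00:00"],
    "restler_fuzzable_date": ["2019-06-26"],
    "restler_fuzzable_uuid4": ["566048da-ed19-4cd3-8e0a-b7e0e1ec4d72"],
    "restler_fuzzable_int": ["10"], "restler_fuzzable_number": ["1.23"],
    "restler_fuzzable_bool": ["true"], "restler_fuzzable_object": ["{ \"fuzz\": false }"],
    "restler_custom_payload": {}, "restler_custom_payload_unquoted": {},
}
SAMPLE_SPEC: Dict[str, Any] = {  # constructed; note the Transaction <-> Payload cycle
    "paths": {
        "/accounts/{address}/transactions": {"get": {"parameters": [
            {"name": "address", "in": "path", "schema": {"type": "string", "format": "hex"}},
            {"name": "start", "in": "query", "schema": {"type": "string", "format": "uint64"}},
            {"name": "limit", "in": "query", "schema": {"type": "integer"}}]}},
        "/transactions": {"post": {"requestBody": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/Transaction"}}}}}},
    },
    "components": {"schemas": {
        "Transaction": {"type": "object", "properties": {
            "sequence_number": {"type": "string", "format": "uint64"},
            "payload": {"$ref": "#/components/schemas/Payload"}}},
        "Payload": {"type": "object", "properties": {
            "data": {"type": "string", "format": "hex"},
            "history": {"type": "array", "items": {"$ref": "#/components/schemas/Transaction"}}}},
    }},
}


def _walk(spec, node, name, seen) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (name, schema) for named schemas with a format; follow local $refs."""
    if not isinstance(node, dict):
        return
    ref = node.get("$ref")
    if ref is not None:
        if ref in seen or not ref.startswith("#/"):  # cycle on this path, or external ref
            return
        seen = seen | {ref}
        node = reduce(lambda n, k: n[k], ref[2:].split("/"), spec)
    if name and "format" in node:
        yield name, node
    for key, child in node.get("properties", {}).items():
        yield from _walk(spec, child, key, seen)
    if "items" in node:  # an array keeps the enclosing property's name
        yield from _walk(spec, node["items"], name, seen)
    for comb in ("allOf", "anyOf", "oneOf"):
        for child in node.get(comb, []):
            yield from _walk(spec, child, name, seen)


def iter_request_schemas(spec) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Walk the parameters and JSON request bodies of every operation."""
    for path_item in spec.get("paths", {}).values():
        shared = path_item.get("parameters", [])
        for key, op in path_item.items():
            if key == "parameters" or not isinstance(op, dict):
                continue
            for p in shared + op.get("parameters", []):
                yield from _walk(spec, p.get("schema", {}), p.get("name", ""), frozenset())
            for media in op.get("requestBody", {}).get("content", {}).values():
                yield from _walk(spec, media.get("schema", {}), "", frozenset())


def collect_custom_format_params(spec, formats=CUSTOM_FORMAT_VALUES):
    """Return ({name: (format, type)}, conflicts): restler_custom_payload is keyed by
    name alone, so a name used with two different formats is reported, not overwritten."""
    found: Dict[str, Tuple[str, str]] = {}
    conflicts: List[Tuple[str, Tuple[str, str], Tuple[str, str]]] = []
    for name, schema in iter_request_schemas(spec):
        if schema["format"] not in formats:
            continue
        entry = (schema["format"], schema.get("type", "string"))
        if name in found and found[name] != entry:
            conflicts.append((name, found[name], entry))
        else:
            found[name] = entry
    return found, conflicts


def build_dictionary(spec, base=BASE_DICTIONARY, quote_strings=False):
    """Return (dictionary, conflicts). quote_strings=True emits the "\"545\"" form from
    the thread for string-typed parameters; check the compiled grammar.py to decide."""
    found, conflicts = collect_custom_format_params(spec)
    result = json.loads(json.dumps(base))  # deep copy so BASE_DICTIONARY stays intact
    payload = dict(result["restler_custom_payload"])
    for name, (fmt, typ) in sorted(found.items()):
        values = list(CUSTOM_FORMAT_VALUES[fmt])
        payload[name] = [json.dumps(v) for v in values] if quote_strings and typ == "string" else values
    result["restler_custom_payload"] = payload
    return result, conflicts


if __name__ == "__main__":
    print(json.dumps(build_dictionary(SAMPLE_SPEC)[0], indent=2))  # save as the dictionary file
```

Because `restler_custom_payload` is keyed by parameter name only, a name that appears with two different formats in the spec (say `id` as hex on one route and uint64 on another) is returned in `conflicts` instead of letting the later one win; those few need hand-written entries. After compiling with the generated dictionary, look for the parameter in grammar.py to confirm the value arrives with the quoting the service expects.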

banool commented 2 years ago

Hey @marina-p, thanks for the response! Understood, I think I should be able to use restler_custom_payload for now, I don't have too many named parameters using these custom formats.