microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Can't use external example file #664

Closed Silverbullet069 closed 1 year ago

Silverbullet069 commented 1 year ago

Description

Hi, I'm currently replicating your demo for using an external example file at https://youtu.be/FYmiPoRwEbE?t=2716, but it doesn't seem to be working.

My config.json

{
  "SwaggerSpecFilePath": [
    "/home/darkswordman/Desktop/it-modern-problem-final/demo-server-test/swagger.json"
  ],
  "GrammarOutputDirectoryPath": "/home/darkswordman/Desktop/it-modern-problem-final/demo-server-test/Compile",
  "CustomDictionaryFilePath": "/home/darkswordman/Desktop/it-modern-problem-final/demo-server-test/dict.json",

  "IncludeOptionalParameters": true,
  "UseHeaderExamples": false,
  "UsePathExamples": false,
  "UseQueryExamples": false,
  "UseBodyExamples": false,
  "UseAllExamplePayloads": false,

  "DiscoverExamples": false,
  "ExamplesDirectory": "/home/darkswordman/Desktop/it-modern-problem-final/demo-server-test/examples",
  "ExampleConfigFilePath": "/home/darkswordman/Desktop/it-modern-problem-final/demo-server-test/examples/examples.json",

  "DataFuzzing": true,
  "ReadOnlyFuzz": false,
  "ResolveQueryDependencies": true,
  "ResolveBodyDependencies": true,
  "ResolveHeaderDependencies": false,
  "UseRefreshableToken": true,
  "AllowGetProducers": false,
  "TrackFuzzedParameterNames": false
}

My examples.json, which is specified in "ExampleConfigFilePath":

{
  "paths": {
    "/api/blog/posts": {
      "post": {
        "1": {
          "parameters": {
            "payload": {
              "id": 12345,
              "tags": ["john doe", "jane doe"]
            }
          }
        }
      }
    }
  }
}

After compiling, I've tried to search for '12345' in grammar.py, but no hard-coded id was found. What's more interesting is that examples, not in the external file but in the specification file, are still being used in grammar.py despite "UseAllExamplePayloads" being set to false.

Silverbullet069 commented 1 year ago

Never mind, I switched to the special keyword "__body__" and it works like a charm. It seems that "payload" is not the name of the body parameter for /api/blog/posts POST. Using "__body__" omitted it. You need to do more documentation when it comes to the OpenAPI Specification; not everybody learns it before using RESTler...
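The silent failure in this thread (an example keyed "payload" that the compiler never matched, so no "12345" reached grammar.py) is easy to catch before compiling. The script below is an added example, not RESTler's own code: it assumes the examples file layout shown above (paths -> method -> example name -> "parameters" -> {parameter name: value}) and the convention the reporter confirmed, that the request body is keyed "__body__" while every other key must match a parameter name in the spec. The Swagger fragment and both example files are constructed inline to mirror the issue.

```python
"""Check a RESTler-style examples file against the Swagger/OpenAPI spec it targets.

Added example, not part of RESTler. Assumes example keys are matched by parameter
name and that the body is addressed with the keyword "__body__".
"""
import json

BODY_KEYWORD = "__body__"

# Constructed Swagger 2.0 fragment standing in for the issue's swagger.json.
SWAGGER = json.loads("""
{
  "swagger": "2.0",
  "paths": {
    "/api/blog/posts": {
      "post": {
        "parameters": [
          {"name": "payload", "in": "body", "schema": {"type": "object"}}
        ]
      },
      "get": {
        "parameters": [
          {"name": "page", "in": "query", "type": "integer"}
        ]
      }
    }
  }
}
""")

# The examples file as filed in the issue: body keyed by the Swagger parameter name.
EXAMPLES_AS_FILED = {
    "paths": {"/api/blog/posts": {"post": {"1": {"parameters": {
        "payload": {"id": 12345, "tags": ["john doe", "jane doe"]}}}}}}
}

# The same file after the fix the reporter landed on: body keyed "__body__".
EXAMPLES_FIXED = {
    "paths": {"/api/blog/posts": {"post": {"1": {"parameters": {
        BODY_KEYWORD: {"id": 12345, "tags": ["john doe", "jane doe"]}}}}}}
}


def operation_parameter_names(spec, path, method):
    """Return (non-body parameter names, has_body) for one operation, or None if absent.

    Path-level parameters are merged with operation-level ones, as the spec allows.
    OpenAPI 3 bodies live under "requestBody" rather than an "in": "body" parameter.
    """
    path_item = spec.get("paths", {}).get(path)
    if path_item is None or method not in path_item:
        return None
    operation = path_item[method]
    params = list(path_item.get("parameters", [])) + list(operation.get("parameters", []))
    names = set()
    has_body = "requestBody" in operation
    for p in params:
        if p.get("in") == "body":
            has_body = True
        elif "name" in p:
            names.add(p["name"])
    return names, has_body


def check_examples(spec, examples):
    """Return a list of problems; an empty list means every example key is usable."""
    problems = []
    for path, methods in examples.get("paths", {}).items():
        for method, named_examples in methods.items():
            op = operation_parameter_names(spec, path, method.lower())
            label = f"{method.upper()} {path}"
            if op is None:
                problems.append(f"{label}: operation not in spec")
                continue
            names, has_body = op
            for ex_name, ex in named_examples.items():
                for key in ex.get("parameters", {}):
                    if key == BODY_KEYWORD:
                        if not has_body:
                            problems.append(
                                f"{label} example {ex_name}: '{BODY_KEYWORD}' given but operation has no body")
                    elif key not in names:
                        hint = f" (use '{BODY_KEYWORD}' for the request body)" if has_body else ""
                        problems.append(f"{label} example {ex_name}: unknown parameter '{key}'{hint}")
    return problems


if __name__ == "__main__":
    for title, examples in (("as filed", EXAMPLES_AS_FILED), ("fixed", EXAMPLES_FIXED)):
        print(title, check_examples(SWAGGER, examples) or "ok")
```

Run it before compiling; a non-empty list means the compiler would have ignored that example without saying so, which is exactly why the hard-coded value never showed up in grammar.py.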