microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

NameSpace checker not working as expected #763

Open hackS3c101 opened 1 year ago

hackS3c101 commented 1 year ago

Description

I'm using RESTler on VAmPI, a deliberately vulnerable application (https://github.com/erev0s/VAmPI). In the app, there is a BOLA vuln where one user can create a new book (POST /books/v1 with a book_title & secret in the body of the request) and another authenticated user can retrieve this book by requesting GET /books/v1/{book_title}.

I'm trying to trigger this scenario, as I understand this is a classic case which the NameSpace checker can find. I configured everything and ran fuzz-lean, and the "best" result I got is that the fuzzer did use the 2 different tokens I provided it, but not POST with user1 -> GET with user2, rather POST with user1 -> POST with user2. I even provided the same book_title manually in the grammar.py file and still no success. I do get one result from the NameSpace checker, but it is not the desired one.

How do I make the fuzzer work in the scenario of creating the resource with user1 (user1 token) and fetch the same resource with user 2 (user2 token)?

Another question: can the fuzzer perform a full and ordered scenario? For example, register 2 users, log in with these 2 users, save their tokens, create the resource with user1 (POST to create a book in this case) and fetch it with user2? I want to automate this full scenario and not provide the fuzzer with a token, but force it to obtain it, save it, and use it in subsequent requests.

Results + conf:

restler_bin/restler/Restler fuzz-lean --grammar_file Compile/grammar.py --dictionary_file Compile/dict.json --settings Compile/engine_settings.json --no_ssl --token_refresh_command "python MY_PATH/restler-fuzzer/get_token.py" --token_refresh_interval 3600 --enable_checkers namespacerule
Starting task FuzzLean...
Using python: 'python3' (Python 3.10.1)
Request coverage (successful / total): 10 / 13
Attempted requests: 13 / 13
Bugs were found!
Bug buckets:

NameSpaceRuleChecker_500: 1
main_driver_500: 2
See 'coverage_failures_to_investigate.txt' to investigate API coverage.
Task FuzzLean succeeded.

All the conf files + PCAP files, where you can see that 2 different tokens were in use, but for the same POST create-a-book request (for some reason I could not upload the files, so sharing a link):

https://drive.google.com/drive/folders/10Hm04XjXu2auxCa1_R6SMDVUv-Iers6m?usp=sharing

setting.json:

{
    "max_combinations": 20,
    "checkers": {
        "namespacerule" : {
            "mode":"exhaustive",
            "trigger_objects" : ["book_title"]
        }
    }
}

Steps to reproduce

Above

Expected results

No response

Actual results

No response

Environment details

No response

genkoman commented 7 months ago

Hi Marina,

Any update on this? I'm also trying to test for BOLA and seeing the same as described above. Moreover, I believe the NameSpace checker should cover most of the HTTP methods, such as POST with user1 -> GET/POST/PATCH/PUT/DELETE with user2, if those methods are supported. Maybe the result should be evaluated based on the HTTP status returned, which could also be configurable in the settings. The reason for this is that different API implementations do not strictly adhere to the HTTP specifications and misuse HTTP response codes.
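As an added example (not RESTler's code and not from either commenter), here is the ordered scenario the issue asks for written as a plain authorization regression check: register two users, log each one in, create a book as user1, then read it back as user2 and classify the second read by its HTTP status, which addresses the configurable-status point raised in the follow-up comment. The POST /books/v1 and GET /books/v1/{book_title} paths and the book_title/secret fields come from the issue; the register and login paths, the auth_token field and the Bearer header are assumptions, and the in-memory FakeVampi stand-in is constructed here so the script runs offline (with enforce_owner=False it reproduces the described BOLA, with True it models the fixed service).

```python
import uuid
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, dict]
# Transport signature: (method, path, headers, json_body) -> (status, json_body).
# Any real HTTP client can be wrapped to match it; the fake below is used for offline runs.
Send = Callable[[str, str, Dict[str, str], Optional[dict]], Response]


class FakeVampi:
    """Constructed in-memory stand-in for the VAmPI books API (assumed paths/fields).
    enforce_owner=False reproduces the BOLA in the issue; True models the fixed service."""

    def __init__(self, enforce_owner: bool) -> None:
        self.enforce_owner = enforce_owner
        self.users: Dict[str, str] = {}    # username -> password
        self.tokens: Dict[str, str] = {}   # bearer token -> username
        self.books: Dict[str, dict] = {}   # book_title -> {"secret", "owner"}

    def _who(self, headers: Dict[str, str]) -> Optional[str]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        return self.tokens.get(auth[len("Bearer "):])

    def send(self, method: str, path: str, headers: Dict[str, str], body: Optional[dict]) -> Response:
        if (method, path) == ("POST", "/users/v1/register"):          # assumed path
            self.users[body["username"]] = body["password"]
            return 200, {"status": "success"}
        if (method, path) == ("POST", "/users/v1/login"):             # assumed path
            if self.users.get(body["username"]) != body["password"]:
                return 401, {"status": "fail"}
            token = uuid.uuid4().hex
            self.tokens[token] = body["username"]
            return 200, {"auth_token": token}                         # assumed field name
        user = self._who(headers)
        if user is None:
            return 401, {"status": "fail"}
        if (method, path) == ("POST", "/books/v1"):
            if body["book_title"] in self.books:
                return 400, {"status": "fail"}
            self.books[body["book_title"]] = {"secret": body["secret"], "owner": user}
            return 200, {"status": "success"}
        if method == "GET" and path.startswith("/books/v1/"):
            book = self.books.get(path[len("/books/v1/"):])
            if book is None:
                return 404, {"status": "fail"}
            # The fix: only the creating user may read the secret.
            if self.enforce_owner and book["owner"] != user:
                return 403, {"status": "fail"}
            return 200, {"secret": book["secret"], "owner": book["owner"]}
        return 404, {"status": "fail"}


def register_and_login(send: Send, username: str, password: str) -> str:
    """Step 1 and 2 of the scenario: create the user, then obtain its token."""
    send("POST", "/users/v1/register", {}, {"username": username, "password": password})
    status, body = send("POST", "/users/v1/login", {}, {"username": username, "password": password})
    if status != 200:
        raise RuntimeError(f"login failed for {username}: HTTP {status}")
    return body["auth_token"]


def bola_probe(send: Send, leak_statuses: frozenset = frozenset({200})) -> dict:
    """Create a book as user1 and read it as user2; report the statuses seen.
    leak_statuses makes the verdict configurable, since APIs misuse status codes."""
    t1 = register_and_login(send, "user1", "pw-one")
    t2 = register_and_login(send, "user2", "pw-two")
    title = "book-" + uuid.uuid4().hex[:8]
    h1 = {"Authorization": f"Bearer {t1}"}
    h2 = {"Authorization": f"Bearer {t2}"}
    create_status, _ = send("POST", "/books/v1", h1, {"book_title": title, "secret": "owner-only"})
    owner_status, _ = send("GET", f"/books/v1/{title}", h1, None)
    other_status, other_body = send("GET", f"/books/v1/{title}", h2, None)
    return {
        "book_title": title,
        "create_status": create_status,
        "owner_status": owner_status,
        "other_status": other_status,
        # Verdict: the non-owner obtained a "success" status and the secret came back.
        "bola": other_status in leak_statuses and "secret" in other_body,
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("enforce_owner =", fixed, "->", bola_probe(FakeVampi(enforce_owner=fixed).send))
```

To run this against a live service, replace the FakeVampi transport with a small wrapper around your HTTP client that returns (status_code, parsed_json); the probe itself does not change, and widening leak_statuses (for example to include 201 or 204 for write methods) is how you account for APIs that do not follow the status-code conventions.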