RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License
2.52k
stars
284
forks
source link
How Restler handles historical data when fuzzing? #782
I am not familiar with how Restler handles historical data. For example, I have two APIs; one of them registers a user with a POST request and returns the user's ID in the response, while the other API requires the ID to be included in the path parameter to retrieve the expected results.
I tried to test this scenario, but the second request did not work as expected - I only got a fuzz string instead of the expected ID in the position. I am unsure if this is due to my improper usage or if Restler is unable to handle historical requests from the response.
My APIs look like:
method: POST endpoint: /people body: {anything}
response is like: {
"msg": "add person: {'id': '8622399152', 'data': {'name': 'ssssss'}}"
}
method: GET endpoint: /search/fuzzstring
then I want fuzzer could send request like 'GET /search/8622399152'
Description
I am not familiar with how Restler handles historical data. For example, I have two APIs; one of them registers a user with a POST request and returns the user's ID in the response, while the other API requires the ID to be included in the path parameter to retrieve the expected results. I tried to test this scenario, but the second request did not work as expected - I only got a fuzz string instead of the expected ID in the position. I am unsure if this is due to my improper usage or if Restler is unable to handle historical requests from the response.
My APIs look like: