microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License
2.52k stars, 283 forks

Authentication and Authorization checks using Restler #805

Open thrivikramgit opened 10 months ago

thrivikramgit commented 10 months ago

Description

Hello Team,

Firstly, thank you for creating such an amazing tool. Using RESTler we could cover three areas, and I would like to summarize each. Please correct us if we are using the process incorrectly.

  1. Input Validation and Error Handling checks: we are tuning the payloads and the custom grammar file depending on the Swagger. If possible we would like to provide some examples. Using this, I have seen that RESTler could find more bugs.

  2. Authentication Checks: we pass an invalid token and run RESTler in test mode or fuzz-lean mode. We then verify the network logs and check whether any resource was created, accessed or deleted. We consider this a bug.

  3. Authorization Checks: let us consider that there are two tenants. For Tenant A, we pass a token and run RESTler in test mode or fuzz-lean mode. Then we need to check whether Tenant B's token could access the resources of Tenant A. But how can we do that? I am a little bit confused. Could you please help me?

Thanks for your support, Vikram
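One way to carry out the authorization check asked about in point 3 (and the invalid-token check from point 2), as an added example that is not part of this issue thread and not RESTler's own code: run the fuzzer as Tenant A, collect the paths of the resources it created, then replay reads and deletes on exactly those paths with Tenant B's token and with a bogus token. Any response other than a denial is a finding. Everything below is constructed for the demo: the two bearer tokens, the in-memory `FakeApi` standing in for the service (with an owner check deliberately missing on GET so the check has something to flag), and the list of created paths. In a real run those paths would be extracted from the RESTler network log of the Tenant A run; that log parser is not shown here.

```python
"""Cross-tenant authorization and invalid-token checks replayed against a REST API.

Added illustration; not part of RESTler. Assumptions (all constructed): TOKEN_A /
TOKEN_B bearer tokens, FakeApi as the service under test, and the resource paths
that Tenant A created during its fuzzing run.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

TOKEN_A = "tenantA-token"      # constructed tokens for the two tenants
TOKEN_B = "tenantB-token"
TOKENS = {TOKEN_A: "tenantA", TOKEN_B: "tenantB"}

Finding = Tuple[str, str, int]   # (method, path, unexpected status)


@dataclass
class Response:
    status: int
    body: str = ""


class FakeApi:
    """Constructed stand-in for a multi-tenant /items service.
    Planted bug: GET never compares the item's owner with the caller's tenant.
    DELETE is implemented correctly, so the check should flag GET only."""

    def __init__(self) -> None:
        self.items: Dict[str, Tuple[str, str]] = {}   # id -> (owner tenant, body)
        self.counter = 0

    def send(self, method: str, path: str, headers: Dict[str, str], body: str = "") -> Response:
        token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
        tenant = TOKENS.get(token)
        if tenant is None:
            return Response(401)                     # missing or unknown token
        if method == "POST" and path == "/items":
            self.counter += 1
            item_id = f"i{self.counter}"
            self.items[item_id] = (tenant, body)
            return Response(201, json.dumps({"id": item_id}))
        if path.startswith("/items/"):
            item_id = path.removeprefix("/items/")
            if item_id not in self.items:
                return Response(404)
            owner, stored = self.items[item_id]
            if method == "GET":
                return Response(200, stored)         # BUG: no owner check
            if method == "DELETE":
                if owner != tenant:
                    return Response(403)
                del self.items[item_id]
                return Response(204)
        return Response(405)


Send = Callable[..., Response]


def create_as_tenant(send: Send, token: str, bodies: List[str]) -> List[str]:
    """Phase 1, what the Tenant A run does: create resources and record their paths."""
    paths = []
    for body in bodies:
        r = send("POST", "/items", {"Authorization": f"Bearer {token}"}, body)
        if r.status != 201:
            raise RuntimeError(f"setup failed with HTTP {r.status}")
        paths.append("/items/" + json.loads(r.body)["id"])
    return paths


def cross_tenant_findings(send: Send, paths: List[str], other_token: str) -> List[Finding]:
    """Phase 2: replay GET and DELETE on every Tenant A path with Tenant B's token.
    401/403 are the expected denials; 404 is also acceptable, since a service may
    hide the existence of another tenant's resource. Anything else is a bug."""
    findings = []
    for path in paths:
        for method in ("GET", "DELETE"):
            r = send(method, path, {"Authorization": f"Bearer {other_token}"})
            if r.status not in (401, 403, 404):
                findings.append((method, path, r.status))
    return findings


def invalid_token_findings(send: Send, paths: List[str]) -> List[Finding]:
    """Authentication check: with a garbage token no create, read or delete may succeed."""
    bogus = {"Authorization": "Bearer not-a-real-token"}
    findings = []
    r = send("POST", "/items", bogus, "{}")
    if r.status not in (401, 403):
        findings.append(("POST", "/items", r.status))
    for path in paths:
        for method in ("GET", "DELETE"):
            r = send(method, path, bogus)
            if r.status not in (401, 403):
                findings.append((method, path, r.status))
    return findings


def run_checks() -> Dict[str, List[Finding]]:
    """Run both checks against a fresh FakeApi and return the findings per check."""
    api = FakeApi()
    paths = create_as_tenant(api.send, TOKEN_A, ['{"secret": 1}', '{"secret": 2}'])
    return {
        "authz": cross_tenant_findings(api.send, paths, TOKEN_B),
        "authn": invalid_token_findings(api.send, paths),
    }


if __name__ == "__main__":
    for name, found in run_checks().items():
        print(name, "OK" if not found else found)
```

Against the planted bug this reports the two GET replays (HTTP 200 for Tenant B on Tenant A's items) and nothing for the invalid-token check. The important design point is that the second phase replays the same paths the first phase produced rather than fuzzing afresh as Tenant B: a separate fuzzing run as Tenant B would only create and touch Tenant B's own resources and would never exercise the cross-tenant case. Against a real service, replace `FakeApi.send` with a function that issues the HTTP request and returns the status and body.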

Oleggg2000 commented 10 months ago

I would also be very appreciative to have an example of using more than one auth token. Moreover, I have different YAML files listed in the Swagger Spec File Path parameter. Some of them need an "admin" token, others use a "user" token. What do you suggest to us, @marina-p? Thanks in advance for your reply!

thrivikramgit commented 9 months ago

Hello @marina-p, could you please help us here?

Thanks for your support