search

microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License
2.52k stars 283 forks source link

The RESTler runs but without successful requests #811

Open b4kik opened 9 months ago

b4kik commented 9 months ago

Description

I tried to run RESTler both locally and on our execution server, but unfortunately I do not see any logs on our API GW related to these tests.

Steps to reproduce

alias restler='docker run --rm -v "$(pwd)":/mnt -it XXX.artifacts.rbi.tech/rice-restler-img:0.0.1.b2' [XXX_rice-test@XXX-XXXServer zap-openapi-configs]$ restler compile --api_spec customers.json Unable to find image 'XXX.artifacts.rbi.tech/rice-restler-img:0.0.1.b2' locally 0.0.1.b2: Pulling from rice-restler-img 7d97e254a046: Pull complete 3970ea6bbab9: Pull complete 09046965cfe2: Pull complete 4dbeac3c018a: Pull complete 015f4de41824: Pull complete 7f9d088af9a2: Pull complete af28609b2136: Pull complete cc94ae7c914b: Pull complete d95870778506: Pull complete fd0a760c2797: Pull complete e6bf4cd9b706: Pull complete 4e8bff89f0d0: Pull complete 4f4fb700ef54: Pull complete Digest: sha256:9b1f37f509ab0d502a0e34eaf6a862233ad4b101c35d57a59bb6e63c3553bf63 Status: Downloaded newer image for rice-docker-host.artifacts.rbi.tech/rice-restler-img:0.0.1.b2 Starting task Compile... Task Compile succeeded. Collecting logs...

[XXX_rice-test@XXX-XXXServer zap-openapi-configs]$ restler test --grammar_file Compile/grammar.py --dictionary_file Compile/dict.json --settings Compile/engine_settings.json --no_ssl Starting task Test... Using python: 'python3' (Python 3.9.2) Request coverage (successful / total): 0 / 15 Attempted requests: 0 / 15 No bugs were found. See 'coverage_failures_to_investigate.txt' to investigate API coverage. Task Test succeeded. Collecting logs...

[XXX_rice-test@XXX-XXXServer zap-openapi-configs]$ restler fuzz --grammar_file Compile/grammar.py --dictionary_file Compile/dict.json --settings Compile/engine_settings.json --no_ssl Starting task Fuzz... Using python: 'python3' (Python 3.9.2) Request coverage (successful / total): 0 / 15 Attempted requests: 0 / 15 No bugs were found. Task Fuzz succeeded. Collecting logs...

[XXX_rice-test@XXX-XXXServer zap-openapi-configs]$ restler fuzz-lean --grammar_file Compile/grammar.py --dictionary_file Compile/dict.json --settings Compile/engine_settings.json --host gil-dev160.rice-test.merlin Starting task FuzzLean... Using python: 'python3' (Python 3.9.2) Request coverage (successful / total): 0 / 15 Attempted requests: 0 / 15 No bugs were found. See 'coverage_failures_to_investigate.txt' to investigate API coverage. Task FuzzLean succeeded. Collecting logs...

[XXX_rice-test@XXX-XXXServer zap-openapi-configs]$ tail ./FuzzLean/coverage_failures_to_investigate.txt

GET /customers/fuzzstring/interactions?limit=5&offset=5 HTTP/1.1\r\nAccept: application/json\r\nHost: gil-dev160.rice-test.merlin\r\nX-Request-ID: 1446275d-fd97-4d86-933d-83c32fb913dc\r\nX-Correlation-ID: 99391c7e773ad88fgtr49ec9ddcb1f77khjzrss\r\nRICE-NWU-ID: RBHR\r\nAccept-Version: 1.2\r\nDevice-Session-ID: HP3WR49WZsP8T5eboyHQ==_8I0gbpi3Mw/A1hAdYRZqRwAAcR0DCY2B\r\nDevice-Session-Provider: fuzzstring\r\nAccept-Language: fuzzstring\r\n\r\n <

+++ Combination 5 +++: Request sequence:

GET /customers/fuzzstring/interactions?limit=5&offset=5 HTTP/1.1\r\nAccept: application/json\r\nHost: gil-dev160.rice-test.merlin\r\nX-Request-ID: dd8c0501-821e-4026-86fb-9d100587feec\r\nX-Correlation-ID: 99391c7e773ad88fgtr49ec9ddcb1f77khjzrss\r\nRICE-NWU-ID: RBHR\r\nAccept-Version: 1.2\r\nDevice-Session-ID: fuzzstring\r\nDevice-Session-Provider: Precognitive\r\nAccept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5\r\n\r\n <

[XXX_rice-test@XXX-XXXServer zap-openapi-configs]$ tail ./Test/coverage_failures_to_investigate.txt

GET /customers/fuzzstring/interactions?limit=5&offset=5 HTTP/1.1\r\nAccept: application/json\r\nHost: \r\nX-Request-ID: e503dd34-3eb0-4107-923b-f38c833b7923\r\nX-Correlation-ID: 99391c7e773ad88fgtr49ec9ddcb1f77khjzrss\r\nRICE-NWU-ID: RBHR\r\nAccept-Version: 1.2\r\nDevice-Session-ID: HP3WR49WZsP8T5eboyHQ==_8I0gbpi3Mw/A1hAdYRZqRwAAcR0DCY2B\r\nDevice-Session-Provider: fuzzstring\r\nAccept-Language: fuzzstring\r\n\r\n <

+++ Combination 5 +++: Request sequence:

GET /customers/fuzzstring/interactions?limit=5&offset=5 HTTP/1.1\r\nAccept: application/json\r\nHost: \r\nX-Request-ID: b8ba9dfc-57fe-4fca-bb54-9a0a3ad52435\r\nX-Correlation-ID: 99391c7e773ad88fgtr49ec9ddcb1f77khjzrss\r\nRICE-NWU-ID: RBHR\r\nAccept-Version: 1.2\r\nDevice-Session-ID: fuzzstring\r\nDevice-Session-Provider: Precognitive\r\nAccept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5\r\n\r\n <

Expected results

The tool is able to trigger successful requests and requests are visible in logs.

Actual results

Request coverage (successful / total): 0 / 15 Attempted requests: 0 / 15 No bugs were found.

Environment details

Python 2.7.18, dotnet/sdk:6.0, restler version is the newest one RUN git clone https://github.com/microsoft/restler-fuzzer.git /usr/local/src/restler-fuzzer