RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License
[Feature Request] Structured log for improved results analysis #818
We want to enable some of the post-run analysis; thus we are looking for a structured JSON log which can be configured every instance of request + response where a bug is detected. These bugs could be HTTP result codes where the result codes can be configured, or issues detected by Checkers.
Just to clarify, the log does not need to have all the request + responses. Just the ones where RESTler deemed the response is a bug.
The following data should be included in each request + response in the log.
1. Client Timestamp - Time RESTler evaluated the response and determined there's a bug.
2. Request
   a. HTTP Version
   b. Method
   c. Uri
   d. Query String
   e. Headers
   f. Host
   g. Body
3. Response
   a. HTTP Version
   b. Status Code
   c. Status Description
   d. Headers
   e. Body
4. Bug info
   a. Source - Name of the Checker if found by a checker or “main”?
   b. Type of bug (e.g. UseAfterFree, HTTP 500, HTTP 401)
We do not have requirements for the log to be generated while a run is in progress. It can be generated after a run (e.g., a ResultAnalyzer command) and can be enabled from a config file or Restler.exe command line.
We do not have a requirement on whether there are multiple log files (e.g., one file for InvalidValueChecker and another for main) or just one log file as long as the information in items 1 through 4 is included (perhaps item 4 can be inferred from the file name).
💡 Idea
Design Notes
Example of what we're looking for:
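Added example, not part of the original issue and not RESTler's own code or log format: one way the fields in items 1 through 4 could be assembled into a single JSON record from a raw request/response pair. The function names, the JSON key names, the masking of credential-bearing headers and the sample HTTP text are all assumptions made for this illustration.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: credential-bearing headers are masked before the record is stored.
REDACTED_HEADERS = {"authorization", "cookie", "set-cookie"}


def _parse(raw):
    """Split raw HTTP text into (start line, [[name, value], ...], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *lines = head.split("\n")
    headers = []  # list of pairs, so repeated header names are preserved
    for line in lines:
        name, _, value = line.partition(":")
        masked = name.strip().lower() in REDACTED_HEADERS
        headers.append([name.strip(), "<redacted>" if masked else value.strip()])
    return start, headers, body


def build_bug_record(raw_request, raw_response, source, bug_type, now=None):
    """Return one JSON line with items 1-4 of the issue (key names are assumed)."""
    start, req_headers, req_body = _parse(raw_request)
    method, target, req_version = start.split(" ", 2)
    url = urlsplit(target)
    status_line, resp_headers, resp_body = _parse(raw_response)
    resp_version, code, *reason = status_line.split(" ", 2)
    host = next((v for k, v in req_headers if k.lower() == "host"), "")
    record = {
        "client_timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "request": {"http_version": req_version, "method": method,
                    "uri": url.path, "query_string": url.query,
                    "headers": req_headers, "host": host, "body": req_body},
        "response": {"http_version": resp_version, "status_code": int(code),
                     "status_description": reason[0] if reason else "",
                     "headers": resp_headers, "body": resp_body},
        "bug_info": {"source": source, "type": bug_type},
    }
    return json.dumps(record)


# Constructed sample input, not captured from a real RESTler run.
SAMPLE_REQUEST = ("PUT /api/items/42?force=true HTTP/1.1\r\nHost: localhost:8888\r\n"
                  "Authorization: Bearer sample-token\r\n\r\n{\"name\": \"x\"}")
SAMPLE_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\n"
                   "Content-Type: text/plain\r\n\r\nunhandled exception")

if __name__ == "__main__":
    print(build_bug_record(SAMPLE_REQUEST, SAMPLE_RESPONSE, "main", "HTTP 500"))
```

Writing one such record per line (JSON Lines) keeps the file appendable and lets post-run tooling filter on `bug_info.source` or `response.status_code` without loading the whole log.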