microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Handling of optional parameters #836

Open Marcondiro opened 7 months ago

Marcondiro commented 7 months ago

Description

Hello, when I have optional parameters in the OpenAPI I'd like the fuzzer to generate both requests where the parameter is present and requests where it is not. For example, for the API GET /users?optionalParam I'd like to test both

I'm wondering if there is a way in RESTler to handle optional parameters this way. I'm aware of the possibility of setting the "param_kind" option but it looks like I can choose only to set always all the optional parameters or none of them (please tell me if I am mistaken on this). So for the API GET /users?optionalParam1&optionalParam2 there is no way to generate

Thanks! 😊

marina-p commented 7 months ago

Hello @Marcondiro,

This can be accomplished, but all of the combinations will not necessarily be exercised in every fuzz mode. These will be exercised by setting "fuzzing_mode": "bfs" in the engine settings, or by passing the --test_all_combinations in Test mode on the command line (up to the specified 'max_combinations'), and adding the following settings object to the engine settings (see SettingsFile.md for more details):

"test_combinations_settings": {
    "query_param_combinations": {
        "max_combinations": 50,
        "param_kind": "optional"
    }
}

Thanks,

Marina
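One way to check, after a run with the settings above, that every present/absent combination of the optional query parameters was actually sent (an added example, not part of the thread and not RESTler code). The request lines are constructed samples rather than RESTler's log format, the function names are hypothetical, and counting each subset as one combination against `max_combinations` is an assumption.

```python
import itertools
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines (not real RESTler output).
SAMPLE_LINES = [
    "GET /users HTTP/1.1",
    "GET /users?optionalParam1=a HTTP/1.1",
    "GET /users?optionalParam1=a&optionalParam2=b HTTP/1.1",
    "POST /users?optionalParam2=b HTTP/1.1",  # other method, must be ignored
]

def all_subsets(optional_params):
    """Every present/absent combination of the optional parameters."""
    return [frozenset(c)
            for r in range(len(optional_params) + 1)
            for c in itertools.combinations(optional_params, r)]

def observed_subsets(request_lines, method, path, optional_params):
    """Sets of optional parameters that appeared together in a matching request."""
    wanted, seen = set(optional_params), set()
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != method:
            continue
        url = urlsplit(parts[1])
        if url.path != path:
            continue
        # keep_blank_values so a bare "?optionalParam" still counts as present
        names = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        seen.add(frozenset(names & wanted))
    return seen

def coverage_report(request_lines, method, path, optional_params, max_combinations):
    expected = all_subsets(optional_params)
    seen = observed_subsets(request_lines, method, path, optional_params)
    return {
        # Assumption: each subset counts as one combination against the cap.
        "cap_sufficient": len(expected) <= max_combinations,
        "missing": [sorted(s) for s in expected if s not in seen],
    }

if __name__ == "__main__":
    print(coverage_report(SAMPLE_LINES, "GET", "/users",
                          ["optionalParam1", "optionalParam2"], 50))
```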

Marcondiro commented 7 months ago

Thanks a lot @marina-p! 🙂 Is there anything similar for the payload as well? My goal would be to have both: