microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Authentication Refresh Interval Enforcement #841

Open asdfxyz135 opened 7 months ago

asdfxyz135 commented 7 months ago

Description

Hi,

thanks for the useful fuzzer and your additional resources! I'm still new to using RESTler, so hopefully my question makes sense...

I am using authentication with a set refresh interval (tokens are invalidated after a certain time if not refreshed). This seems to work great, but now I noticed that I run into a situation where the invalid value checker seems to not renew the token in time. If the checker runs longer than the refresh interval (for a specific sequence) the last x requests of that sequence all run into "403 Forbidden". After that, a new sequence is rendered and the token seems to be refreshed just fine again.

I tried reducing the refresh interval, but this does not seem to have any effect (for the above problem). For me it looks like the refresh time is not checked in between the rendering of sequences. I would have expected that the freshness of the authentication token would be checked on every request (maybe in "send_request_data()").

Now I'm wondering if I misunderstand/misconfigured RESTler (maybe a checker is not supposed to run for this long on a single sequence?) or if this is an issue that other people also encountered.

I would love to hear your input on this.

Thanks & best regards, Tina
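The behaviour described above (a token refreshed once when a sequence is rendered, then reused for every request of a long-running checker) contrasted with the per-request freshness check Tina expects, as an added example. This is illustration code, not RESTler's implementation: the `RefreshingToken` wrapper, the injectable `FakeClock`, the `FakeAuthServer` that rejects tokens older than their lifetime, and the `send_sequence` driver are all constructed for the demo.

```python
"""Per-sequence vs per-request token refresh (added illustration, not RESTler code)."""
from typing import Callable, Dict, List


class FakeClock:
    """Constructed clock so the example runs offline and deterministically."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class FakeAuthServer:
    """Constructed stand-in for the service under test.

    Tokens are accepted only while they are younger than `lifetime` seconds;
    anything older is answered with 403, as in the report.
    """

    def __init__(self, clock: Callable[[], float], lifetime: float) -> None:
        self.clock = clock
        self.lifetime = lifetime
        self.issued: Dict[str, float] = {}  # token -> issue time (constructed)
        self.next_id = 0

    def mint(self) -> str:
        """Issue a new token and remember when it was issued."""
        self.next_id += 1
        token = f"tok-{self.next_id}"
        self.issued[token] = self.clock()
        return token

    def handle(self, token: str) -> int:
        """Return the HTTP status the service would send for this token."""
        issued_at = self.issued.get(token)
        if issued_at is None or self.clock() - issued_at >= self.lifetime:
            return 403
        return 200


class RefreshingToken:
    """Caches a token and re-fetches it once `refresh_interval` seconds have passed.

    `fetch` is a hypothetical provider (e.g. an external script that mints a token);
    `now` is the injectable clock.
    """

    def __init__(self, fetch: Callable[[], str], refresh_interval: float,
                 now: Callable[[], float]) -> None:
        self.fetch = fetch
        self.refresh_interval = refresh_interval
        self.now = now
        self._token = ""
        self._issued_at = float("-inf")
        self.refresh_count = 0

    def get(self) -> str:
        """Return a token younger than the refresh interval, refreshing if needed."""
        if self.now() - self._issued_at >= self.refresh_interval:
            self._token = self.fetch()
            self._issued_at = self.now()
            self.refresh_count += 1
        return self._token


def send_sequence(request_times: List[float], refresh_interval: float,
                  token_lifetime: float, check_every_request: bool) -> List[int]:
    """Replay one sequence of requests at the given timestamps and collect statuses.

    check_every_request=False reproduces the reported behaviour: the token is
    refreshed only when the sequence starts. check_every_request=True asks the
    wrapper for a fresh token before every single request.
    """
    clock = FakeClock()
    server = FakeAuthServer(clock, token_lifetime)
    token = RefreshingToken(server.mint, refresh_interval, clock)

    clock.t = request_times[0]
    header = token.get()  # refreshed once, when the sequence is rendered
    statuses = []
    for t in request_times:
        clock.t = t
        if check_every_request:
            header = token.get()  # freshness checked per request
        statuses.append(server.handle(header))
    return statuses


if __name__ == "__main__":
    # Constructed scenario: ten requests 10 s apart, tokens live 30 s, refresh at 25 s.
    times = [float(t) for t in range(0, 100, 10)]
    print("per-sequence refresh:", send_sequence(times, 25, 30, False))
    print("per-request refresh: ", send_sequence(times, 25, 30, True))
```

With a 30-second token lifetime and a 25-second refresh interval, the per-sequence policy answers the last seven of ten requests with 403 because the checker outruns the token, while the per-request policy refreshes at 30 s, 60 s and 90 s and every request succeeds. The refresh interval must stay shorter than the server-side lifetime, otherwise the wrapper refreshes only after the service has already started rejecting the token.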

marina-p commented 6 months ago

Hello Tina,

Thank you for reporting this issue. This is a bug in the implementation of the invalid value checker - we will fix this ASAP.

Thanks,

Marina