microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

OAuth 2.0 Authentication using bearer token #843

Open SunithaShivananjaiah opened 7 months ago

SunithaShivananjaiah commented 7 months ago

Description

How do I do OAuth 2.0 kind of authentication? Here we have a client ID and key using which a bearer token is generated. Please keep me posted ASAP.

marina-p commented 6 months ago

Hello @SunithaShivananjaiah,

Generating tokens for RESTler is done through a custom script or program you provide, and the token can be passed to RESTler in several ways, as described in SettingsFile.md (see the 'Authentication' section). Below is an example Python script and settings which you can copy-paste into engine_settings.json to configure RESTler to use the auth token. In the data settings dictionary, specify any parameters you'd like to pass into the script (such as the client ID, and any additional settings to retrieve the secret).

```json
  "authentication": {
    "token": {
      "module": {
        "file": "/path/to/auth.py",
        "function": "acquire_token",
        "data": {
          "client_id": "<GUID>",
          ...
        }
      },
      "token_refresh_interval": 300
    },
```

```python
def acquire_token(data, log):
    # 'data' is the dictionary from the "data" setting above; 'log' is RESTler's logger.
    token = gen_token(data)  # implementation to retrieve the token (you provide gen_token)
    token_lines = [
        "{'user1':{}}",               # first line: the user(s) the token applies to
        f"Authorization: {token}"     # following lines: headers RESTler adds to requests
    ]
    return "\n".join(token_lines)
```

Thanks,

Marina
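A complete auth module in the shape Marina describes, added here as an example and not code from RESTler or from this thread: it reads the client credentials from the `data` settings dictionary, obtains a token with an OAuth 2.0 client-credentials grant, and returns the two-line token format RESTler expects. The `token_url` and `resource` keys in `data`, and the `opener` parameter used to run it offline, are assumptions.

```python
import json
import urllib.parse
import urllib.request


def fetch_client_credentials_token(data, opener=urllib.request.urlopen):
    """POST a client_credentials grant to data['token_url'] and return access_token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": data["client_id"],
        "client_secret": data["client_secret"],
        "resource": data.get("resource", ""),   # assumed optional audience parameter
    }).encode()
    req = urllib.request.Request(
        data["token_url"], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        payload = json.loads(resp.read().decode())
    return payload["access_token"]


def format_restler_token(token, user="user1", scheme="Bearer"):
    """RESTler token format: a user dict on line 1, then one header line per request header."""
    return "\n".join([f"{{'{user}':{{}}}}", f"Authorization: {scheme} {token}"])


def acquire_token(data, log, opener=urllib.request.urlopen):
    """Entry point named in engine_settings.json ("function": "acquire_token")."""
    try:
        token = fetch_client_credentials_token(data, opener)
    except Exception as exc:
        log(f"token acquisition failed: {exc!r}")   # never log the secret or the token
        raise
    log("token acquired (value redacted)")
    return format_restler_token(token)


class _FakeResponse:
    """Constructed stand-in for the token endpoint so the module runs offline."""
    def __init__(self, body): self._body = body
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def fake_opener(req):
    assert req.get_method() == "POST" and b"grant_type=client_credentials" in req.data
    return _FakeResponse(b'{"access_token": "constructed-token", "token_type": "Bearer"}')


if __name__ == "__main__":
    sample = {"client_id": "<CLIENT_ID>", "client_secret": "<CLIENT_SECRET>",
              "token_url": "https://login.example.test/oauth2/token"}
    print(acquire_token(sample, print, opener=fake_opener))
```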

SunithaShivananjaiah commented 6 months ago

Hi @marina-p,

Thank you for your input. I have updated the authentication info in engine-settings.json as below, and the data file as below, but I am getting an exception: "Cannot deserialize mutations dictionary: An exception occurred during deserialization: Newtonsoft.Json.JsonSerializationException: Could not find member"

Code snippet: engine.settings.json

```json
{
  "per_resource_settings": {},
  "max_combinations": 20,
  "authentication": {
    "token": {
      "module": {
        "file": "C:/restler_bin/restler/demo_server_config/acquire_token.py",
        "function": "acquire_token",
        "data": {
          "client_id": "client_id",
          "client_secret": "client_secret"
        }
      },
      "token_refresh_interval": 600
    }
  }
}
```

dict.json:

```json
{
  "restler_fuzzable_string": [ "fuzzstring" ],
  "restler_fuzzable_string_unquoted": [],
  "restler_fuzzable_datetime": [ "2019-06-26T20:20:39+00:00" ],
  "restler_fuzzable_datetime_unquoted": [],
  "restler_fuzzable_date": [ "2019-06-26" ],
  "restler_fuzzable_date_unquoted": [],
  "restler_fuzzable_uuid4": [ "566048da-ed19-4cd3-8e0a-b7e0e1ec4d72" ],
  "restler_fuzzable_uuid4_unquoted": [],
  "restler_fuzzable_int": [ "1" ],
  "restler_fuzzable_number": [ "1.23" ],
  "restler_fuzzable_bool": [ "true" ],
  "restler_fuzzable_object": [ "{ \"fuzz\": false }" ],
  "restler_custom_payload": {},
  "restler_custom_payload_unquoted": {},
  "restler_custom_payload_uuid4_suffix": {},
  "restler_custom_payload_header": {},
  "restler_custom_payload_query": {},
  "client_id": [ "8975382c86-3b8e-4600-861d-f9bf130fef6b" ],
  "client_id1": [ "67882c86-3b8e-4600-861d-f9bf130fef6b" ],
  "client_secret": [ "4m68Q~eJ5BsRSrb~BYVGsdufeihsOgPJWtEF7" ],
  "resource": [ "67882c86-3b8e-4600-861d-f9bf130fef" ],
  "grant_type": [ "client_credentials" ]
}
```

I used dummy data for posting here. Please check and let me know if any correction is needed.

Logs:

```text
Cannot deserialize mutations dictionary: An exception occurred during deserialization: Newtonsoft.Json.JsonSerializationException: Could not find member 'client_id' on object of type 'MutationsDictionary'. Path 'client_id', line 35, position 16.
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.ResolvePropertyAndCreatorValues(JsonObjectContract contract, JsonProperty containerProperty, JsonReader reader, Type objectType)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObjectUsingCreatorWithParameters(JsonReader reader, JsonObjectContract contract, JsonProperty containerProperty, ObjectConstructor`1 creator, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateNewObject(JsonReader reader, JsonObjectContract objectContract, JsonProperty containerMember, JsonProperty containerProperty, String id, Boolean& createdFromNonDefaultCreator)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
   at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonSerializer.Deserialize(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
   at Restler.ResultsAnalyzer.Analyze.Main.dictionarySuffixes$cont@54(String dictionaryFilePath, Unit unitVar) in C:\Restler_Security_VSCode\restler-fuzzer\src\ResultsAnalyzer\Analyze\Main.fs:line 54
```
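The exception above names the extra top-level keys as the problem: the mutations dictionary deserializes into a fixed `MutationsDictionary` type, so auth parameters such as `client_id` belong in the auth module's `data` settings, not in dict.json. The following pre-flight check, added here as an example and not part of this thread or of RESTler, splits a dictionary file into the keys RESTler recognizes and the strays that should move to engine settings. The allowed-key list is taken from the dict.json posted above and is assumed to be complete only for this thread, not for every RESTler version.

```python
import json

# Keys seen in the dict.json posted in this thread (assumed allowed set, not the full schema).
KNOWN_DICT_KEYS = frozenset({
    "restler_fuzzable_string", "restler_fuzzable_string_unquoted",
    "restler_fuzzable_datetime", "restler_fuzzable_datetime_unquoted",
    "restler_fuzzable_date", "restler_fuzzable_date_unquoted",
    "restler_fuzzable_uuid4", "restler_fuzzable_uuid4_unquoted",
    "restler_fuzzable_int", "restler_fuzzable_number", "restler_fuzzable_bool",
    "restler_fuzzable_object", "restler_custom_payload",
    "restler_custom_payload_unquoted", "restler_custom_payload_uuid4_suffix",
    "restler_custom_payload_header", "restler_custom_payload_query",
})

# Constructed sample mirroring the shape of the posted dict.json (placeholder values).
SAMPLE_DICT_JSON = """{
  "restler_fuzzable_string": [ "fuzzstring" ],
  "restler_custom_payload": {},
  "client_id": [ "<CLIENT_ID>" ],
  "client_secret": [ "<CLIENT_SECRET>" ],
  "resource": [ "<RESOURCE>" ],
  "grant_type": [ "client_credentials" ]
}"""


def unknown_dictionary_keys(text):
    """Return the sorted top-level keys a MutationsDictionary would reject."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("mutations dictionary must be a JSON object")
    return sorted(k for k in obj if k not in KNOWN_DICT_KEYS)


def split_dictionary(text):
    """Split into (clean dict.json object, auth 'data' dict for engine settings).

    Single-element lists collapse to scalars, since the auth module receives
    plain values in 'data'; anything else is passed through unchanged.
    """
    obj = json.loads(text)
    strays = unknown_dictionary_keys(text)
    clean = {k: v for k, v in obj.items() if k not in strays}
    data = {k: (obj[k][0] if isinstance(obj[k], list) and len(obj[k]) == 1 else obj[k])
            for k in strays}
    return clean, data


if __name__ == "__main__":
    clean, data = split_dictionary(SAMPLE_DICT_JSON)
    print("move to authentication.token.module.data:", json.dumps(data, indent=2))
    print("keep in dict.json:", json.dumps(clean, indent=2))
```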