microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Replay not using AUTHORIZATION TOKEN from token_refresh_command #848

Open marcindulak opened 5 months ago

marcindulak commented 5 months ago

Description

It appears that the replay of bugs doesn't use the AUTHORIZATION TOKEN when the token is provided using the --token_refresh_command and --token_refresh_interval parameters.

The token is used as expected, and confirmed to be valid, when the bug_buckets/*.replay.txt is modified by hand to replace AUTHORIZATION TOKEN by Authorization: Bearer RealTokenHere.

Steps to reproduce

These are not really reproduction steps; I hope someone will be able to confirm this using a project with an Authorization: Bearer token.

I'm running a replay of a bug found by the fuzzer

/RESTler/restler/Restler replay --host app --target_port 8000 --grammar_file Compile/grammar.py \
   --dictionary_file Compile/dict.json --settings Compile/engine_settings.json --no_ssl \
   --token_refresh_command 'sh /usr/src/restler-fuzzer/authentication_token.sh' --token_refresh_interval 10800 \
   --replay_log Fuzz/RestlerResults/experiment525/bug_buckets/PayloadBodyChecker_500_1.replay.txt

The main contents of Fuzz/RestlerResults/experiment525/bug_buckets/PayloadBodyChecker_500_1.replay.txt are

-> PUT /api/v1/seed HTTP/1.1\r\nAccept: application/json\r\nHost: app\r\nContent-Type: application/json\r\nAUTHORIZATION TOKEN\r\n\r\nfalse
! producer_timing_delay 0
! max_async_wait_time 0
PREVIOUS RESPONSE: 'HTTP/1.1 500 Internal Server Error\r\ndate:  ...

The contents of /usr/src/restler-fuzzer/authentication_token.sh are

echo {'id':{}}
echo Authorization: Bearer RealTokenHere

If I replace AUTHORIZATION TOKEN with Authorization: Bearer RealTokenHere in the bug_buckets/*.replay.txt, then the bug replays as expected.

Expected results

Starting task Replay...
Using python: 'python3' (Python 3.11.6)
Task Replay succeeded.
Collecting logs...

Actual results

When using AUTHORIZATION TOKEN with --token_refresh_command and --token_refresh_interval, the fuzzer logs the following on screen

Starting task Replay...
Using python: 'python3' (Python 3.11.6)

ERROR: Restler engine failed. See logs in /usr/src/restler-fuzzer/Replay directory for more information. 

Task Replay failed.
Collecting logs...

and /usr/src/restler-fuzzer/Replay/EngineStdOut.txt contains

Failed to play sequence from log:
A valid authorization token was expected.
Retry with a token refresh script in the settings file or update the request in the replay log with a valid authorization token.

Environment details

PRETTY_NAME="Alpine Linux v3.18"; Python 3.11.6; No .NET SDKs were found; RESTler version: 9.2.3; https://github.com/microsoft/restler-fuzzer/commit/aef01a5a76c297c93645b93e471f65c97dde8807

marcindulak commented 5 months ago

Tried to debug, and in /RESTler/engine/engine/core/request_utilities.py added some debug prints:

# Debug prints added by hand. latest_token_value and latest_shadow_token_value
# are not defined in this snippet; they come from the surrounding file.
def replace_auth_token(data, replace_str):
    print("replace_auth_token", data)
    print("replace_str", replace_str)
    if data:
        if latest_token_value:
            print("latest_token_value", latest_token_value)
            data = data.replace(latest_token_value.strip('\r\n'), replace_str)
        if latest_shadow_token_value:
            print("latest_shadow_token_value", latest_shadow_token_value)
            data = data.replace(latest_shadow_token_value.strip('\r\n'), replace_str)
    print("data", data)
    return data

This results in the following output of cat /usr/src/restler-fuzzer/Replay/EngineStdOut.txt

replace_auth_token Will refresh token: sh /usr/src/restler-fuzzer/authentication_token.sh
replace_str _OMITTED_AUTH_TOKEN_
latest_token_value NO-TOKEN-SPECIFIED

latest_shadow_token_value NO-SHADOW-TOKEN-SPECIFIED

Failed to play sequence from log:
A valid authorization token was expected.
Retry with a token refresh script in the settings file or update the request in the replay log with a valid authorization token.

marcindulak commented 2 months ago

@marina-p

DarkTinia commented 2 months ago

I also encountered the same problem. When I set cmd it fails to replay but when I change AUTHORIZATION TOKEN it replays fine.
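
The manual workaround described in this thread (putting the real header in place of AUTHORIZATION TOKEN in a copy of the replay log), as an added Python example that is not part of the issue or of RESTler's own code. It assumes the token script prints one metadata line followed by one header line, as the script in the issue does; all function names are hypothetical and the sample inputs are constructed.

```python
import os
import shlex
import subprocess

PLACEHOLDER = "AUTHORIZATION TOKEN"  # literal marker in the replay log quoted in the issue

# Constructed samples modelled on the issue; the token value is a dummy.
SAMPLE_TOKEN_OUTPUT = "{'id': {}}\nAuthorization: Bearer RealTokenHere\n"
SAMPLE_LOG = (
    r"-> PUT /api/v1/seed HTTP/1.1\r\nHost: app\r\nAUTHORIZATION TOKEN\r\n\r\nfalse" "\n"
    "! producer_timing_delay 0\n"
    "! max_async_wait_time 0\n"
)


def run_token_command(command):
    """Run the refresh command without a shell and return its stdout."""
    done = subprocess.run(shlex.split(command), capture_output=True, text=True, check=True)
    return done.stdout


def header_from_token_output(output):
    """Skip the first (metadata) line and return the header line that follows it."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if len(lines) < 2 or ":" not in lines[1]:
        raise ValueError("expected a metadata line, then a 'Name: value' header line")
    header = lines[1]
    # The log stores CR/LF as literal backslash escapes; reject them so the
    # token output cannot add extra header lines to the replayed request.
    if "\\r" in header or "\\n" in header:
        raise ValueError("header contains an escaped line break")
    return header


def fill_placeholder(log_text, header):
    """Replace the marker in request lines ('-> ...') only; return (text, count)."""
    out, count = [], 0
    for line in log_text.splitlines(keepends=True):
        if line.startswith("-> ") and PLACEHOLDER in line:
            line = line.replace(PLACEHOLDER, header)
            count += 1
        out.append(line)
    return "".join(out), count


def write_private(path, text):
    """Create the token-bearing copy owner-only; O_EXCL refuses to reuse an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as handle:
        handle.write(text)
```

The filled copy contains a live credential, so write it outside the bug_buckets directory, keep it out of anything attached to a bug report, and delete it after the replay.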