microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Token Refresh Interval is not working under Proxy #890

Open tteeze opened 2 months ago

tteeze commented 2 months ago

Description

I was able to run a fuzz scan with the authentication method the first time. After my token expired, I encountered the following error; the token didn't refresh as expected and the fuzzing scan stopped.

Authentication failed when refreshing token:

Using Token authentication method: TokenAuthMethod.MODULE with error HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: (Caused by ProxyError('Unable to connect to proxy', NewConnectionError(': Failed to establish a new connection: Socket error: 503: Service Unavailable\n')))

Sample output of the Auth Token from network.auth:

```
Returning a valid token {u'app1': {}, u'app2': {}}
Authorization: Bearer Token 1
---
Authorization: Bearer Token 2
```

Steps to reproduce

engine_settings.json

```json
"authentication": {
    "token": {
        "module": {
            "file": "/auth_module.py",
            "function": "acquire_token_data",
            "data": {}
        },
        "token_refresh_interval": 1000
    }
},
```

auth_module.py

```python
import os
import requests


def acquire_token_data(data, log):
    endpoint = os.getenv("ENDPOINT")

    # placeholder proxy URLs as posted
    proxies = {'http': 'proxy1', 'https': 'proxy2'}

    # local name changed from `data` so the settings' "data" argument is not shadowed
    form = {"username": os.getenv("USERNAME"),
            "password": os.getenv("PASSWORD"),
            "grant_type": os.getenv("GRANT_TYPE"),
            "scope": os.getenv("SCOPE"),
            "client_id": os.getenv("CLIENT_ID"),
            "client_secret": os.getenv("CLIENT_SECRET"),
            }

    headers = {"content-type": "application/x-www-form-urlencoded"}

    response = requests.post(endpoint, data=form, headers=headers, proxies=proxies)
    response.raise_for_status()  # surface non-2xx answers from the token endpoint
    json_response = response.json()
    access_token = json_response.get("access_token")

    # the posted snippet referenced undefined names a_access_token / b_access_token;
    # the one token obtained above is used for both apps here
    a_access_token = b_access_token = access_token

    # RESTler multi-app token format: dict of app names, then each app's headers separated by "---"
    token_lines = [
        "{u'app1': {}, u'app2': {}}",
        f"Authorization: Bearer {a_access_token}",
        "---",
        f"Authorization: Bearer {b_access_token}",
    ]
    token_lines = "\n".join(token_lines)

    log(f"Returning a valid token {token_lines}")

    return token_lines
```

Expected results

Refresh the token within the command and proceed with the fuzzing scan.

Actual results

Authentication failed when refreshing token:

Using Token authentication method: TokenAuthMethod.MODULE with error HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: (Caused by ProxyError('Unable to connect to proxy', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7d969852f820>: Failed to establish a new connection: Socket error: 503: Service Unavailable\n')))

Environment details

No response
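Added example, not RESTler's own code and not the reporter's module: a token module for the `authentication.token.module` setting that retries the token request with backoff when the proxy is unreachable (the 503 `ProxyError` in the report) instead of failing the run, builds the multi-app token text in the same format the reporter's log shows, and logs the refresh outcome rather than the bearer token itself. The `ENDPOINT`, `HTTP_PROXY`/`HTTPS_PROXY` and OAuth form environment variable names, the `apps` key in the settings `data` object, the retry count, and the injectable `post`, `sleep` and `env` parameters (there so the module can be exercised offline) are assumptions, not part of the issue or RESTler's documented interface.

```python
"""Hypothetical RESTler token module: retries transport/proxy failures and
builds the multi-app token block.  Not RESTler's code; names of environment
variables, the "apps" data key and the injectable parameters are assumptions."""
import json
import os
import time
import urllib.parse
import urllib.request

# OAuth form fields read from the environment when present (assumed variable names)
FORM_FIELDS = ("username", "password", "grant_type", "scope", "client_id", "client_secret")


def post_form(url, form, proxies):
    """Default transport: stdlib urllib with an explicit proxy map.
    Raises OSError (urllib.error.URLError is a subclass) on proxy/connection failure."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with opener.open(req, timeout=30) as resp:
        return json.load(resp)


def fetch_token_with_retry(url, form, proxies, post=post_form, attempts=3, backoff=1.0, sleep=time.sleep):
    """Request an access token, retrying transport errors with exponential backoff.
    A proxy answering 503 surfaces as an OSError from the transport (the failure
    mode in the issue); a well-formed response without access_token is not retried."""
    last_err = None
    for i in range(attempts):
        try:
            payload = post(url, form, proxies)
        except OSError as err:
            last_err = err
            if i + 1 < attempts:
                sleep(backoff * (2 ** i))
            continue
        token = payload.get("access_token")
        if not token:
            raise ValueError("token endpoint returned no access_token")
        return token
    raise RuntimeError(f"token refresh failed after {attempts} attempts: {last_err}")


def format_restler_tokens(app_tokens):
    """Build the multi-app token text RESTler reads: a dict of app names on the
    first line, then each app's header lines, separated by a line containing '---'."""
    apps = list(app_tokens)
    header = "{" + ", ".join(f"u'{app}': {{}}" for app in apps) + "}"
    blocks = [f"Authorization: Bearer {app_tokens[app]}" for app in apps]
    return header + "\n" + "\n---\n".join(blocks)


def acquire_token_data(data, log, post=post_form, sleep=time.sleep, env=os.environ):
    """Entry point named by "function" in engine_settings.json.  `data` is the
    settings' "data" object and `log` the logger RESTler passes in."""
    endpoint = env["ENDPOINT"]
    # explicit proxy map for the token request; an empty map means a direct connection
    proxies = {s: env[v] for s, v in (("http", "HTTP_PROXY"), ("https", "HTTPS_PROXY")) if env.get(v)}
    form = {f: env[f.upper()] for f in FORM_FIELDS if f.upper() in env}
    apps = data.get("apps", ["app1"])  # assumed setting: one token per listed app
    tokens = {app: fetch_token_with_retry(endpoint, form, proxies, post=post, sleep=sleep) for app in apps}
    # log the outcome, never the bearer token: the reporter's module wrote the token to the log
    log(f"refreshed {len(tokens)} token(s) for {', '.join(apps)} via proxies {sorted(proxies)}")
    return format_restler_tokens(tokens)
```

With `token_refresh_interval` set, RESTler calls `acquire_token_data` again on every refresh, so a single transient proxy outage at that moment is what kills the run; the retry loop absorbs it, while a token endpoint that answers cleanly without an `access_token` is reported immediately because retrying would not help.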