Can RESTler detect other status codes than 500?

microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.

MIT License

2.61k stars 303 forks source link

Can RESTler detect other status codes than 500? #892

Open henning410 opened 6 months ago

henning410 commented 6 months ago

Description

I have some test API with endpoint GET /testStatusCode. In the OAS is defined, that this endpoint will return 200 or 400 status code. Instead, I implemented my API to always return 403. Other fuzzers can detect this difference between real status code and specified status code as bug. What about RESTler? Is this possible?

Thanks for your great work so far :)

SilvanD commented 6 months ago

I believe there's no looking for difference between OAS and real answers (since I don't see any reference to response codes in compilation results), but you can detect specified codes with "custom_bug_codes" in user settings file. At least that's what I do in my project detecting both 200 and 5** codes.

Please refer to: https://github.com/microsoft/restler-fuzzer/blob/main/docs/user-guide/SettingsFile.md