Giters

lobax / APIFuzzer

Fuzz your application using you Swagger or API Blueprint definition without coding

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Join the chat at https://gitter.im/API-Fuzzer/Lobby Codacy Badge Maintainability Scrutinizer Code Quality Build Status Documentation Status

APIFuzzer — HTTP API Testing Framework

APIFuzzer reads your API description and step by step fuzzes the fields to validate if you application can cope with the fuzzed parameters. Does not require coding.

Supported API Description Formats

Work in progress

Installation

Fetch the most recent code from GitHub

$ git clone https://github.com/KissPeter/APIFuzzer.git

Install requirements. If you don't have pip installed, then sudo apt-get install python3-pip -y

$ pip3 install -r APIFuzzer/requirements.txt

Quick Start

Check the help (some of them are not implemented yet):

$$ python3 fuzzer.py -h
usage: fuzzer.py [-h] -s SRC_FILE [-r REPORT_DIR] [--level LEVEL]
                 [-u ALTERNATE_URL] [-t TEST_RESULT_DST]
                 [--log {critical,fatal,error,warn,warning,info,debug,notset}]
                 [--headers HEADERS]

API fuzzer configuration

optional arguments:
  -h, --help        show this help message and exit
  -s SRC_FILE, --src_file SRC_FILE
                    API definition file path
  -r REPORT_DIR, --report_dir REPORT_DIR
                    Directory where error reports will be saved. Default is
                    temporally generated directory
  --level LEVEL     Test deepness: [1,2], higher is the deeper !!!Not
                    implemented!!!
  -u ALTERNATE_URL, --url ALTERNATE_URL
                    Use CLI defined url instead compile the url from the API
                    definition. Useful for testing
  -t TEST_RESULT_DST, --test_report TEST_RESULT_DST
                    JUnit test result xml save path !!!Not implemented!!!
  --log {critical,fatal,error,warn,warning,info,debug,notset}
                    Use different log level than the default WARNING
  --headers HEADERS
                    Http request headers added to all request. Example:
                    '[{"Authorization": "SuperSecret"}, {"Auth2": "asd"}]'

Usage example:

Start the sample application (install the necessary packages listed in test/requirements_for_test.txt):
$ python3 test/test_application.py

Start the fuzzer:
$ python3 fuzzer.py -s test/test_swagger_definition.json -u http://127.0.0.1:5000/ -r /tmp/reports/ --log debug 

Check the reports:
$ ls -1 /tmp/reports/

Report example:
$ json_pp < /tmp/reports/79_1573993485.5391517.json
{
   "response" : "Test application exception: invalid literal for int() with base 10: '0\\x00\\x10'",
   "sub_reports" : [],
   "parsed_status_code" : 500,
   "state" : "COMPLETED",
   "test_number" : 79,
   "request_body" : null,
   "reason" : "failed",
   "name" : "target",
   "request_url" : "http://127.0.0.1:5000/exception/0\u0000\u0010",
   "request_method" : "GET",
   "status" : "failed",
   "request_headers" : "{\"User-Agent\": \"APIFuzzer\", \"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Connection\": \"keep-alive\"}"
}

About

Fuzz your application using you Swagger or API Blueprint definition without coding

License:MIT License

Languages

Language:Python 92.4%Language:Shell 7.6%