datatype aware fuzzing - work in progress

KissPeter · Feb 6, 2020 · db08c21 · db08c21
1 parent 0120b01
commit db08c21
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 11 deletions.
diff --git a/apifuzzer/swagger_template_generator.py b/apifuzzer/swagger_template_generator.py
@@ -1,9 +1,6 @@
 from apifuzzer.base_template import BaseTemplate
 from apifuzzer.template_generator_base import TemplateGenerator
-from apifuzzer.utils import \
-    get_sample_data_by_type, \
-    get_fuzz_type_by_param_type, \
-    transform_data_to_bytes
+from apifuzzer.utils import get_sample_data_by_type, get_fuzz_type_by_param_type, transform_data_to_bytes
 
 
 class ParamTypes(object):
@@ -25,7 +22,7 @@ def __init__(self, api_resources, logger):
 
     @staticmethod
     def normalize_url(url_in):
-        # Kitty doesn't support some characters as tempalte name so need to be cleaned, but it is necessary, so
+        # Kitty doesn't support some characters as template name so need to be cleaned, but it is necessary, so
         # we will change back later
         return url_in.strip('/').replace('/', '+')
 
@@ -40,7 +37,15 @@ def process_api_resources(self):
                     template = BaseTemplate(name=template_container_name)
                     template.url = normalized_url
                     template.method = method.upper()
-                    fuzz_type = get_fuzz_type_by_param_type(param.get('type'))
+                    type = param.get('type')
+                    format = param.get('format')
+                    if format is not None:
+                        fuzzer_type = format.lower()
+                    elif type is not None:
+                        fuzzer_type = type.lower()
+                    else:
+                        fuzzer_type = None
+                    fuzz_type = get_fuzz_type_by_param_type(fuzzer_type)
                     sample_data = get_sample_data_by_type(param.get('type'))
 
                     # get parameter placement(in): path, query, header, cookie

diff --git a/apifuzzer/utils.py b/apifuzzer/utils.py
@@ -4,6 +4,7 @@
 from binascii import Error
 from logging import Formatter
 from logging.handlers import SysLogHandler
+from random import randint
 
 from bitstring import Bits
 
@@ -20,9 +21,28 @@ def get_field_type_by_method(http_method):
 
 
 def get_fuzz_type_by_param_type(fuzz_type):
-    # TODO we should have a shallow and a deep scan. This could be the difference
-    # TODO get mutation according to a field type
-    return RandomBitsField
+    # https://kitty.readthedocs.io/en/latest/data_model/big_list_of_fields.html#atomic-fields
+    # https://swagger.io/docs/specification/data-models/data-types/
+    string_types = [RandomBitsField]
+    number_types = [RandomBitsField]
+    types = {
+        'integer': number_types,
+        'float': number_types,
+        'double': number_types,
+        'int32': number_types,
+        'int64': number_types,
+        'number': number_types,
+        'string': string_types,
+        'email': string_types,
+        'uuid': string_types,
+        'uri': string_types,
+        'hostname': string_types,
+        'ipv4': string_types,
+        'ipv6': string_types,
+        'boolean': string_types
+    }
+    fuzzer_list = types.get(fuzz_type, string_types)
+    return fuzzer_list[randint(0, len(fuzzer_list) - 1)]
 
 
 def get_sample_data_by_type(param_type):
@@ -32,8 +52,7 @@ def get_sample_data_by_type(param_type):
         u'integer': 1,
         u'number': 667.5,
         u'boolean': False,
-        u'array': ['a', 'b', 'c'],
-        # TODO sample object
+        u'array': ['a', 'b', 'c']
     }
     return types.get(param_type, b'\x00')