In [1]:
from fuzzingbook.GeneratorGrammarFuzzer import ProbabilisticGeneratorGrammarFuzzer
from fuzzingbook.APIFuzzer import ASCII_STRING_GRAMMAR
from fuzzingbook.GrammarFuzzer import GrammarFuzzer
from fuzzingbook.Grammars import *
from dotenv import load_dotenv
from tqdm import tqdm
import requests
import socket
import json
import os

In [2]:
def get_ip_adress():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.connect(("8.8.8.8", 80))
    result = s.getsockname()[0]
    s.close()

    return result


get_ip_adress()

'192.168.0.113'

In [3]:
# Load environment variables
load_dotenv()

# Get the host URL
host_url = f"http://{get_ip_adress()}:2283"

# Get the bearer token
BEARER_TOKEN = os.getenv('BEARER_TOKEN')
BEARER_TOKEN

'CaJCvjxWF5BSEyitQYkdQBFRvmVKvXj1bkkvews44'

# Grammar


In [140]:
import string

BEARER_TOKEN_GRAMMAR = {
    "<start>": ["<token>"],
    "<token>": [("<base64>", opts(prob=0)), ("<base64>.<base64>.<base64>", opts(prob=1)), ("<malformed_token>", opts(prob=0))],
    "<base64>": ["<chars>", "<chars>=*", "<chars>=="],
    "<chars>": ["<letter>", "<letter><chars>", "<digit>", "<digit><chars>"],
    "<letter>": srange(string.ascii_lowercase + string.ascii_uppercase),
    "<digit>": crange('0', '9'),
    "<malformed_token>": ["!", "$%^", "<chars>.", "<chars><chars>", ""]
}

assert is_valid_grammar(BEARER_TOKEN_GRAMMAR)

In [4]:
UUID_GRAMMAR = {
    "<start>": ["<uuid>"],
    "<uuid>": ["<hex8>-<hex4>-<version>-<variant>-<hex12>"],
    "<hex8>": ["<hex><hex><hex><hex><hex><hex><hex><hex>"],
    "<hex4>": ["<hex><hex><hex><hex>"],
    "<version>": ["4<hex><hex><hex>"],  # Version 4 UUID
    # Variant 1
    "<variant>": ["8<hex><hex><hex>", "9<hex><hex><hex>", "a<hex><hex><hex>", "b<hex><hex><hex>"],
    "<hex12>": ["<hex><hex><hex><hex><hex><hex><hex><hex><hex><hex><hex><hex>"],
    "<hex>": ["<digit>", "<hexdigit>"],
    "<digit>": ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9"],
    "<hexdigit>": ["a", "b", "c", "d", "e", "f"]
}

assert is_valid_grammar(UUID_GRAMMAR)

# Functions


In [5]:
import uuid


def is_valid_uuid(uuid_to_test, version=4):
    try:
        uuid.UUID(uuid_to_test, version=version)
    except ValueError:
        return False
    return True

### À partir de cette partie, nous avons défini des sections pour chaque endpoint que nous avons testé. La plus intérresante est "Get Api Key".


# Seach Smart


In [173]:
def searchSmart(url, BEARER_TOKEN, query):
    payload = json.dumps({
        "query": query,
    })

    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': f'Bearer {BEARER_TOKEN}'
    }

    return requests.request("POST", url, headers=headers, data=payload)

- Une recherche se fait peu importe l'entrée de la query.
- Gère les strings vide, c'est bien
- Les caractères spéciaux ne changent rien, la recherche se fait quand meme, et ca renvoi les assets disponibles.


In [None]:
url = f"{host_url}/api/search/smart"
query = ProbabilisticGeneratorGrammarFuzzer(ASCII_STRING_GRAMMAR).fuzz()

print(query)
mutation_fuzzer = MutationFuzzer(seed=[query])
fuzz = [mutation_fuzzer.fuzz() for _ in range(10)][-1]

response = searchSmart(url, BEARER_TOKEN, fuzz)
response.json()

# Download Archive


In [186]:
def downloadArchive(url, BEARER_TOKEN, assets_id):
    payload = json.dumps({
        "assetIds": [
            assets_id
        ]
    })
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/octet-stream',
        'Authorization': f'Bearer {BEARER_TOKEN}'
    }

    return requests.request("POST", url, headers=headers, data=payload)

- Bonne gestion de l'UUID
- Bonne gestion d'asset non trouvé lorsque l'UUID est valide

--> Pas de crash ou de comportement inattendu


In [None]:
url = f"{host_url}/api/download/archive"

for _ in enumerate(tqdm(range(100))):
    seed_input = GrammarFuzzer(UUID_GRAMMAR).fuzz()
    mutation_fuzzer = MutationFuzzer(seed=[seed_input])
    fuzz = [mutation_fuzzer.fuzz() for _ in range(100)][-1]

    response = downloadArchive(url, BEARER_TOKEN, assets_id=fuzz)
    print(response.json())

# Get API Key


In [7]:
def get_api_key(url, BEARER_TOKEN):
    payload = {}
    headers = {
        'Accept': 'application/json',
        'Authorization': f'Bearer {BEARER_TOKEN}'
    }

    return requests.request("GET", url, headers=headers, data=payload)

In [9]:
def APIKeyFuzzer():
    # Generate UUID from grammar
    seed_input = GrammarFuzzer(UUID_GRAMMAR).fuzz()

    # Mutate de UUID
    mutation_fuzzer = MutationFuzzer(seed=[seed_input])
    fuzz = [mutation_fuzzer.fuzz() for i in range(10)][-1]

    # Get the API key
    url = f"{host_url}/api/api-keys/{fuzz}"
    response = get_api_key(url, BEARER_TOKEN)
    response.json()

    # print(fuzz)
    # print(response.status_code)

    return response, fuzz, seed_input
# ?eb395150-70a8-4le-8eda-96ebaac0d4+74 # Invalid UUID but passes the API key endpoint

This fuzz pass the endpoint but it's not a UUID. For example: ?eb395150-70a8-4le-8eda-96ebaac0d4+74


In [None]:
for _ in enumerate(tqdm(range(10000))):
    # Fuzz the API
    result, fuzz, seed = APIKeyFuzzer()
    # Oracle check
    if result.status_code == 200 and not is_valid_uuid(fuzz):
        print("Seed:", seed)
        print("Unvalid UUID:", fuzz)
        print("Passed the API Endpoint with status code:", result.status_code)
        print("And return the API Keys:\n", result.json())
        break

  1%|          | 78/10000 [00:01<03:38, 45.42it/s]

Seed: 3fc11395-d5d5-42a8-b31e-52dbd430dfdb
Unvalid UUID: #fk11395-d5d5-n2a8-b3.9e-52dd430e@fd
Passed the API Endpoint with status code: 200
And return the API Keys:
 [{'id': 'c0bae82a-5600-407f-ac7b-93a12c80aa76', 'name': 'stringefef', 'createdAt': '2025-01-04T10:03:56.795Z', 'updatedAt': '2025-01-04T10:03:56.795Z', 'permissions': ['all']}, {'id': '7caefc54-c553-4324-8bcc-8046740ab449', 'name': 'string', 'createdAt': '2025-01-04T10:03:27.742Z', 'updatedAt': '2025-01-04T10:03:27.742Z', 'permissions': ['all']}, {'id': '9930e98b-eec6-42c1-a8a9-175ed4e96013', 'name': 'Clé API 2', 'createdAt': '2025-01-04T09:59:06.287Z', 'updatedAt': '2025-01-04T09:59:06.287Z', 'permissions': ['all']}, {'id': '09115fc9-ce66-4f89-bc98-e2b62b93bd3b', 'name': 'Clé API', 'createdAt': '2025-01-03T17:53:11.144Z', 'updatedAt': '2025-01-03T17:53:20.072Z', 'permissions': ['all']}, {'id': '9431dea8-5857-45fa-9f93-709b9c8adfad', 'name': 'string', 'createdAt': '2025-01-02T12:39:40.168Z', 'updatedAt': '2025-01-02T12:39:




# Create Activity


In [236]:
def globalCreateActivityFuzzer(function):
    for _ in enumerate(tqdm(range(10000))):
        # Fuzz the API
        response = function()
        # Oracle check
        if response.status_code == 201:
            print("Unvalid fuzz:", fuzz)
            print("Passed the API Endpoint with status code:", result.status_code)
            print("And return:\n", result.json())
            break

In [234]:
def createActivity(url, BEARER_TOKEN, comment, type, assetId, albumId):
    payload = json.dumps({
        "albumId": assetId,
        "assetId": albumId,
        "comment": comment,
        "type": type
    })

    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': f'Bearer {BEARER_TOKEN}'
    }

    return requests.request("POST", url, headers=headers, data=payload)

Pour type:

- gère la vérification de la valeur, si c'est bien "comment" ou "like"

Pour Comment:

- rien à signaler, n'importe quel commentaire est accepté

Pour assetId & albumId:

- Bonne gestion/verification de l'UUID


In [215]:
url = f"{host_url}/api/activities"

Check type


In [238]:
type_fuzz = ProbabilisticGeneratorGrammarFuzzer(ASCII_STRING_GRAMMAR).fuzz()

comment_fuzz = ProbabilisticGeneratorGrammarFuzzer(ASCII_STRING_GRAMMAR).fuzz()
mutation_comment = MutationFuzzer(seed=[comment_fuzz])
comment_fuzz = [mutation_comment.fuzz() for _ in range(10)][-1]

valid_assetId = GrammarFuzzer(UUID_GRAMMAR).fuzz()
valid_albumId = GrammarFuzzer(UUID_GRAMMAR).fuzz()

globalCreateActivityFuzzer(lambda: createActivity(url, BEARER_TOKEN,
                                                  comment_fuzz, type_fuzz, valid_assetId, valid_albumId))

100%|██████████| 10000/10000 [01:06<00:00, 150.05it/s]


Check comment


In [239]:
type = random.choice(["comment", "like"])
valid_assetId = GrammarFuzzer(UUID_GRAMMAR).fuzz()
valid_albumId = GrammarFuzzer(UUID_GRAMMAR).fuzz()

comment_fuzz = ProbabilisticGeneratorGrammarFuzzer(ASCII_STRING_GRAMMAR).fuzz()
mutation_comment = MutationFuzzer(seed=[comment_fuzz])
comment_fuzz = [mutation_comment.fuzz() for _ in range(10)][-1]

globalCreateActivityFuzzer(lambda: createActivity(url, BEARER_TOKEN, comment_fuzz,
                                                  type, valid_assetId, valid_albumId))

100%|██████████| 10000/10000 [01:23<00:00, 119.71it/s]


Check assetId and albumId


In [240]:
type = random.choice(["comment", "like"])

assetId = GrammarFuzzer(UUID_GRAMMAR).fuzz()
albumId = GrammarFuzzer(UUID_GRAMMAR).fuzz()

mutation_assetId = MutationFuzzer(seed=[assetId])
mutation_albumId = MutationFuzzer(seed=[albumId])

assetId_fuzz = [mutation_assetId.fuzz() for _ in range(10)][-1]
albumId_fuzz = [mutation_albumId.fuzz() for _ in range(10)][-1]

globalCreateActivityFuzzer(lambda: createActivity(
    url, BEARER_TOKEN, comment_fuzz, type, assetId_fuzz, albumId_fuzz))

100%|██████████| 10000/10000 [01:18<00:00, 126.81it/s]


# Create User Admin


In [25]:
def createUserAdmin(url, BEARER_TOKEN, data):
    payload = json.dumps({
        "email": data["email"],
        "name": data["name"],
        "password": data["password"],
    })
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': f'Bearer {BEARER_TOKEN}'
    }

    return requests.request("POST", url, headers=headers, data=payload)

In [5]:
EMAIL_GRAMMAR = {
    "<start>": ["<email>"],
    "<email>": ["<name>@<domain>"],
    "<name>": ["<word>", "<word>.<name>"],
    "<domain>": ["<domainpart>.<tld>"],
    "<domainpart>": ["<word>", "<word><domainpart>"],
    "<tld>": ["com", "org", "net", "io"],
    "<word>": srange(string.ascii_lowercase),
}

assert is_valid_grammar(EMAIL_GRAMMAR)

In [146]:
NAME_GRAMMAR = {
    "<start>": ["<name>"],
    "<name>": ["<word> <word>", "<word> <name>"],
    "<word>": srange(string.ascii_lowercase),
}

assert is_valid_grammar(NAME_GRAMMAR)

In [None]:
url = f"{host_url}/api/admin/users"
i = 0
y = []
for _ in enumerate(tqdm(range(100))):
    email_fuzz = GrammarFuzzer(EMAIL_GRAMMAR).fuzz()
    name_fuzz = ProbabilisticGeneratorGrammarFuzzer(
        ASCII_STRING_GRAMMAR).fuzz()
    password_fuzz = ProbabilisticGeneratorGrammarFuzzer(
        ASCII_STRING_GRAMMAR).fuzz()

    data = {
        "email": email_fuzz,
        "name": name_fuzz,
        "password": password_fuzz,
    }

    response = createUserAdmin(url, BEARER_TOKEN, data)

    if response.status_code == 500:
        print("Error : ", response.json())
        print(data)
        break

    if response.status_code == 201:
        i += 1
    else:
        y.append(response.json()["message"])

print("User created : ", i)
print(y)

- Failed when name or password is empty string
- failed when quotasize is a fixed value


In [None]:
import requests


url = f"{host_url}/api/admin/users"

payload = {}
headers = {
    'Accept': 'application/json',
    'Authorization': 'Bearer rDw9HVorPTNJynq03q4Fm7DbF7QWtxyoCajU739OQ'
}

response = requests.request("GET", url, headers=headers, data=payload)


response.json()

# Get All albums


In [None]:
def getAllAlbums(url, BEARER_TOKEN):
    payload = {}
    headers = {
        'Accept': 'application/json',
        'Authorization': f'Bearer {BEARER_TOKEN}'
    }

    return requests.request("GET", url, headers=headers, data=payload)