Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request for Guidance: Writing a Functional Fuzzer for OpenAPI Specs with Missing Keys #81

Closed
beam-me-up opened this issue Sep 12, 2023 · 5 comments
Closed

Request for Guidance: Writing a Functional Fuzzer for OpenAPI Specs with Missing Keys #81

beam-me-up opened this issue Sep 12, 2023 · 5 comments
Labels
question Further information is requested

Comments

@beam-me-up
Copy link

I'm interested in learning how to write a functional fuzzer for OpenAPI specifications that lack keys. To illustrate, I have provided a sample OpenAPI spec below:

/users:
    post:
      description: This API is used to get the list of users based on the input data.
      requestBody:
        content:
          application/json:
            schema:
              type: string
        required: true

In this example, the OpenAPI spec is missing keys that are typically present. I would greatly appreciate some guidance or best practices on how to approach fuzzing such specifications effectively.
@en-milie
Copy link
Contributor

I'm not sure I understand the question. Can you please provide additional context with a more detailed example.

@beam-me-up
Copy link
Author

Sure @en-milie, here is the curl command sample for the above request.

curl --location --request POST 'http://localhost:8080/users' \
--header 'Content-Type: application/json' \
--data-raw '"dGVzdERhdGE="'

This is a valid body. As a content-type as json, the body is expected to have a JSON object, array or literal.

@en-milie en-milie added the question Further information is requested label Nov 16, 2023
@en-milie
Copy link
Contributor

en-milie commented Jan 10, 2024
edited
Loading

Hi @beam-me-up. I want to resume this issue. And want to check if my understanding is correct. You would like to be able to check if a certain request body is missing fields that you would typically expect? And deduct this from the endpoint name and http method? Or specify the expected fields in the functional fuzzer file?
It will help if you can provide a full example, like:

  • a full OpenAPI sample spec
  • what additional data you would expect to feed CATS with, either via the functional fuzzer file or arguments
  • what would you expect the output of CATS to be

Thanks!

@beam-me-up
Copy link
Author

Hi @en-milie,

Apologies for the delay.

For a request like this:

curl --location --request POST 'http://localhost:8080/users' \
--header 'Content-Type: application/json' \
--data-raw '"dGVzdERhdGE="'

If there's no JSON payload and only raw content in the body, I was curious if Functional Fuzzer supports testing this scenario. It's not a mandatory requirement. A simple "yes" or "no" response would be sufficient, and we can close this accordingly.

@en-milie
Copy link
Contributor

Currently it's a 'no'.

@en-milie en-milie closed this as completed Feb 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@beam-me-up @en-milie