openapi3-fuzzer

Name: openapi3-fuzzer
Version: 1.2.3
Home page: https://github.com/vwt-digital/openapi3-fuzzer/tree/master
Summary: Openapi3 fuzzer
Upload time: 2020-07-03 08:34:06
Author: VWT Digital
Requires Python: >=3.6
License: gpl-3.0
Keywords: openapi3, fuzzer, vwt
Docs URL: None
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.
# Simple fuzzer for OpenAPI 3 specification-based APIs

## What does this fuzzer do?

1. Sends various attack patterns to every path defined in an OpenAPI 3 definition file, using the OAS3 definition to populate the requests.
2. Verifies that each response matches the responses declared in the OAS3 definition file; complains and exits with status 2 if it doesn't.
3. Complains loudly and exits with status 1 if a path returns an internal server error (status code 500 or higher).

## Why does this OpenAPI fuzzer exist?

To make it easy to integrate an OpenAPI 3 fuzzer in an existing API.

## How do I use this?

1. Install the fuzzer using its [pip package](https://pypi.org/project/openapi3-fuzzer/)
2. Add at least the following packages to requirements-test.txt:
````text
coverage==5.0.3
openapi3-fuzzer
adal==1.2.2
Flask-Testing==0.7.1
````
3. Generate the API server from your OAS3 definition with [OpenAPI Generator](https://github.com/OpenAPITools/openapi-generator); the template below imports `BaseTestCase` from the generated `openapi_server.test` package.
4. Create a test_fuzzing file in the test location using the template below:
````python
import adal

import config
from openapi3_fuzzer import FuzzIt
from openapi_server.test import BaseTestCase


def get_token():
    """
    Create a bearer token that the fuzzer sends with every request.
    :return: the access token string, or None if the token request
             returned no 'accessToken'
    """
    # Placeholders: replace with your own values, preferably read from the
    # imported config module or the environment rather than hard-coded here
    oauth_expected_authenticator = "<authenticator-uri>"
    client_id = "<app-id>"
    client_secret = "<client-secret>"
    resource = "<resource-or-audience>"

    # get an Azure access token using the adal library
    context = adal.AuthenticationContext(oauth_expected_authenticator)
    token_response = context.acquire_token_with_client_credentials(
        resource, client_id, client_secret)

    access_token = token_response.get('accessToken')
    return access_token


class TestvAPI(BaseTestCase):

    def test_fuzzing(self):
        # Fuzz every path in openapi.yaml against this test client, authenticated
        # with the token above; FuzzIt fails the test case on findings
        FuzzIt("openapi.yaml", get_token(), self)

````
5. Run using our [unittest container](https://github.com/vwt-digital/cloudbuilder-unittest) or via the [Python Unittest Framework](https://docs.python.org/3/library/unittest.html)

## What OAS3 items are supported?

Based on [OpenAPI specification 3.0.2](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md):

Operation | Supported
----------|----------
GET       | Yes
POST      | Yes
PUT       | Yes
DELETE    | Yes
HEAD      | Yes
OPTIONS   | No
PATCH     | No
TRACE     | No

Parameter in | Supported
-------------|----------
path         | Yes
query        | No
header       | No
cookie       | No

Property types | Supported
---------------|----------
string         | Yes
integer        | Yes
number         | Yes
array          | Yes
none           | Yes
boolean        | No

## Example output

Internal server error:

````
GET fuzzing /managers/expenses/{expenses_id}/attachments

* INTERNAL SERVER ERROR
  Endpoint returned 500 but expected one of [200]
  GET https://dev.myapi.example/managers/expenses/99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/attachments
````

Response doesn't conform to the OAS3 spec:

````
--------------------------------------------
GET fuzzing /employees/expenses/{expenses_id}

- Unexpected status code
  Endpoint returned 404 but expected one of [200, 'default']
  GET https://dev.myapi.example/employees/expenses/)$#***^
````

````
POST fuzzing /employees/expenses/{expenses_id}

- Unexpected status code
  Endpoint returned 400 but expected one of [201, 'default']
  POST https://dev.myapi.example/employees/expenses
{
    "amount": "123",
    "cost_type": "123",
    "note": ";sleep 10",
    "transaction_date": "123"
}
````
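To make the checks listed under "What does this fuzzer do?" and the verdicts in the example output concrete, here is an added example (not the project's own code) that reproduces them: a 5xx is reported as an internal server error (exit status 1), and a status not declared under the operation's responses is reported as unexpected (exit status 2). The `SPEC` fragment, `fill_path` and `classify` are constructed for this example and mirror the three operations shown above.

```python
import re

# Constructed OAS3 fragment for this example (not the project's test data); it
# mirrors the three operations that appear in the example output above.
SPEC = {
    "paths": {
        "/managers/expenses/{expenses_id}/attachments": {
            "get": {"responses": {"200": {}}},
        },
        "/employees/expenses/{expenses_id}": {
            "get": {"responses": {"200": {}, "default": {}}},
        },
        "/employees/expenses": {
            "post": {"responses": {"201": {}, "default": {}}},
        },
    }
}

# Exit statuses as documented in the README.
EXIT_SERVER_ERROR = 1       # a path returned 5xx
EXIT_UNEXPECTED_STATUS = 2  # response status not declared in the OAS3 file


def expected_statuses(spec, path, method):
    """Response keys of one operation: numeric codes as ints, 'default' as-is."""
    responses = spec["paths"][path][method.lower()]["responses"]
    return [int(code) if code.isdigit() else code for code in responses]


def fill_path(template, value):
    """Substitute every {param} in a path template with one fuzz value,
    e.g. /employees/expenses/{expenses_id} -> /employees/expenses/<value>."""
    return re.sub(r"\{[^}]+\}", lambda _m: str(value), template)


def classify(spec, path, method, status):
    """Verdict for one fuzzed response as (label, exit_status).

    label is None when the status is acceptable. Any 5xx is reported as an
    internal server error first. Only explicit numeric codes count as a
    match: the example output above flags a 404 even though 'default' is
    declared, so 'default' is listed in the message but does not satisfy it.
    """
    allowed = expected_statuses(spec, path, method)
    if status >= 500:
        return "INTERNAL SERVER ERROR", EXIT_SERVER_ERROR
    if status in allowed:
        return None, 0
    return "Unexpected status code", EXIT_UNEXPECTED_STATUS
```

Feeding `classify` the three responses from the example output reproduces its verdicts; wiring the result into a CI step lets a 5xx on any fuzzed path fail the build before it reaches production.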

## LICENSE

GPL3



            
