API Fuzzing MVC documentation
Problem to solve
Documentation is needed for API Fuzzer. This is the first release of the feature.
Proposal
Provide documentation structured similarly to existing scanners.
Documentation should cover at a minimum:
- Description of what fuzzing is.
- Description of the problem fuzzing solves.
- Technical instructions for adding our fuzzer to a project.
  - Screenshots are required for this.
- Technical instructions for understanding the results from fuzzing.
  - Screenshots are required for this.
- An example of walking through a project and using the fuzzer.
The following captures comments from the architecture document:
- Provide minimal viable documentation for this milestone.
  - Will not document the API Fuzzer configuration format.
- Document the overrides JSON format.
  - Provide an example of Bearer Token authentication.
- Document environment variables.
- Document provided configuration files and profiles.
  - Capabilities and usage, not the YAML.
- Document requirements for testing an external target:
  - Public DNS
  - Access to required ports (80/443)
  - Supported authentication type
  - Warning not to test production systems
  - Recommendations:
    - Server located in US
    - No VPN in between
    - Fast internet connection
    - Notify operations/security department; the fuzzer may set off a WAF or other edge security devices
- Document basic debugging/verification steps: how to find log files, verify tests are working, etc.
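The external-target requirements above can be checked before the job starts rather than discovered after a failed run. The following is an added example (not code from this issue or from the API Fuzzer) that turns them into a pre-flight check on FUZZAPI_TARGET_URL: the host must be a public DNS name (not localhost, a literal IP, a .local or single-label LAN/VPN name), the port must be 80 or 443, no credentials may be embedded in the URL, and the host must not be on a deny-list of production systems. The PRODUCTION_HOSTS list and the hostname heuristics are assumptions made for illustration.

```python
"""Pre-flight check for an external API fuzzing target.

Added example, not code from the GitLab issue or the API Fuzzer. It turns the
external-target requirements (public DNS name, ports 80/443, never a
production system) into a check a pipeline can run before the fuzzing job.
PRODUCTION_HOSTS and the .local/single-label heuristics are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts that must never be fuzzed. Constructed example list; a real pipeline
# would take this from a CI variable maintained by the operations team.
PRODUCTION_HOSTS = {"api.example.com"}


def target_port(url):
    """Port the fuzzer will connect to: explicit in the URL, else 80/443 by scheme."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def is_public_hostname(host):
    """True if host looks like a publicly resolvable DNS name.

    Literal IP addresses are rejected (a loopback or RFC 1918 address is not
    reachable from a hosted runner, and a public IP still bypasses the
    public-DNS requirement), as are localhost, .local names and single-label
    names that only resolve inside a LAN or VPN.
    """
    host = (host or "").lower().rstrip(".")
    if not host or host == "localhost" or host.endswith(".local"):
        return False
    try:
        ipaddress.ip_address(host)
        return False  # a literal IPv4/IPv6 address, not a DNS name
    except ValueError:
        pass
    return "." in host


def check_target(url, production_hosts=PRODUCTION_HOSTS):
    """Return the list of problems with url; an empty list means it may be fuzzed."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    host = (parts.hostname or "").lower()
    if not is_public_hostname(host):
        problems.append(f"host {host!r} is not a public DNS name")
    if host in production_hosts:
        problems.append(f"host {host!r} is a production system; do not fuzz it")
    port = target_port(url)
    if port not in (80, 443):
        problems.append(f"port {port} is not 80 or 443")
    if parts.username or parts.password:
        problems.append("credentials embedded in the URL; supply them via the overrides file")
    return problems


if __name__ == "__main__":
    import os
    import sys

    url = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("FUZZAPI_TARGET_URL", "")
    found = check_target(url)
    for problem in found:
        print(f"FUZZAPI_TARGET_URL: {problem}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run it as an early script step with the same FUZZAPI_TARGET_URL the fuzzing job uses; a non-zero exit stops the pipeline before any traffic is sent. It checks the shape of the target only, not reachability; a single `curl -sS -o /dev/null` against the URL from the runner covers the DNS and port 80/443 access requirements, and the WAF/edge-device notification remains a manual step.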
Environment Variables
The following environment variables will be exposed to the user.
Docker related (optional):
All of these variables are optional.
NOTE: Skipping docker variables for the moment. Removing docker-in-docker has been mentioned.
- [ ] FUZZAPI_D_TARGET_IMAGE
- [ ] FUZZAPI_D_TARGET_ENV
- [ ] FUZZAPI_D_TARGET_VOLUME
- [ ] FUZZAPI_D_TARGET_PORTS
- [x] FUZZAPI_D_WORKER_IMAGE
- [x] FUZZAPI_D_WORKER_ENV
- [x] FUZZAPI_D_WORKER_VOLUME
- [x] FUZZAPI_D_WORKER_PORTS
- [x] FUZZAPI_D_NETWORK - (optional) Name of docker network, defaults to “testing-net”
- [ ] FUZZAPI_D_PRE_SCRIPT - (optional) Pre script runs after docker login and docker network create, but before we start the scanning image container.
- [ ] FUZZAPI_D_POST_SCRIPT - (optional) Post script runs after the scanning image container is started. This is the place to start your target(s) and kick off scanning if using our CLI tools.
Core configuration:
- FUZZAPI_VERSION - (optional) Set version of tool to use, defaults to “latest”
- FUZZAPI_TARGET_URL - URL prefix for test target
- FUZZAPI_CONFIG - Configuration file for API Fuzzer
- FUZZAPI_PROFILE - Testing profile to use (defaults to Quick)
- FUZZAPI_REPORT - (optional) Filename for the report, defaults to gl-apifuzzer-report.xml
- FUZZAPI_TIMEOUT - (optional) Response timeout
How to perform testing:
- FUZZAPI_OPENAPI - Provide an OpenAPI specification to drive testing
- FUZZAPI_HAR - Provide a HAR file to drive testing
  - For HAR: add a warning that a recorded HAR may include sensitive data (session cookies, bearer tokens, credentials in request and response bodies) and should be scrubbed before it is committed to the repository
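To make the HAR warning actionable, the following added example (not code from this issue or from the API Fuzzer) redacts the usual credential carriers from a HAR 1.2 capture before it is committed: Authorization, Cookie and Set-Cookie headers, every cookie entry, sensitive query parameters both in the `queryString` array and in the request URL string, and matching keys inside JSON request and response bodies. The sets of sensitive header and parameter names, and the sample capture, are constructed for illustration; the live credentials are then supplied at scan time through the overrides mechanism instead of being baked into the HAR.

```python
"""Redact credentials from a HAR file before it is committed as fuzzing input.

Added example, not code from the GitLab issue or the API Fuzzer. A HAR recorded
from a browser or proxy holds every request verbatim, so session cookies, bearer
tokens and API keys end up in it; this strips them so the HAR can live in the
repository and live credentials come from the overrides file instead. The sets of
sensitive header/parameter names are assumptions; extend them for the API tested.
"""
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "refresh_token", "api_key", "apikey", "password", "session"}

def _redact_pairs(pairs, names=None):
    """Redact each {"name", "value"} item whose name is in names (every item if None)."""
    count = 0
    for item in pairs or []:
        if names is None or item.get("name", "").lower() in names:
            item["value"] = REDACTED
            count += 1
    return count

def _redact_json(obj, names):
    """Recursively redact string values under matching keys in a decoded JSON body."""
    count = 0
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in names and isinstance(value, str):
                obj[key] = REDACTED
                count += 1
            else:
                count += _redact_json(value, names)
    elif isinstance(obj, list):
        count = sum(_redact_json(value, names) for value in obj)
    return count

def _redact_text_body(container, names):
    """Redact matching keys in a JSON body kept as text in container["text"]."""
    text = (container or {}).get("text")
    if not text:
        return 0
    try:
        body = json.loads(text)
    except ValueError:
        return 0  # not JSON; form bodies are covered by postData.params
    count = _redact_json(body, names)
    if count:
        container["text"] = json.dumps(body)
    return count

def _redact_url(url, names):
    """Redact sensitive query parameters inside the request URL string."""
    parts, query, count = urlsplit(url), [], 0
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in names:
            value, count = REDACTED, count + 1
        query.append((key, value))
    return (urlunsplit(parts._replace(query=urlencode(query))) if count else url), count

def scrub_har(har):
    """Return (scrubbed deep copy of har, number of values redacted); har is left intact."""
    har, count = copy.deepcopy(har), 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"], n = _redact_url(req.get("url", ""), SENSITIVE_PARAMS)
        count += n
        count += _redact_pairs(req.get("headers"), SENSITIVE_HEADERS)
        count += _redact_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        count += _redact_pairs(req.get("cookies")) + _redact_pairs(resp.get("cookies"))  # all cookies
        count += _redact_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        count += _redact_pairs(req.get("postData", {}).get("params"), SENSITIVE_PARAMS)
        count += _redact_text_body(req.get("postData"), SENSITIVE_PARAMS)
        count += _redact_text_body(resp.get("content"), SENSITIVE_PARAMS)
    return har, count

# Constructed sample (HAR 1.2 shape) of one login request; not a real recording.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://api.example.com/v1/login?api_key=k123",
        "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi.payload.sig"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "session", "value": "s3cr3t"}],
        "queryString": [{"name": "api_key", "value": "k123"}],
        "postData": {"mimeType": "application/json",
                     "text": "{\"user\": \"alice\", \"password\": \"hunter2\"}"}},
    "response": {
        "status": 200, "headers": [{"name": "Set-Cookie", "value": "session=s3cr3t; HttpOnly"}],
        "cookies": [{"name": "session", "value": "s3cr3t"}],
        "content": {"mimeType": "application/json",
                    "text": "{\"access_token\": \"eyJ.new\", \"expires_in\": 3600}"}}}]}}

if __name__ == "__main__":
    import sys
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, redacted = scrub_har(source)
    json.dump(clean, sys.stdout, indent=2)
    print(f"\n{redacted} values redacted", file=sys.stderr)
```

Run it as `python3 scrub_har.py recorded.har > scrubbed.har` and commit only the scrubbed file. Redaction is by name, so a secret carried under an unlisted parameter or header survives; grep the output for the known token values before committing, and treat a non-JSON body (XML, multipart) as unscrubbed unless you add a handler for it.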
Authentication related:
- FUZZAPI_OVERRIDES_FILE - (optional) Filename of a JSON file with header/cookie replacements
- FUZZAPI_OVERRIDES_ENV - (optional) JSON string with header/cookie replacements, supplied inline as a variable instead of via a file
- FUZZAPI_OVERRIDES_CMD - (optional) Command/script to perform authentication and update the overrides JSON file with a new token
- FUZZAPI_OVERRIDES_INTERVAL - (optional) User-supplied authentication timeout value in minutes; the interval at which the overrides command is re-run to refresh the token
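The overrides JSON format and the Bearer Token example called for in the architecture comments, together with the FUZZAPI_OVERRIDES_CMD / FUZZAPI_OVERRIDES_INTERVAL mechanism, are shown in the following added example; it is not code from this issue or from the API Fuzzer. It is the kind of script FUZZAPI_OVERRIDES_CMD would point at: each time the fuzzer runs it, it obtains a fresh token and rewrites the file named by FUZZAPI_OVERRIDES_FILE. Assumptions: the overrides document is a JSON object with top-level `headers` and `cookies` objects mapping names to replacement values (confirm the key names against the shipped documentation), and the token endpoint (TOKEN_URL, CLIENT_ID, CLIENT_SECRET, a JSON reply carrying `access_token`) is a hypothetical placeholder for whatever issues tokens for the target.

```python
"""Refresh the API Fuzzer overrides file with a fresh Bearer token.

Added example, not code from the GitLab issue or the API Fuzzer. It is the kind
of script FUZZAPI_OVERRIDES_CMD would point at: the fuzzer runs it every
FUZZAPI_OVERRIDES_INTERVAL minutes, it fetches a new token and rewrites the
header/cookie replacements file named by FUZZAPI_OVERRIDES_FILE. Assumptions:
the overrides JSON uses top-level "headers" and "cookies" objects, and the token
endpoint (TOKEN_URL, CLIENT_ID, CLIENT_SECRET, JSON reply with "access_token")
is a hypothetical placeholder for whatever issues tokens for the target.
"""
import json
import os
import stat
import tempfile
import urllib.parse
import urllib.request


def build_overrides(token, cookies=None):
    """Overrides document replacing the Authorization header (and optionally cookies)."""
    overrides = {"headers": {"Authorization": "Bearer " + token}}
    if cookies:
        overrides["cookies"] = dict(cookies)
    return overrides


def write_overrides(path, overrides):
    """Write the overrides JSON atomically with mode 0600; returns path.

    The fuzzer re-reads the file while the scan runs, so the document is written
    to a temporary file in the same directory and renamed into place: a reader
    never sees a partially written file. The file holds a live credential, hence
    owner-only permissions.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".overrides-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(overrides, fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def load_overrides(path):
    """Read the overrides document back (what the fuzzer sees)."""
    with open(path) as fh:
        return json.load(fh)


def file_mode(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def fetch_token(token_url, client_id, client_secret):
    """OAuth2 client-credentials request; hypothetical endpoint, adapt to the real IdP."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    req = urllib.request.Request(token_url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def refresh(path, token_source):
    """Obtain a token via token_source() and rewrite the overrides file; returns path."""
    return write_overrides(path, build_overrides(token_source()))


if __name__ == "__main__":
    refresh(os.environ["FUZZAPI_OVERRIDES_FILE"],
            lambda: fetch_token(os.environ["TOKEN_URL"], os.environ["CLIENT_ID"],
                                os.environ["CLIENT_SECRET"]))
```

Set FUZZAPI_OVERRIDES_CMD to `python3 refresh_overrides.py` and FUZZAPI_OVERRIDES_INTERVAL to a value shorter than the token lifetime, so the fuzzer never runs with an expired Authorization header. Keep CLIENT_SECRET in a masked CI variable, never in the repository, and do not commit the generated overrides file: it contains a live token for the target.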
Links / references
The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.