Allow users to configure HTTP header fuzzing in API Fuzzing
Problem to solve
As a user I want to selectively enable fuzzing of HTTP headers with the option to include or exclude specific headers.
Many web APIs use headers (custom and well-defined) to track API version, perform authentication/authorization, etc. Because these headers are read by the application code, vulnerabilities may exist in how they are processed.
Some common web frameworks, such as Java's Spring, produce server errors (500) when headers are tested, even when no actual issue has been found. For this reason, it's useful to start with this option disabled and allow selective use.
API Fuzzing already has the ability to test HTTP headers; however, it was disabled in 13.3 to provide a better default experience. This issue will re-introduce the feature with the ability to configure it on a per-check basis.
Intended users
User experience goal
Users can configure header testing via the API Fuzzing YAML configuration file.
Proposal
Configure header testing via new configuration options for General Fuzzing Check. Fuzzing headers can be a source of false positives, so the option will default to off and require listing each header to be fuzzed.
- General Fuzzing Check is the only check active for headers
- Provide the following options:
  - On/Off
  - Included headers list
- Default to off
The following checks will have this configuration option:
- General Fuzzing Check
Document this portion of the configuration file.
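One way the opt-in behaviour proposed above could be evaluated, as an added example that is not the analyzer's code. The keys `header_fuzzing` and `included_headers`, the function names, and the sample request and payloads are assumptions made for illustration, not the API Fuzzing configuration schema.

```python
# Added illustration; key names below are hypothetical, not GitLab's schema.
from dataclasses import dataclass, field


@dataclass
class HeaderFuzzingConfig:
    enabled: bool = False                         # proposal: default to off
    included: list = field(default_factory=list)  # headers that may be fuzzed


def load_config(check_config: dict) -> HeaderFuzzingConfig:
    """Read the header options from one check's configuration mapping."""
    names = check_config.get("included_headers") or []
    return HeaderFuzzingConfig(
        # Only a real boolean true enables the feature; anything else stays off.
        enabled=check_config.get("header_fuzzing") is True,
        included=[str(n).strip() for n in names if str(n).strip()],
    )


def headers_to_fuzz(cfg, request_headers):
    """Return the request's header names that are eligible for fuzzing."""
    if not cfg.enabled:
        return []
    allowed = {n.lower() for n in cfg.included}  # header names are case-insensitive
    return [name for name in request_headers if name.lower() in allowed]


def fuzz_variants(cfg, request_headers, payloads):
    """Yield (header, payload, headers) with one listed header changed per variant."""
    for name in headers_to_fuzz(cfg, request_headers):
        for payload in payloads:
            mutated = dict(request_headers)  # every other header is left intact
            mutated[name] = payload
            yield name, payload, mutated


# Constructed sample request headers and payloads.
SAMPLE_HEADERS = {
    "Authorization": "Bearer <token>",
    "X-API-Version": "2",
    "Accept": "application/json",
}
SAMPLE_PAYLOADS = ["", "A" * 1024, "\u202e2"]

if __name__ == "__main__":
    cfg = load_config({"header_fuzzing": True, "included_headers": ["x-api-version"]})
    for name, payload, headers in fuzz_variants(cfg, SAMPLE_HEADERS, SAMPLE_PAYLOADS):
        print(name, repr(payload[:16]), headers["Authorization"])
```

With this shape, turning the switch on without listing any header fuzzes nothing, so authentication headers stay untouched unless they are named explicitly.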
Documentation
Add documentation on this new configuration option.
Availability & Testing
- Unit test changes
- Integration test changes
What does success look like, and how can we measure that?
Users are able to enable/disable header fuzzing via the configuration file.
Technical Solution
- Make changes to check
- Write integration test
- Update production configuration file with new configuration settings set to off
- Write documentation
- Publish analyzer