
Support overriding parameters in API Fuzzing

Problem to solve

A common method of API authentication is passing a credential token via a parameter in the query string or request body. API Fuzzing does not provide a method to perform this type of authentication.

Proposal

API Fuzzing has a feature called overrides that allows a user to add a header or cookie. This feature will be extended to also support parameters in the query string, JSON, form data, and XML.

One of the design goals for overrides is providing a simple, small format that can be provided easily through an environment variable.

Extend the existing format to include several optional properties: query, body-form, body-json, body-xml.

{
  "headers":    { "name": "value" },
  "cookies":    { "name": "value" },
  "query":      { "name": "value" },
  "body-form":  { "name": "value" },
  "body-json":  { "jsonpath": "value" },
  "body-xml":   { "xpath": "value" }
}

  1. Parameter in query string

    { "query": {"api_key": "b5638ae7-6e77-4585-b035-7d9de2e3f6b3"} }

  2. Parameter in form-encoded body

    { "body-form": {"api_key": "b5638ae7-6e77-4585-b035-7d9de2e3f6b3"} }

  3. Parameter in JSON-encoded body

    The parameter key is a JSONPath expression.

    { "body-json": {"$.api_key": "b5638ae7-6e77-4585-b035-7d9de2e3f6b3"} }

  4. Parameter in XML-encoded body

    The parameter key is an XPath expression.

    Set the value of all XML elements named api_key:

    { "body-xml": {"//api_key": "b5638ae7-6e77-4585-b035-7d9de2e3f6b3"} }

    Set the value of all attributes named api_key:

    { "body-xml": {"//@api_key": "b5638ae7-6e77-4585-b035-7d9de2e3f6b3"} }
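A sketch of how a runner could apply the four new properties to one outgoing request. This is an added example, not GitLab's implementation; the function names, the choice of body override by Content-Type, and the restriction to dotted JSONPath keys and the `//name` and `//@name` XPath shapes are assumptions.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def set_form(encoded, params):
    # Drop existing pairs with an overridden name, then append the override values.
    kept = [(k, v) for k, v in parse_qsl(encoded, keep_blank_values=True) if k not in params]
    return urlencode(kept + list(params.items()))

def set_json(body, params):
    # Assumption: dotted JSONPath keys only ($.a.b); missing keys are created.
    doc = json.loads(body)
    for path, value in params.items():
        if not path.startswith("$."):
            raise ValueError("unsupported JSONPath: " + path)
        *parents, leaf = path[2:].split(".")
        node = doc
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = value
    return json.dumps(doc)

def set_xml(body, params):
    # Assumption: only the proposal's two XPath shapes, //name and //@name.
    root = ET.fromstring(body)
    for path, value in params.items():
        if not path.startswith("//"):
            raise ValueError("unsupported XPath: " + path)
        name = path[2:]
        for el in root.iter():
            if name.startswith("@") and name[1:] in el.attrib:
                el.set(name[1:], value)   # every attribute with that name
            elif el.tag == name:
                el.text = value           # every element with that name
    return ET.tostring(root, encoding="unicode")

def apply_overrides(overrides, url, content_type="", body=""):
    # Returns (url, body) with the query and body-* overrides applied.
    if "query" in overrides:
        parts = urlsplit(url)
        url = urlunsplit(parts._replace(query=set_form(parts.query, overrides["query"])))
    # Assumption: the body override is chosen by the request's Content-Type.
    if "body-form" in overrides and "x-www-form-urlencoded" in content_type:
        body = set_form(body, overrides["body-form"])
    elif "body-json" in overrides and "json" in content_type:
        body = set_json(body, overrides["body-json"])
    elif "body-xml" in overrides and "xml" in content_type:
        body = set_xml(body, overrides["body-xml"])
    return url, body
```

Applying a `query` override to a URL that already carries `api_key` replaces the old value instead of sending the parameter twice.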

Tasks:

  1. Update runner to support:
    1. Query string parameters
    2. Form body parameters
    3. JSON body parameters
    4. XML body parameters
      1. XML attributes
      2. XML value elements
  2. Create tests
  3. Publish updated container prior to merging documentation
  4. Update documentation for overrides
  5. Update documentation for Authentication adding an API Key section
    1. Header API key
    2. Parameter API key
