API Fuzzing using a Postman Collection

Problem to solve

As a user, I want to perform API Fuzzing using a Postman Collection. Postman collections are common assets to have and provide an easy way for users to get started with API Fuzzing.

Intended users

User experience goal

Users can set up API Fuzzing using a Postman Collection via a new variable.

Proposal

Add a new variable FUZZAPI_POSTMAN_COLLECTION allowing the user to provide a filename for a Postman Collection that is checked into the repository or generated by the pipeline.

The following versions will be supported:

  1. Collection v2
  2. Collection v2.1

Use the authentication provided if the user doesn't specify any:

  • Bearer token
  • Basic auth
  • API Key (if support has been added to API Fuzzing)

Tasks:

  1. Add support for variable to worker-entry
    1. Validate file and error if unsupported
  2. Add authentication support to the runner's existing Postman support
  3. Add integration tests to worker-entry
  4. Update API Fuzzing template
  5. Document and add changelog entry
  6. Create example project that uses Postman Collection
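
One way the "Validate file and error if unsupported" task could look, given the two supported versions and the listed authentication schemes. This is an added example, not code from worker-entry or the API Fuzzing project; the function and class names are hypothetical and the sample collections are constructed.

```python
import json

# Schema URL fragments for the two collection versions the proposal supports.
SUPPORTED = {"/collection/v2.0.0/": "v2", "/collection/v2.1.0/": "v2.1"}
# Postman's auth "type" strings for the schemes listed in the proposal.
AUTH_TYPES = {"bearer", "basic", "apikey"}

class UnsupportedCollection(ValueError):
    """The file is not a Postman Collection v2 or v2.1."""

def check_collection(text):
    """Return (version, auth_type); auth_type is None if absent or not listed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise UnsupportedCollection(f"not valid JSON: {exc.msg}") from exc
    info = doc.get("info") if isinstance(doc, dict) else None
    schema = info.get("schema") if isinstance(info, dict) else None
    if not isinstance(schema, str):
        # v1 exports carry no info.schema, so they are rejected here.
        raise UnsupportedCollection("no info.schema: v1 export or not a collection")
    version = next((v for frag, v in SUPPORTED.items() if frag in schema), None)
    if version is None:
        raise UnsupportedCollection(f"unsupported schema: {schema}")
    if not isinstance(doc.get("item"), list):
        raise UnsupportedCollection("collection has no item list")
    auth = doc.get("auth")
    auth_type = auth.get("type") if isinstance(auth, dict) else None
    # Report only the scheme name; credential values never leave this function.
    return version, auth_type if auth_type in AUTH_TYPES else None

# Constructed sample inputs (not taken from any real project).
SAMPLE_V21 = json.dumps({
    "info": {"name": "demo", "schema":
             "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{token}}"}]},
    "item": [{"name": "list", "request": {"method": "GET", "url": "{{base}}/items"}}],
})
SAMPLE_V1 = json.dumps({"id": "constructed", "name": "demo", "requests": []})

if __name__ == "__main__":
    print(check_collection(SAMPLE_V21))
    try:
        check_collection(SAMPLE_V1)
    except UnsupportedCollection as err:
        print("rejected:", err)
```

Returning only the scheme name keeps token and password values out of job logs when the check reports what it found.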

Documentation

  • Document usage of new variable

What does success look like, and how can we measure that?

Users are able to perform API Fuzzing using a Postman Collection.

Links / references

/cc @sethgitlab @stkerr

The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by 🤖 GitLab Bot 🤖