API Fuzzing MVC
Problem to solve
REST APIs power web applications and the integrations between them, and JSON has become the dominant representation for REST API resources. Developers and security analysts need a way to validate API stability and security without that validation becoming a burden. Implementing API fuzzing within the CI/CD pipeline gives GitLab users immediate results with every build and merge request.
Today OWASP ZAP is used for DAST. ZAP can fuzz web resources, specifically the inputs it identifies, and should be evaluated against this initial MVC. Other solutions such as Peach Fuzzer Community Edition and the Sulley framework should also be explored, as they allow for long-term extensibility.
Implement Fuzz API Scanning, enabled through the environment variable FUZZ_API_SCAN_ENABLED, to verify the stability and security of the user's solution.
Provide a CI job template that users can include in their pipelines.
- Similar to how we provide
After including the job template, allow users to define in their job template:
- REST API Resource → the URL of the REST API to be fuzz tested; it should be verified to be a URL.
- Resource Representation → a path appended to the Resource at which the API provides a sample representation in JSON.
- The findings of the Fuzz API scan should be available within the CI/CD results where other GitLab Secure results are presented (e.g., DAST).
- The results should be presented in the same context as other GitLab Secure results. This means the user does not need to wait on a specific GitLab page or worry about results being lost if they navigate away from it.
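The requirements above describe the scan's inputs (a resource URL that must be validated, and a path to a sample JSON representation) and its output (findings that can be surfaced alongside other Secure results). The following is an added example, not GitLab's or ZAP's code, of the minimal fuzzing loop such a job would run: it validates the resource URL, fetches the sample representation, derives type-aware mutations of every JSON leaf (plus a missing-field case), sends each mutant to the resource, and records a finding whenever the target returns a 5xx or leaks a stack trace. The HTTP transport is an injected callable so the example runs offline against a constructed fake API; the function and variable names, the finding shape, and the fake endpoint are all assumptions for illustration.

```python
"""Added example: a minimal JSON mutation fuzzer driven by a sample representation.

Nothing here is GitLab's or ZAP's code. The REST API Resource URL and the
Resource Representation path are passed in as parameters; `send` is a
caller-supplied transport so the loop can be exercised against a fake API.
"""
import copy
import json
from urllib.parse import urlparse

STACK_TRACE_MARKERS = ("Traceback (most recent call last)", "Exception", "at java.")


def is_valid_http_url(url):
    """The REST API Resource variable must be an absolute http(s) URL."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def mutations_for(value):
    """Type-aware mutations of one JSON leaf (bool is checked before int on purpose)."""
    if isinstance(value, bool):
        return [not value, "true", 1, None]
    if isinstance(value, int):
        return [0, -1, 2 ** 31, 2 ** 63, "NaN", "1", None]
    if isinstance(value, float):
        return [0.0, -1.0, 1e308, "1.5", None]
    if isinstance(value, str):
        return ["", "A" * 4096, "\x00", "' OR 1=1--", "<script>alert(1)</script>", 0, None]
    if value is None:
        return ["x", 0, [], {}]
    return []


def _leaves(node, path):
    """Yield (path, value) for every scalar in the sample document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _leaves(child, path + [key])
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from _leaves(child, path + [index])
    else:
        yield path, node


def _with(doc, path, value, delete=False):
    """Return a deep copy of doc with the leaf at path replaced (or removed)."""
    out = copy.deepcopy(doc)
    node = out
    for key in path[:-1]:
        node = node[key]
    if delete:
        del node[path[-1]]
    else:
        node[path[-1]] = value
    return out


def fuzz_cases(sample):
    """Yield (json_path, mutation_label, mutated_document) for every leaf mutation."""
    for path, value in _leaves(sample, []):
        label = "$." + ".".join(str(p) for p in path)
        for mutant in mutations_for(value):
            yield label, repr(mutant)[:40], _with(sample, path, mutant)
        yield label, "<missing>", _with(sample, path, None, delete=True)


def run_fuzz(resource_url, representation_path, send):
    """Fetch the sample JSON, POST every mutant to the resource, return findings.

    send(method, url, body_text) -> (status, body_text) is the injected transport.
    """
    if not is_valid_http_url(resource_url):
        raise ValueError("REST API Resource must be an absolute http(s) URL: %r" % resource_url)
    sample_url = resource_url.rstrip("/") + "/" + representation_path.lstrip("/")
    status, text = send("GET", sample_url, None)
    if status != 200:
        raise RuntimeError("could not fetch sample representation (HTTP %d)" % status)
    sample = json.loads(text)

    findings = []
    for path, mutation, doc in fuzz_cases(sample):
        status, text = send("POST", resource_url, json.dumps(doc))
        evidence = []
        if status >= 500:
            evidence.append("server_error")
        if any(marker in text for marker in STACK_TRACE_MARKERS):
            evidence.append("stack_trace_in_response")
        if evidence:
            findings.append({"path": path, "mutation": mutation, "status": status, "evidence": evidence})
    return findings


# Constructed stand-in for the target: a user endpoint that trusts its input types.
SAMPLE = {"name": "alice", "age": 30, "admin": False, "tags": ["staff"]}


def fake_api(method, url, body):
    if method == "GET" and url.endswith("/sample"):
        return 200, json.dumps(SAMPLE)
    if method == "POST":
        data = json.loads(body)
        try:
            if data["age"] < 0:  # TypeError when age is not a number
                return 400, '{"error":"age must be >= 0"}'
            if len(data["name"]) > 64:  # TypeError when name is not a string
                return 400, '{"error":"name too long"}'
            data["name"].lower()
            return 201, '{"ok":true}'
        except (KeyError, TypeError, AttributeError) as exc:
            return 500, "Traceback (most recent call last):\n  ... %s: %s" % (type(exc).__name__, exc)
    return 404, ""


if __name__ == "__main__":
    for finding in run_fuzz("https://api.example.test/v1/users", "sample", fake_api):
        print(finding)
```

Against the constructed endpoint the loop flags only the `name` and `age` fields: every mutant that changes their type or removes them produces a 500 with a traceback in the body, while the unused `admin` and `tags` fields produce no findings. A real job would serialise the findings list into the report format the pipeline expects and apply a time or case budget, since the number of cases grows with the size of the sample representation.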
Example output (from DAST):
Metrics should be collected as described in the Success section below.
Permissions and Security
What does success look like, and how can we measure that?
Percentage of pipelines with the