
API Fuzzing MVC

Problem to solve

REST APIs power web applications and the integrations between them, and JSON has become the most common notation for REST API resources. Developers and security analysts need a way to validate API stability and security without it becoming a burden. Implementing API fuzzing support within the CI/CD pipeline gives GitLab users immediate results with every build and merge request.

Further details

Today OWASP ZAP is implemented for DAST. This tool can fuzz web resources, and specifically the inputs it identifies. ZAP can be evaluated against this initial MVC; however, other solutions such as Peach Fuzzer Community Edition and the Sulley framework should also be explored, as they allow for long-term extensibility.

Intended users

Both Sam (Security Analyst) and Sasha (Software Developer) can be targeted users for this MVC.

Proposal

Implement Fuzz API Scanning, enabled through the environment variable FUZZ_API_SCAN_ENABLED, to verify the stability and security of the user’s solution.

Configuration

Provide a CI job template that users can include in their pipelines.

  • Similar to how we provide DAST.gitlab-ci.yml and SAST.gitlab-ci.yml.

After including the job template, allow users to define the following in their job:

  • REST API Resource → The URL of the REST API to be fuzz tested; it should be validated as a URL.
  • Resource Representation → A path appended to the Resource, pointing to where the API provides a sample representation in JSON.
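As an added illustration (not GitLab's own code or job template), the following Python performs the two checks the proposal calls for on the user-defined values, then walks a constructed sample representation to list the JSON leaves a fuzzer would mutate. Only FUZZ_API_SCAN_ENABLED appears in the proposal; the variable names FUZZ_API_RESOURCE and FUZZ_API_REPRESENTATION are assumptions.

```python
"""Input validation for the proposed Fuzz API job (added example, not GitLab code).

Assumed (hypothetical) variable names: FUZZ_API_RESOURCE and
FUZZ_API_REPRESENTATION; only FUZZ_API_SCAN_ENABLED comes from the proposal.
"""
import json
from urllib.parse import urlsplit, urljoin

# Constructed sample representation, standing in for the JSON the API would
# serve at the Resource Representation path.
SAMPLE_REPRESENTATION = json.dumps({
    "id": 42,
    "name": "widget",
    "tags": ["a", "b"],
    "owner": {"email": "dev@example.com", "active": True},
})


def is_enabled(env):
    """The job is a no-op unless FUZZ_API_SCAN_ENABLED holds a truthy value."""
    return env.get("FUZZ_API_SCAN_ENABLED", "").strip().lower() in {"1", "true", "yes"}


def resolve_target(env):
    """Verify the REST API Resource is an http(s) URL and append the Resource
    Representation path. Raises ValueError on a bad configuration."""
    resource = env.get("FUZZ_API_RESOURCE", "")
    parts = urlsplit(resource)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"FUZZ_API_RESOURCE is not an http(s) URL: {resource!r}")
    representation = env.get("FUZZ_API_REPRESENTATION", "")
    if not representation:
        raise ValueError("FUZZ_API_REPRESENTATION must be set")
    # Keep the representation path relative to the resource URL.
    return urljoin(resource.rstrip("/") + "/", representation.lstrip("/"))


def fuzz_fields(sample_json):
    """Walk the sample representation and return each leaf as a
    (JSON-pointer-style path, type name) pair: the inputs a fuzzer targets."""
    fields = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}/{index}")
        else:
            fields.append((path, type(node).__name__))

    walk(json.loads(sample_json), "")
    return fields
```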

Results Output

  • The findings of the Fuzz API scan should be available within the CI/CD results where other GitLab Secure results are presented (e.g., DAST).
  • The results should be provided within the same context as other GitLab Secure results. This means the user does not need to wait on a specific GitLab page or worry about results being lost if they navigate away from the page.

Example output (from DAST):

[Image: DAST Output]

Metrics

Metrics should be collected as described in the Success section below.

Permissions and Security

TBD.

Documentation

TBD.

Testing

TBD.

What does success look like, and how can we measure that?

Percentage of pipelines with FUZZ_API_SCAN_ENABLED set

Links / references

Swagger and Open API Specification
Peach Tech API Security
Peach Community Edition
Sulley Framework

