API Security: Redesign our main test target

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Problem

The main test target used during testing of API Security is a python flask application. It grew organically, but has reached the end of it's useful life in it's current form.

Some problems:

• Flask is slow -- Now that we support multi-CPU runners, the speed of the test target impacts our pipeline speed. Newer async frameworks like Sanic would be a better choice for us now.
• Too many 500 errors and expectations of order calls
• Design of target doesn't scale -- It's a hodgepodge of vulnerabilities, but no clear method of organization or documentation
• Need separation between vulnerabilities we support being found and common design patterns
  • We should have vulnerabilities separated out like the e2e benchmark
  • Design patterns being separate (e.g. dependencies between operations/variables)
  • Clear method for adding new vulnerabilities or concepts
• No automatic OpenAPI spec generation

Proposal

Flush out a design for a new python test target.

1. Framework: Sanic
   1. Extension modules to provide easy porting from Flask to Sanic
   2. Async support
   3. Very fast
   4. Blueprints look like a great way to encapsulate vulnerabilities/design patterns
2. Identify vulnerabilities to test
3. Identify features to test
4. Identify design patterns