Join the chat at https://gitter.im/API-Fuzzer/Lobby Codacy Badge Maintainability Scrutinizer Code Quality Build Status Documentation Status

APIFuzzer — HTTP API Testing Framework

APIFuzzer reads your API description and step by step fuzzes the fields to validate if you application can cope with the fuzzed parameters. Does not require coding.

Supported API Description Formats

Work in progress

Planned

Pre-requirements

  1. Python3
  2. sudo apt install libcurl4-openssl-dev libssl-dev (on Ubuntu 18.04, required by pycurl)

Installation

Fetch the most recent code from GitHub

$ git clone https://github.com/KissPeter/APIFuzzer.git

Install requirements. If you don't have pip installed, then sudo apt-get install python3-pip -y 

$ pip3 install -r APIFuzzer/requirements.txt

Quick Start

Check the help (some of them are not implemented yet):

$$ python3 fuzzer.py -h
usage: fuzzer.py [-h] [-s SRC_FILE] [--src_url SRC_URL] [-r REPORT_DIR]
                 [--level LEVEL] [-u ALTERNATE_URL] [-t TEST_RESULT_DST]
                 [--log {critical,fatal,error,warn,warning,info,debug,notset}]
                 [--basic_output BASIC_OUTPUT] [--headers HEADERS]

API fuzzer configuration

optional arguments:
  -h, --help        show this help message and exit
  -s SRC_FILE, --src_file SRC_FILE
                    API definition file path. Currently only JSON format is
                    supported
  --src_url SRC_URL
                    API definition url. Currently only JSON format is
                    supported
  -r REPORT_DIR, --report_dir REPORT_DIR
                    Directory where error reports will be saved. Default is
                    temporally generated directory
  --level LEVEL     Test deepness: [1,2], higher is the deeper !!!Not
                    implemented!!!
  -u ALTERNATE_URL, --url ALTERNATE_URL
                    Use CLI defined url instead compile the url from the API
                    definition. Useful for testing
  -t TEST_RESULT_DST, --test_report TEST_RESULT_DST
                    JUnit test result xml save path
  --log {critical,fatal,error,warn,warning,info,debug,notset}
                    Use different log level than the default WARNING
  --basic_output BASIC_OUTPUT
                    Use basic output for logging (useful if running in
                    jenkins). Example: --basic_output=True
  --headers HEADERS
                    Http request headers added to all request. Example:
                    '[{"Authorization": "SuperSecret"}, {"Auth2": "asd"}]'

Usage example:

Start the sample application (install the necessary packages listed in test/requirements_for_test.txt):
$ python3 test/test_application.py

Start the fuzzer:
$ python3 fuzzer.py -s test/test_swagger_definition.json -u http://127.0.0.1:5000/ -r /tmp/reports/ --log debug 

Check the reports:
$ ls -1 /tmp/reports/

Report example:
$ json_pp < /tmp/reports/79_1573993485.5391517.json
{
   "response" : "Test application exception: invalid literal for int() with base 10: '0\\x00\\x10'",
   "sub_reports" : [],
   "parsed_status_code" : 500,
   "state" : "COMPLETED",
   "test_number" : 79,
   "request_body" : null,
   "reason" : "failed",
   "name" : "target",
   "request_url" : "http://127.0.0.1:5000/exception/0\u0000\u0010",
   "request_method" : "GET",
   "status" : "failed",
   "request_headers" : "{\"User-Agent\": \"APIFuzzer\", \"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Connection\": \"keep-alive\"}"
}