GitLocker: The Coding Marketplace

Description:

APIFuzzer 0.9.13

APIFuzzer — HTTP API Testing Framework
APIFuzzer reads your API description and step by step fuzzes the fields to validate
if you application can cope with the fuzzed parameters. Does not require coding.
APIFuzzer main features

Parse API definition from local file or remote URL
JSON and YAML file format support
All HTTP methods are supported
Fuzzing of request body, query string, path parameter and request header are supported
Relies on random mutations
Support CI integration

Generate JUnit XML test report format
Send request to alternative URL
Support HTTP basic auth from configuration
Save report of failed test in JSON format into the pre-configured folder
Log to stdout instead of syslog

Configurable log level

Supported API definition formats

Swagger
OpenAPI

Planned

GraphQL
API Blueprint

Pre-requirements

Python3
sudo apt install libcurl4-openssl-dev libssl-dev libcurl4-nss-dev (on Ubuntu 18.04, required by pycurl)
sudo apt install gcc libcurl4-nss-dev (on Ubuntu 20.04, required by pycurl)

Installation
Latest release version:
pip3 install APIFuzzer

Development version:
Fetch the most recent code from GitHub
$ git clone https://github.com/KissPeter/APIFuzzer.git

Install requirements. If you don't have pip installed, then sudo apt-get install python3-pip -y
$ pip3 install -r APIFuzzer/requirements.txt

Quick Start
Check the help (some of them are not implemented yet):

$$ usage: APIFuzzer [-h] [-s SRC_FILE] [--src_url SRC_URL] [-r REPORT_DIR] [--level LEVEL] [-u ALTERNATE_URL] [-t TEST_RESULT_DST]
[--log {critical,fatal,error,warn,warning,info,debug,notset}] [--basic_output BASIC_OUTPUT] [--headers HEADERS] [-v ,--version]

APIFuzzer configuration

optional arguments:
-h, --help show this help message and exit
-s SRC_FILE, --src_file SRC_FILE
API definition file path. JSON and YAML format is supported
--src_url SRC_URL API definition url. JSON and YAML format is supported
-r REPORT_DIR, --report_dir REPORT_DIR
Directory where error reports will be saved. Default is temporally generated directory
--level LEVEL Test deepness: [1,2], the higher is the deeper (In progress)
-u ALTERNATE_URL, --url ALTERNATE_URL
Use CLI defined url instead compile the url from the API definition. Useful for testing
-t TEST_RESULT_DST, --test_report TEST_RESULT_DST
JUnit test result xml save path
--log {critical,fatal,error,warn,warning,info,debug,notset}
Use different log level than the default WARNING
--basic_output BASIC_OUTPUT
Use basic output for logging (useful if running in jenkins). Example --basic_output=True
--headers HEADERS Http request headers added to all request. Example: '[{"Authorization": "SuperSecret"}, {"Auth2": "asd"}]'

Usage example:
Start the sample application (install the necessary packages listed in test/requirements_for_test.txt):
$ python3 test/test_application.py

Start the fuzzer:
$ APIFuzzer -s test/test_api/openapi_v2.json -u http://127.0.0.1:5000/ -r /tmp/reports/ --log debug

Check the reports:
$ ls -1 /tmp/reports/

Report example:
$ json_pp < /tmp/reports/79_1573993485.5391517.json
{
"response" : "Test application exception: invalid literal for int() with base 10: '0\\x00\\x10'",
"sub_reports" : [],
"parsed_status_code" : 500,
"state" : "COMPLETED",
"test_number" : 79,
"request_body" : null,
"reason" : "failed",
"name" : "target",
"request_url" : "http://127.0.0.1:5000/exception/0\u0000\u0010",
"request_method" : "GET",
"status" : "failed",
"request_headers" : "{\"User-Agent\": \"APIFuzzer\", \"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Connection\": \"keep-alive\"}"
}