Comments (13)
yes, most likely end of this week.
from cats.
Hi @comat0zz. The CustomFuzzer
is only intended to create functional tests without writing actual code. More like a DSL where you can instruct CATS to run specific tests for specific paths with specific values and let CATS fill in the gaps. You can verify results and use variables across tests. As I said, typical to a functional test.
If you want to pass your own values within specific fields you can use the --refData
argument where you pass a file with a syntax described in the README file. You can use all
if the value is supplied for all paths. Or specify the exact path if that values only applies for a specific path.
from cats.
Hi @en-milie !
Not quite the answer I was expecting. ^)
I want to make one dictionary for all fields of a certain type. For example:
- for all string value - this is a check for sql injection.
- for all numbers value - large numbers, marginal values.
How should it look like? Let's look at an example of a Security Fuzzer. How can I modify it?
/pet:
test_1:
description: Run XSS scenarios
name: "My Pet"
expectedResponseCode: 200
targetFields:
- pet#id
- pet#description
stringsFile: xss.txt
/pet change to all?
targetFields: - pet#id change to ... ? all#all ? empty?
how to set the required type of dictionary for a certain type of fields?
from cats.
The SecurityFuzzer
does not support field types. Only specific field names. This was deliberate as it can take a very long time to go through all fields based on a dictionary. If you multiply paths * fields * dictionary words, you can end up with tens of thousands of tests easily.
But it seems a good idea to take data types. Maybe something like:
/pet:
test_1:
description: Run XSS scenarios
name: "My Pet"
expectedResponseCode: 200
fieldTypes:
- string
- date
stringsFile: xss.txt
And also allow all
as path.
from cats.
@en-milie, fieldTypes is already working or is it just an idea?
from cats.
Just an idea at the moment. Not that hard to implement.
from cats.
@en-milie , I would be happy if you do it :)
from cats.
@en-milie Can you orient: will it be implemented? If yes, then when? For me, this opportunity is very important.
from cats.
You can now use targetFieldTypes
in securityFuzzer.yml
. You can not specify yet all
as path. d1cb526
This is a sample targeting all string
fields.
/pets/{id}/move:
test1:
description: XSS strings
targetFieldTypes:
- string
- email
stringsFile: xss.txt
httpMethod: POST
expectedResponseCode: 200
from cats.
@en-milie Wow, thx! When will this functionality be released in cats-linux?
from cats.
Will do a release today.
from cats.
@comat0zz https://github.com/Endava/cats/releases/tag/cats-7.0.5
from cats.
@en-milie Great work!
from cats.
Related Issues (20)
- Ignoring a field inside a functional fuzzer HOT 3
- Unsupported Operation Exception when supplying headers via -H flag HOT 3
- String values are sent as integer values HOT 3
- CATS 9.0.1 convert all components of the contract to String HOT 5
- Publishing of Maven release, enabling programmatic usage in Java HOT 7
- NullPointerException: MediaType.getSchema() HOT 5
- NumberFormatException: input string HOT 3
- [Functional Fuzzer] Requesting Ability to Set Parameter Values as NULL for POST Requests in CATs HOT 5
- Request for Guidance: Writing a Functional Fuzzer for OpenAPI Specs with Missing Keys HOT 5
- [Functional Fuzzer] Date String Parsing Bug HOT 4
- SecurityFuzzer stringFile enhancement HOT 2
- FunctionalFuzzer issue with array parameters HOT 7
- Requests pass, but values are not substituted HOT 4
- Error when liniting file `com.jayway.jsonpath.PathNotFoundException` HOT 4
- Strange results number (always 0 successful, additional 2 errors) HOT 2
- Configurable Error Code Expectations HOT 4
- FeatureRequest/Integration With REST-Assured HOT 2
- Troubleshooting Discrepancy in HTTP Status Code Responses: CATS Tool GET Method Issue HOT 2
- CATS runner crashing with java.lang.NullPointerException HOT 4
- CATS runner crashing with java.lang.IllegalStateException HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cats.