How to add mine dictionaries? about cats HOT 13 CLOSED

yes, most likely end of this week.

from cats.

Hi @comat0zz. The CustomFuzzer is only intended to create functional tests without writing actual code. More like a DSL where you can instruct CATS to run specific tests for specific paths with specific values and let CATS fill in the gaps. You can verify results and use variables across tests. As I said, typical to a functional test.

If you want to pass your own values within specific fields you can use the --refData argument where you pass a file with a syntax described in the README file. You can use all if the value is supplied for all paths. Or specify the exact path if that values only applies for a specific path.

from cats.

Hi @en-milie !
Not quite the answer I was expecting. ^)

I want to make one dictionary for all fields of a certain type. For example:

1. for all string value - this is a check for sql injection.
2. for all numbers value - large numbers, marginal values.

How should it look like? Let's look at an example of a Security Fuzzer. How can I modify it?

/pet:
    test_1:
      description: Run XSS scenarios
      name: "My Pet"
      expectedResponseCode: 200
      targetFields:
        - pet#id
        - pet#description
      stringsFile: xss.txt

/pet change to all?
targetFields: - pet#id change to ... ? all#all ? empty?

how to set the required type of dictionary for a certain type of fields?

from cats.

The SecurityFuzzer does not support field types. Only specific field names. This was deliberate as it can take a very long time to go through all fields based on a dictionary. If you multiply paths * fields * dictionary words, you can end up with tens of thousands of tests easily.
But it seems a good idea to take data types. Maybe something like:

/pet:
    test_1:
      description: Run XSS scenarios
      name: "My Pet"
      expectedResponseCode: 200
      fieldTypes:
        - string
        - date
      stringsFile: xss.txt

And also allow all as path.

from cats.

@en-milie, fieldTypes is already working or is it just an idea?

from cats.

Just an idea at the moment. Not that hard to implement.

from cats.

@en-milie , I would be happy if you do it :)

from cats.

@en-milie Can you orient: will it be implemented? If yes, then when? For me, this opportunity is very important.

from cats.

You can now use targetFieldTypes in securityFuzzer.yml. You can not specify yet all as path. d1cb526

This is a sample targeting all string fields.

/pets/{id}/move:
  test1:
    description: XSS strings
    targetFieldTypes:
      - string
      - email
    stringsFile: xss.txt
    httpMethod: POST
    expectedResponseCode: 200

from cats.

@en-milie Wow, thx! When will this functionality be released in cats-linux?

from cats.

Will do a release today.

from cats.

@comat0zz https://github.com/Endava/cats/releases/tag/cats-7.0.5

from cats.

@en-milie Great work!

from cats.