07 Fuzz Testing

Coverage Based Fuzz-Testing #

GitLab allows you to add coverage-guided fuzz testing to your pipelines. This helps you discover bugs and potential security issues that other QA processes may miss. Coverage-guided fuzzing sends random inputs to an instrumented version of your application in an effort to cause unexpected behavior, such as a crash. Such behavior indicates a bug that you should address.

In this section we’ll learn how to configure coverage-based fuzzing. We will also go through examining the results.

Step 1: Configuration #

  1. Open the WebIDE

  2. Use the sidebar to open .gitlab-ci.yml

  3. Add the include section:

include:
  - template: Coverage-Fuzzing.gitlab-ci.yml
  1. Add to the bottom of the file:
my_fuzz_target:
  image: python:3.9.1-buster
  extends: .fuzz_base
  stage: c-fuzz
  script:
    - pip install --extra-index-url https://gitlab.com/api/v4/projects/19904939/packages/pypi/simple pythonfuzz
    - ./gitlab-cov-fuzz run --engine pythonfuzz -- fuzz.py
  1. Update the stages in .gitlab-ci.yml
stages:
    - build
    - c-fuzz
    - deploy

Step 2: Adding a vulnerability #

  1. Open fuzz.py under the root directory and replace the file contents with the following:
from html.parser import HTMLParser
from pythonfuzz.main import PythonFuzz

@PythonFuzz
def fuzz(buf):
    try:
        string = buf.decode("ascii")
        parser = HTMLParser()
        parser.feed(string)
    except UnicodeDecodeError:
        pass

if __name__ == '__main__':
    fuzz()
  1. Select Commit

  2. Select Create a new branch, give the branch a name, check Start a new merge request and press the Commit button

  3. Give the merge request a name and description

  4. Press the Create merge request button

  5. Wait for the pipeline to complete

NOTE The c-fuzz job will show failure, but this is to be expected, we can see the results once the job completes.

Step 3: Viewing the Results in MR #

  1. Once the pipeline has complete, we can expand the Security scanning section
NOTE You may need to refresh the page
  1. Select the Uncaught-exception Vulnerability

  2. Here we can see the vulnerability in full detail

Here you can see that an un-handled exception was picked up. This is because we are just passing instead of performing a function.


Web-API Based Fuzz-Testing #

GitLab allows you to add web-api fuzz testing to your pipelines. This helps you discover bugs and potential security issues that other QA processes may miss. API fuzzing performs fuzz testing of API operation parameters. Fuzz testing sets operation parameters to unexpected values in an effort to cause unexpected behavior and errors in the API back-end.

In this section we’ll learn how to configure Web-API based fuzzing. We will also go through examining the results.

Step 1: Configuration #

  1. Open the WebIDE

  2. Create a new file named test_openapi.v2.0.json with the OpenAPI spec seen below in the project’s root directory, making sure that INGRESS_ENDPOINT is replaced with your Ingress Endpoint obtained in lesson 2.

  {
  "swagger": "2.0",
  "info": {
    "version": "1.0",
    "title": "Adding Notes",
    "description": "Testing adding notes via simply simple notes"
  },
  "host": "INGRESS_ENDPOINT",
  "basePath": "/notes",
  "schemes": [
    "http"
  ],
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "paths": {
    "/add": {
      "post": {
        "description": "User provides a note to add to the database",
        "summary": "POST api to create a note",
        "produces": [
          "application/json"
        ],
        "parameters": [
          {
            "name": "message",
            "in": "body",
            "required": true,
            "description": "The user provided text used to create a note",
            "schema": {
              "$ref": "#/definitions/CreateNoteRequest"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Note added successfully!"
          }
        }
      }
    }
  },
  "definitions": {
    "CreateNoteRequest": {
      "title": "Create NoteRequest",
      "example": {
        "message": "meow"
      },
      "type": "object",
      "properties": {
        "message": {
          "description": "The user provided text used to create a note",
          "example": "meow",
          "type": "string"
        }
      },
      "required": [
        "message"
      ]
    }
  }
}
  1. Add the following template to .gitlab-ci.yml
include:
  - template: API-Fuzzing.gitlab-ci.yml
  1. Add the following variables to .gitlab-ci.yml, remember to replace the INGRESS_ENDPOINT with your ingress endpoint
variables:
  FUZZAPI_PROFILE: Quick-10
  FUZZAPI_OPENAPI: test_openapi.v2.0.json
  FUZZAPI_TARGET_URL: http://INGRESS_ENDPOINT
  1. Update the stages in .gitlab-ci.yml
stages:
  - fuzz
  1. Select Commit

  2. Select commit to master

Step 2: Adding a vulnerability #

Now let’s add a vulnerability to see Web API fuzzing in action.

  1. Open the WebIDE

  2. Select notes/routes.py

  3. Change the following in the add_note() function in notes/routes.py

if len(msg) > 1024:
        return jsonify({"Error": "Message tooooo long!"}), 400

to

if len(msg) > 10:
        return jsonify({"Error": "Message tooooo long!"}), 500
  1. Press the Commit button

  2. Verify the code

  3. Select Create a new branch and Start a new merge request, and press Commit

  4. Give the MR a title and a description

  5. Press the Submit merge request button

Step 3: Viewing the Results #

  1. When the pipeline completes, press Expand under the Security Scan section
Note You may need to refresh your browser
  1. Click on the Unknown Fuzzing injection via ‘message’ on ‘POST’ vulnerability

  2. Here you have information on the Exception caught by fuzzing

Here you can see that an un-handled exception was picked up. This is because the server threw a 500 instead of handling the error. Ideally a database error should cause the 500, this is just a forced test.


Congratulations! You have now successfully learned how to perform both Coverage-based and Web-API fuzzing on your application.

Previous Lesson Next Lesson