Coverage Based Fuzz-Testing #
GitLab allows you to add coverage-guided fuzz testing to your pipelines. This helps you discover bugs and potential security issues that other QA processes may miss. Coverage-guided fuzzing sends random inputs to an instrumented version of your application in an effort to cause unexpected behavior, such as a crash. Such behavior indicates a bug that you should address.
In this section we’ll learn how to configure coverage-based fuzzing. We will also go through examining the results.
Step 1: Configuration #
Open the WebIDE
Use the sidebar to open
.gitlab-ci.ymlAdd the include section:
include:
- template: Coverage-Fuzzing.gitlab-ci.yml
- Add to the bottom of the file:
my_fuzz_target:
image: python:3.9.1-buster
extends: .fuzz_base
stage: c-fuzz
script:
- pip install --extra-index-url https://gitlab.com/api/v4/projects/19904939/packages/pypi/simple pythonfuzz
- ./gitlab-cov-fuzz run --engine pythonfuzz -- fuzz.py
- Update the stages in
.gitlab-ci.yml
stages:
- build
- c-fuzz
- deploy
Step 2: Adding a vulnerability #
- Open
fuzz.pyunder the root directory and replace the file contents with the following:
from html.parser import HTMLParser
from pythonfuzz.main import PythonFuzz
@PythonFuzz
def fuzz(buf):
try:
string = buf.decode("ascii")
parser = HTMLParser()
parser.feed(string)
except UnicodeDecodeError:
pass
if __name__ == '__main__':
fuzz()
Select Commit
Select Create a new branch, give the branch a name, check Start a new merge request and press the Commit button
Give the merge request a name and description
Press the Create merge request button
Wait for the pipeline to complete
NOTE The c-fuzz job will show failure, but this is to be expected, we can see the results once the job completes.
Step 3: Viewing the Results in MR #
- Once the pipeline has complete, we can expand the Security scanning section
NOTE You may need to refresh the page
Select the Uncaught-exception Vulnerability
Here we can see the vulnerability in full detail
Here you can see that an un-handled exception was picked up. This is because we are just passing instead of performing a function.
Web-API Based Fuzz-Testing #
GitLab allows you to add web-api fuzz testing to your pipelines. This helps you discover bugs and potential security issues that other QA processes may miss. API fuzzing performs fuzz testing of API operation parameters. Fuzz testing sets operation parameters to unexpected values in an effort to cause unexpected behavior and errors in the API back-end.
In this section we’ll learn how to configure Web-API based fuzzing. We will also go through examining the results.
Step 1: Configuration #
Open the WebIDE
Create a new file named
test_openapi.v2.0.jsonwith the OpenAPI spec seen below in the project’s root directory, making sure that INGRESS_ENDPOINT is replaced with your Ingress Endpoint obtained in lesson 2.
{
"swagger": "2.0",
"info": {
"version": "1.0",
"title": "Adding Notes",
"description": "Testing adding notes via simply simple notes"
},
"host": "INGRESS_ENDPOINT",
"basePath": "/notes",
"schemes": [
"http"
],
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"paths": {
"/add": {
"post": {
"description": "User provides a note to add to the database",
"summary": "POST api to create a note",
"produces": [
"application/json"
],
"parameters": [
{
"name": "message",
"in": "body",
"required": true,
"description": "The user provided text used to create a note",
"schema": {
"$ref": "#/definitions/CreateNoteRequest"
}
}
],
"responses": {
"200": {
"description": "Note added successfully!"
}
}
}
}
},
"definitions": {
"CreateNoteRequest": {
"title": "Create NoteRequest",
"example": {
"message": "meow"
},
"type": "object",
"properties": {
"message": {
"description": "The user provided text used to create a note",
"example": "meow",
"type": "string"
}
},
"required": [
"message"
]
}
}
}
- Add the following template to
.gitlab-ci.yml
include:
- template: API-Fuzzing.gitlab-ci.yml
- Add the following variables to
.gitlab-ci.yml, remember to replace the INGRESS_ENDPOINT with your ingress endpoint
variables:
FUZZAPI_PROFILE: Quick-10
FUZZAPI_OPENAPI: test_openapi.v2.0.json
FUZZAPI_TARGET_URL: http://INGRESS_ENDPOINT
- Update the stages in
.gitlab-ci.yml
stages:
- fuzz
Select Commit
Select commit to master
Step 2: Adding a vulnerability #
Now let’s add a vulnerability to see Web API fuzzing in action.
Open the WebIDE
Select notes/routes.py
Change the following in the
add_note()function innotes/routes.py
if len(msg) > 1024:
return jsonify({"Error": "Message tooooo long!"}), 400
to
if len(msg) > 10:
return jsonify({"Error": "Message tooooo long!"}), 500
Press the Commit button
Verify the code
Select Create a new branch and Start a new merge request, and press Commit
Give the MR a title and a description
Press the Submit merge request button
Step 3: Viewing the Results #
- When the pipeline completes, press Expand under the Security Scan section
Note You may need to refresh your browser
Click on the Unknown Fuzzing injection via ‘message’ on ‘POST’ vulnerability
Here you have information on the Exception caught by fuzzing
Here you can see that an un-handled exception was picked up. This is because the server threw a 500 instead of handling the error. Ideally a database error should cause the 500, this is just a forced test.
Congratulations! You have now successfully learned how to perform both Coverage-based and Web-API fuzzing on your application.