►
From YouTube: GitLab 13 4 introduces API Fuzz Testing
Description
GitLab 13.4 releases API fuzz testing! This technique can find bugs and security vulnerabilities in your APIs that other approaches may miss.
A
So
I'm
going
to
walk
you
through
an
example
and
show
you
how
you
can
use
this
inside
of
gitlab
13.4
on
your
own
applications.
I'm
sharing
my
screen
and
this
repository
is
a
basic
python
application.
It's
using
the
flask
framework,
so
you
can
see
in
this
code
it's
defining
a
few
different
endpoints
for
this
home
page.
It
has
an
api
set
of
endpoints
as
well,
and
each
of
those
endpoints
does
a
few
different
things,
but
so
now
what
we
want
to
do
is
look
at.
How
will
I
fuzz
test
this
application?
A
One
of
the
great
things
about
git
labs,
api
fuzz
testing-
is
that
if
you
already
have
an
open
api
specification
for
your
application,
which
many
apps
do
you
can
use
that
function
or
you
can
use
that
file
directly.
Luckily,
our
example-
repo
has
one
of
these,
so
we
can
actually
look,
and
this
is
the
open
api
definition.
A
So
we
can
actually
take
this
open
api
definition
and
provide
that
directly
to
the
fuzz
testing
inside
of
git
lab,
I'm
looking
at
the
get
lab
ci
file
that
defines
how
pipelines
are
run
inside
of
git
lab.
All
you
need
to
do
to
add.
Fuzz
testing
to
your
apps
is
include
the
api
fuzz
testing
template
as
part
of
your
ci
pipeline
and
then
from
there
define
several
required
variables.
A
These
are
to
point
out
the
location
of
that
open
api
file,
as
well
as
what
the
url
of
your
application
will
be
hosted.
This
example
has
a
number
of
other
optional
configuration
parameters.
These
are
going
to
be
in
the
documentation.
This
is
just
related
to
the
specific
demo,
I'm
showing
you
right
now.
These
are
not
required.
The
only
required
ones
are
going
to
be
again
that
open
api
definition
and
the
target
url
once
we've
added
this
to
our
pipeline.
A
Let's
take
a
look
and
see
what
this
will
look
like.
So
I've
run
this
job
a
little
while
ago
and
we
can
see
our
one
api
fuzzer
job
ran
after
it
ran
it,
populated
our
test
tab
with
the
results
that
it
found.
So,
let's
take
a
look
at
that,
so
we
can
see
that
it
ran
one
test:
fuzzy
injection
on
this
api
users,
api
and
it
found
something.
A
A
If
we
scroll
down,
we
can
see
that
we
get
an
internal
server
error
or
an
http
500
error
when
this
long
string
of
ones
was
used-
and
this
is
fuzz
testing
finding
a
bug.
This
is
exactly
what
we're
trying
to
do
with
api.
Fuzz
testing
is
find
these
sorts
of
bugs
so
that
you
can
then
take
the
next
step
to
figure
out
why
this
caused
http,
http
500
error,
figure
out
why
this
crashed
the
application,
and
so
you
can
fix
it
before
it
gets
to
a
production
environment.
A
So
this
is
great
and
we're
really
excited
to
be
offering
api
fuzz
testing
when
with
an
open
api
specifications,
but
a
question
might
be
what
do
I
do?
If
I
don't
have
an
open
api
specification,
can
I
still
use
api
fuzz
testing
and
the
answer
is
yes,
so,
let's
take
a
look
at
another
way
that
you
can
use
open
ap,
you
can
use
api
fuzz
testing
in
git
lab
13.4.
A
We
know
that
not
all
users
have
open
api
specs,
so
we
also
support
using
an
har
file
or
an
http
archive
file
as
an
input
to
inform
the
fuzzer.
There
are
a
number
of
different
resources
online.
You
can
look
at
to
figure
out
how
to
generate
this
file,
but
essentially
it's
a
recording
of
all
of
the
different
traffic
that
goes
through
a
browser
to
an
application.
A
A
So
again,
we
would
include
this
template
file,
the
api,
fuzzing
template
and
instead
of
defining
an
open
api
file,
we'll
define
fuzz,
api,
har
and
points
of
that
har
file.
Again,
we'll
tell
the
ci
pipeline
where
our
url
is
and
again
I'll,
provide
that
optional
configuration
for
this
specific
application.
A
A
One
interesting
one
I
wanted
to
show
the
fuzz
tester
is
trying
this
api
user
slash
two
endpoint
and
in
this
case,
rather
than
try
two,
the
fuzz
tester
generated
65
576.
and
again
this
found
a
similar.
If
not
the
same
error
that
we
saw
with
the
open
api
specification,
this
internal
server
error
came
up.
A
A
You
might
use
api
fuzz
testing
on
your
applications.
We're
really
excited
to
be
shipping
this,
as
our
first
iteration
in
gitlab
13.4.
We've
got
a
lot
more
on
the
way.
A
couple
things
you
can
look
forward
to
are
making
this
workflow
even
more
straightforward.
A
We
plan
on
populating
these
testing
results
in
our
security
dashboard,
so
you
can
take
advantage
of
all
the
other
powerful
vulnerability
management
and
security
functionality
inside
of
gitlab.
That
you're
already
used
to
we'd
love
to
hear
your
feedback
about
api
fuzz
testing,
whether
it's
positive
or
negative,
we'd
love
to
hear
from
you,
we'd
love
to
have
a
conversation
again.
Thank
you
so
much
for
your
time
really
appreciate
it.