Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Fuzzing / 9 Sep 2020
GitLab / Fuzzing / 9 Sep 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: GitLab 13 4 introduces API Fuzz Testing

Description

GitLab 13.4 releases API fuzz testing! This technique can find bugs and security vulnerabilities in your APIs that other approaches may miss.

A

Tim kerr, I'm a principal product manager here at git lab and today I'm going to be talking to you about the new api fuzz testing capability being released with git lab 13.4 api fuzz testing is a great way to find bugs and security vulnerabilities in your application that other processes and tools might have missed the way this works is by looking at your application and what its typical inputs and output combinations are and try new combinations of automatically generated inputs to find edge cases that will cause those bugs to appear.

A

So I'm going to walk you through an example and show you how you can use this inside of gitlab 13.4 on your own applications. I'm sharing my screen and this repository is a basic python application. It's using the flask framework, so you can see in this code it's defining a few different endpoints for this home page. It has an api set of endpoints as well, and each of those endpoints does a few different things, but so now what we want to do is look at. How will I fuzz test this application?

A

One of the great things about git labs, api fuzz testing- is that if you already have an open api specification for your application, which many apps do you can use that function or you can use that file directly. Luckily, our example- repo has one of these, so we can actually look, and this is the open api definition.

A

That's describing what our flask application is doing, rather than looking at that python code, you can easily see it has a number of apis related to users and getting them updating information as well as deleting them.

A

So we can actually take this open api definition and provide that directly to the fuzz testing inside of git lab, I'm looking at the get lab ci file that defines how pipelines are run inside of git lab. All you need to do to add. Fuzz testing to your apps is include the api fuzz testing template as part of your ci pipeline and then from there define several required variables.

A

These are to point out the location of that open api file, as well as what the url of your application will be hosted. This example has a number of other optional configuration parameters. These are going to be in the documentation. This is just related to the specific demo, I'm showing you right now. These are not required. The only required ones are going to be again that open api definition and the target url once we've added this to our pipeline.

A

Let's take a look and see what this will look like. So I've run this job a little while ago and we can see our one api fuzzer job ran after it ran it, populated our test tab with the results that it found. So, let's take a look at that, so we can see that it ran one test: fuzzy injection on this api users, api and it found something.

A

So if we look at it, it'll give us a description a little bit more about what it's doing. It'll talk about the mutation or what that randomly randomly generated value it created was in this case it originally started with one and change it into this string of ones.

A

If we scroll down, we can see that we get an internal server error or an http 500 error when this long string of ones was used- and this is fuzz testing finding a bug. This is exactly what we're trying to do with api. Fuzz testing is find these sorts of bugs so that you can then take the next step to figure out why this caused http, http 500 error, figure out why this crashed the application, and so you can fix it before it gets to a production environment.

A

So this is great and we're really excited to be offering api fuzz testing when with an open api specifications, but a question might be what do I do? If I don't have an open api specification, can I still use api fuzz testing and the answer is yes, so, let's take a look at another way that you can use open ap, you can use api fuzz testing in git lab 13.4.

A

We know that not all users have open api specs, so we also support using an har file or an http archive file as an input to inform the fuzzer. There are a number of different resources online. You can look at to figure out how to generate this file, but essentially it's a recording of all of the different traffic that goes through a browser to an application.

A

So if you don't have an open api spec, what you can do is re record yourself or automatically interact with an application to generate all the different endpoints that you would want to begin. Fuzz testing against.

A

So if you see in this repo here's the har file that we'll use this testrest target.har and let's look at how we would provide that to our fuzz testing.

A

So again, we would include this template file, the api, fuzzing template and instead of defining an open api file, we'll define fuzz, api, har and points of that har file. Again, we'll tell the ci pipeline where our url is and again I'll, provide that optional configuration for this specific application.

A

So you can see it's very similar to use an har file or an api file when you're doing open api fuzz testing. So let's take a look again at what the fuzz tester found you can see. I found a number of different things um in this case.

A

One interesting one I wanted to show uh the fuzz tester is trying this api user slash two endpoint and in this case, rather than try two, the fuzz tester generated 65 576. and again this found a similar. If not the same error that we saw with the open api specification, this internal server error came up.

A

um We can see some more details here and then we get to that 500 internal server error, and so this is just an example of how you might use open api.

A

uh You might use api fuzz testing on your applications. We're really excited to be shipping this, as our first iteration in gitlab 13.4. We've got a lot more on the way. A couple things you can look forward to are making this workflow even more straightforward.

A

We plan on populating these testing results in our security dashboard, so you can take advantage of all the other powerful vulnerability management and security functionality inside of gitlab. That you're already used to we'd love to hear your feedback about api fuzz testing, whether it's positive or negative, we'd love to hear from you, we'd love to have a conversation again. Thank you so much for your time really appreciate it.