RestFuzz - an API tester

December 8, 2015 · View on GitHub

Features

  • Support REST json based API
  • Requires a description of methods inputs/outputs
  • Randomly generate inputs
  • Outputs/inputs of type resources are collected and reused
  • Health monitoring extract traceback from logs

Usage example

This unit test output shows example of randomly generated api call. A fake API is used, no actual request is performed::

$ python restfuzz/tests/test_fuzzer.py

A demo server and description is also included::

pythondemo/demoserver.pypython demo/demo_server.py restfuzz --api demo/demo.yaml

A typical fuzzing session goes like this:

./tools/packstackprep.sh./tools/packstack_prep.sh restfuzz --api ./api/network.yaml --health ./tools/health_localhost.py --db ./neutron_(date+...C(date '+%s') ... ^C ./tools/read_dump.py --stats ./neutron_*

Based on the method that always failed, or weird return code

$ ./tools/read_dump.py --name faulty_method ./samples/neutron_*

Returns all the call from this method

Looks for inconsistent cloud behavior using another account and then

$ ./tools/read_dump.py ./samples/* | grep "bad_uuid"

Todo

Bugs reported