The main goal of this repository is providing easy to use docker image with RESTler fuzzer.
This docker image should be used as black box solution and it could be used on your local machine or your CI/CD. If you use Azure services or GitHub, I encourage you to take a look at REST API Fuzz Testing (RAFT).
RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. In order to find more details about RESTler you should check out RESTler github repository.
docker build -t wkoszolkoo/restler-fuzzer-getting-started .docker run --rm -v $(pwd):/fuzzer:rw wkoszolkoo/restler-fuzzer-getting-started fuzz --api_spec=api-docs.jsonBefore you try to work with this docker image, I encourage you to take a look at provided examples:
Docker imagerestler-fuzzer-getting-started supports parameters:
| Parameter name | Required | Description |
|---|---|---|
| api_spec | false | Path to Swagger specification. |
| compilation_config | false | Compilation configuration. One parameter of (api_spec, compilation_config) has to be set. Both api_spec and compilation_config can not be set at the same time. |
| dictionary_file | false | Path to dictionary file. |
| settings | false | Path to engine configuration. |
| no_ssl | false | Possible values: true/false. Disable SSL. If your API is expose over HTTP, you should use this flag. |
- add CI/CD
- add a new parameter
urlin order to override API url - add ability to run only
smoke-testfuzzorfuzz-lean - add ability to fetch swagger/OpenApi docs from web
- extend information regarding RESTler
- explain how to analyze RESTler output
- explain common problems of docker network
- use
getoptin startups script instead of custom code for parsing input parameters - add example with authentication