Shulou(Shulou.com)05/31 Report--

How to use RESTler to vaguely test REST API in cloud services. In view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a simpler and easier way.

RESTler

RESTler is the first stateful fuzzy testing tool for REST API, which can automate fuzzy testing of the target cloud service through the REST API of the cloud service, and find possible security vulnerabilities and other threat attack surfaces in the target service. If the target cloud service has an OpenAPI/Swagger specification, then RESTler analyzes the entire service specification and then generates and executes the complete service test through its REST API.

RESTler intelligently infers producer-consumer dependencies between request types from the Swagger specification. During testing, it checks for specific types of vulnerabilities and dynamically parses the behavior of the service from previous service responses. This intelligent approach enables RESTler to explore deeper service states that can only be achieved through a specific request sequence, and to find more security vulnerabilities.

RESTler is developed by the Microsoft research team, and the project is still in active development.

RESTler configuration

RESTler currently only supports running on 64-bit Windows and Linux operating systems.

Construction guidelines

Tool requirements: install Python 3.8.2 and .NET Core SDK 3.1.

Next, create a directory to store the RESTler source code:

Mkdir restler_bin

Change to the project root and run the following Python script:

Python. / build-restler.py-- dest_dir

Note: if you receive a Nuget error NU1403 during the source code build, try cleaning the cache using the following command:

Dotnet nuget locals all-clearRESTler can run in the following four modes using RESTler:

Compile: generates a RESTler syntax from a Swagger JSON or YAML specification.

C:\ RESTler\ restler\ Restler.exe compile-- api_spec C:\ restler-test\ swagger.json

Test: quickly execute all the endpoints+methods in the compiled RESTler syntax to debug the test settings and calculate which parts of the Swagger specification are covered. This mode is also known as smoketest.

C:\ RESTler\ restler\ restler.exe test-grammar_file C:\ restler-test\ Compile\ grammar.py-dictionary_file C:\ restler-test\ Compile\ dict.json-settings C:\ restler-test\ Compile\ engine_settings.json-no_ssl

Fuzz-lean: in the compiled RESTler syntax, each endpoints+methods is executed once and a set of default checker is used to see if security vulnerabilities can be found quickly.

C:\ RESTler\ restler\ restler.exe fuzz-lean-grammar_file C:\ restler-test\ Compile\ grammar.py-dictionary_file C:\ restler-test\ Compile\ dict.json-settings C:\ restler-test\ Compile\ engine_settings.json-no_ssl

Fuzz: find vulnerabilities and use the RESTler fuzzy syntax of the intelligent breadth-first search pattern (more in-depth search patterns) to find more security vulnerabilities.

C:\ RESTler\ restler\ restler.exe fuzz-grammar_file C:\ restler-test\ Compile\ grammar.py-dictionary_file C:\ restler-test\ Compile\ dict.json-settings C:\ restler-test\ Compile\ engine_settings.json-no_ssl-time_budget 1 tool workflow

This is the answer to the question on how to use RESTler to fuzzy test the REST API in cloud services. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.