Fuzz-testing RESTful APIs with Java and JBroFuzz
@ Original article; please give credit when reposting.
0X00: Preface
Fuzz testing, as a basic security-testing strategy, is increasingly being built into the whole test process to catch simple issues that could otherwise turn into security problems. How to bring fuzzing into an automated software test process is the topic of this article.
0X01: Test workflow
Use the JBroFuzz API to generate the test data you need; the payloads come from FuzzDB.
Then feed the FuzzDB data, as required, into a TestNG DataProvider, so that the API test cases can call that DataProvider.
0X02: JBroFuzz API
The jar packages you need:
A simple example: fetch injection data by fuzz ID.
f_id: the ID of the fuzz type to use
f_len: the length of the fuzz data
```java
// JBroFuzz core classes; the same imports apply to the later snippets in this post
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;
import org.owasp.jbrofuzz.core.NoSuchFuzzerException;

public void fuzzDbZone(String f_ID, int f_len) {
    // You have to construct an instance of the fuzzers database
    Database fuzzDB = new Database();
    try {
        Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len);
        while (f.hasNext()) {
            f.next();
            System.out.println(" The maximum value is: " + f.getMaximumValue());
            System.out.println(" The current value is: " + f.getCurrentValue());
        }
    } catch (NoSuchFuzzerException e) {
        System.out.println("Could not find fuzzer " + e.getMessage());
    }
}
```
List all fuzzer IDs and their types:
```java
public void fuzzDbList() {
    Database fuzzDB = new Database();
    // Get a list of all the fuzzer IDs from the database
    String[] fuzzer_IDs = fuzzDB.getAllPrototypeIDs();
    System.out.println("The fuzzer IDs found are:");
    for (String fuzzerID : fuzzer_IDs) {
        System.out.println("The fuzzer ID is: " + fuzzerID);
        // We pass a length of 1, irrelevant if we are
        // just going to access the first payload
        // of the fuzzer
        Fuzzer fuzzer;
        try {
            fuzzer = fuzzDB.createFuzzer(fuzzerID, 1);
            // Normally you should check for fuzzer.hasNext()
            String payload = fuzzer.next();
            System.out.println("\tThe name of the fuzzer is:\t\t\t" + fuzzer.getName());
            System.out.println("\tThe id of the fuzzer is:\t\t\t" + fuzzer.getId());
            System.out.println("\tThe number of payloads it carries (its alphabet) is:\t" + fuzzDB.getSize(fuzzerID));
            System.out.println("\tIt has as 1st payload:\n\t\t" + payload);
        } catch (NoSuchFuzzerException e) {
            System.out.println("Could not find the specified fuzzer!");
            System.out.println("Going to print all the fuzzer IDs I know:");
            // old vs new for loop :)
            // in case of an error, print just the
            // fuzzer IDs, accessed from the DB
            for (int j = 0; j < fuzzer_IDs.length; j++) {
                System.out.println("The fuzzer ID is: " + fuzzer_IDs[j]);
            }
        }
    }
}
```
Use the PowerFuzzer API for combinatorial test data; the value of power decides how many values are emitted per row.
I currently return an ArrayList<ArrayList<String>>.
```java
import java.util.ArrayList;
import com.google.common.collect.Lists; // Guava
import org.owasp.jbrofuzz.core.PowerFuzzer;

public ArrayList<ArrayList<String>> powerFuzzer(String f_ID, int f_len, int power) throws NoSuchFuzzerException {
    Database fuzzDB = new Database();
    ArrayList<ArrayList<String>> listArray = new ArrayList<ArrayList<String>>();
    for (PowerFuzzer f = fuzzDB.createPowerFuzzer(f_ID, f_len, power); f.hasNext();) {
        // nextPower() returns the same payload repeated 'power' times
        String[] identicalElements = f.nextPower();
        ArrayList<String> myList = Lists.newArrayList(identicalElements);
        listArray.add(myList);
    }
    return listArray;
}
```
The result looks like this:
```
....
I have 5 elements: 4817 4817 4817 4817 4817
I have 5 elements: 4818 4818 4818 4818 4818
I have 5 elements: 4819 4819 4819 4819 4819
I have 5 elements: 481a 481a 481a 481a 481a
I have 5 elements: 481b 481b 481b 481b 481b
I have 5 elements: 481c 481c 481c 481c 481c
I have 5 elements: 481d 481d 481d 481d 481d
I have 5 elements: 481e 481e 481e 481e 481e
I have 5 elements: 481f 481f 481f 481f 481f
I have 5 elements: 4820 4820 4820 4820 4820
I have 5 elements: 4821 4821 4821 4821 4821
I have 5 elements: 4822 4822 4822 4822 4822
I have 5 elements: 4823 4823 4823 4823 4823
I have 5 elements: 4824 4824 4824 4824 4824
I have 5 elements: 4825 4825 4825 4825 4825
I have 5 elements: 4826 4826 4826 4826 4826
....
```
Use the DoubleFuzzer API to generate two-value combinations.
Initialisation: the Database method that creates a DoubleFuzzer has this signature:
```java
public DoubleFuzzer createDoubleFuzzer(String id1, int length1, String id2, int length2) throws NoSuchFuzzerException
```
The injected data:
```java
String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";
int length1 = 4;
int length2 = 2;
```
Result:
```
I have 2 elements: fefb fb
I have 2 elements: fefc fc
I have 2 elements: fefd fd
I have 2 elements: fefe fe
I have 2 elements: feff ff
I have 2 elements: ff00 00
I have 2 elements: ff01 01
I have 2 elements: ff02 02
I have 2 elements: ff03 03
```
FuzzerCross.java and FuzzerBigInteger.java are not covered for now; they work like the above, see the official documentation.
0X03: Injecting FuzzDB data into a TestNG DataProvider
Straight to the point: this is an injection test data set for a login endpoint.
I won't go into TestNG in detail. A DataProvider hands a test case one of two data types: Object[][] or Iterator<Object[]>.
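As an added end-to-end example (not the author's code, and not the post's FuzzDB class), here is the same pipeline in one compilable TestNG class: a hypothetical fuzzDbFind helper built directly on JBroFuzz's Database/Fuzzer API, standing in for the author's wrapper that the post does not show, the provider in the same shape, and a @Test that posts each row to the login endpoint. The base URL, the use of org.json and java.net.http, and the expectation that a fuzzed password yields 400 or 401 (never a 2xx login nor a 5xx crash) are assumptions about the service under test.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.ArrayList;
import java.util.List;
import org.json.JSONObject;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;
import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.testng.Assert;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

public class UserLoginFuzzTest {
    private static final String BASE_URL = "http://localhost:8080"; // assumed address of the service under test
    // Hypothetical stand-in for the post's unshown FuzzDB.fuzzDbFind():
    // collect every payload of one JBroFuzz fuzzer into a list.
    static List<String> fuzzDbFind(String fuzzerId, int length) throws NoSuchFuzzerException {
        Fuzzer f = new Database().createFuzzer(fuzzerId, length);
        List<String> payloads = new ArrayList<>();
        while (f.hasNext()) {
            payloads.add(f.next());
        }
        return payloads;
    }
    // Same shape as the post's provider: one JSONObject per row, same fuzzer ID.
    @DataProvider(name = "UserLoginFuzzing")
    public static Object[][] userLoginFuzzing() throws NoSuchFuzzerException {
        List<String> payloads = fuzzDbFind("015-XSS-101", 24);
        Object[][] rows = new Object[payloads.size()][1];
        for (int i = 0; i < payloads.size(); i++) {
            rows[i][0] = new JSONObject().put("LoginName", "admin")
                    .put("Password", payloads.get(i)).put("URI", "/UserLogin");
        }
        return rows;
    }
    // One login attempt per payload: the endpoint must reject it cleanly (no 2xx login, no 5xx error).
    @Test(dataProvider = "UserLoginFuzzing")
    public void loginRejectsFuzzedPassword(JSONObject row) throws Exception {
        String body = new JSONObject().put("LoginName", row.getString("LoginName"))
                .put("Password", row.getString("Password")).toString();
        HttpRequest req = HttpRequest.newBuilder(URI.create(BASE_URL + row.getString("URI")))
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        int status = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString()).statusCode();
        Assert.assertTrue(status == 400 || status == 401, "unexpected status " + status + " for payload " + row.getString("Password"));
    }
}
```

Run it with TestNG against a test instance of the service; every failing row names the payload that produced the unexpected status.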
```java
import java.util.ArrayList;
import org.json.JSONObject; // any JSONObject type with put(String, Object) works here
import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.testng.annotations.DataProvider;

@DataProvider(name = "UserLoginFuzzing")
public static Object[][] UserLoginFuzzing() throws NoSuchFuzzerException {
    // FuzzDB is presumably the author's own wrapper class (its definition is not shown in the post);
    // fuzzDbFind() collects the payloads of the given fuzzer into a list
    FuzzDB fuzzdb = new FuzzDB();
    ArrayList<String> fuzzDb = fuzzdb.fuzzDbFind("015-XSS-101", 24);
    // Build one JSONObject per payload
    JSONObject[] valueList = new JSONObject[fuzzDb.size()];
    for (int i = 0; i < fuzzDb.size(); i++) {
        valueList[i] = new JSONObject();
        valueList[i].put("LoginName", "admin");
        valueList[i].put("Password", fuzzDb.get(i));
        valueList[i].put("URI", "/UserLogin");
    }
    // Convert JSONObject[] to Object[][]
    Object[][] obj = new Object[valueList.length][1];
    for (int i = 0; i < valueList.length; i++) {
        obj[i][0] = valueList[i];
    }
    return obj;
}
```
0X04: References
https://www.owasp.org/index.php/OWASP_JBroFuzz_Tutorial#How_to_Use_JBroFuzz_as_a_Fuzzing_Library
Reposted from: https://www.cnblogs.com/zelat/p/5389991.html