idbeta opened a new issue #3340: URL: https://github.com/apache/apisix/issues/3340
The current test method of Apache APISIX pays more attention to normal input/output; in order to test the robustness of the program, fuzz testing can be used. There are many types of fuzzing: you can fuzz the source code, and you can also fuzz the interface service. I have investigated some popular fuzzing tools; the results are in the table below, hoping to help Apache APISIX improve its ability in this area. I have two questions and welcome everyone to discuss:

1. Does Apache APISIX need fuzzing?
2. How to perform fuzzing?

@moonming @membphis @spacewander

| Tool name | Program language | Actual combat | Conclusion |
| --- | --- | --- | --- |
| go-fuzz | go | To fuzz the Go source code, you need to write a corresponding fuzz function for each function | not applicable |
| peach | java | Crashes itself: `Unhandled Exception: ... ...for parameter of type 'System.Object' of method 'Void SetValue(System.Object, System.Object)'` | not applicable |
| SSRFmap | python | Uses a Burp request to perform a fuzz test on the specified module; there is no apisix module, but you can write a custom apisix module, which is difficult to get started with | not applicable |
| PyJFuzz | python | Supports fuzzing the admin API. The principle is to construct payloads by automatically fuzzing the provided request body (JSON) and then sending the request to the target | applicable |
| wfuzz | python | A lot of dictionary files are provided; it traverses the content of the dictionary and sends it to the target, but these dictionaries are not JSON | applicable |
| restler-fuzzer | python | The support for Linux is not good; dotnet is needed, and I failed to install it | not applicable |
| boofuzz | python | Supports fuzzing of the admin API. It uses the HTTP request data example set in the case code to automatically fuzz all the request parameters to construct the payload, and then sends the request to the target | applicable |
| ffuf | go | You need to find a way to generate the payload first, and then use it to send, so you need to use another tool to generate the fuzzing data first | not applicable |
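As an added example (not from the issue or the APISIX project), a minimal mutation fuzzer in the style the PyJFuzz and boofuzz rows describe: it takes a seed admin-API JSON body, derives boundary-value and dropped-key variants for every leaf, and PUTs each one to the target, treating a 5xx answer as a crash-class finding and a 4xx as the validator doing its job. The seed route object, the admin endpoint URL and the `X-API-KEY` value are assumptions.

```python
import json
import urllib.error
import urllib.request
# Constructed seed body: a minimal APISIX route object (assumed shape).
SEED_ROUTE = {"uri": "/hello", "methods": ["GET"],
              "upstream": {"type": "roundrobin", "nodes": {"127.0.0.1:1980": 1}}}
# Boundary/type-confusion values a validator should reject (4xx), not crash on (5xx).
EDGE_VALUES = [None, "", "A" * 4096, 0, -1, 2 ** 63, 1.5, True, [], {}]
DROP = object()  # sentinel: delete the key instead of replacing its value

def leaf_paths(doc, path=()):
    """Every JSON path (tuple of keys/indices) that ends at a scalar."""
    if isinstance(doc, dict):
        return [p for k, v in doc.items() for p in leaf_paths(v, path + (k,))]
    if isinstance(doc, list):
        return [p for i, v in enumerate(doc) for p in leaf_paths(v, path + (i,))]
    return [path]

def set_path(doc, path, value):
    """Copy doc (JSON round-trip), then replace or, for DROP, delete the leaf."""
    new = json.loads(json.dumps(doc))
    node = new
    for key in path[:-1]:
        node = node[key]
    if value is DROP:
        del node[path[-1]]
    else:
        node[path[-1]] = value
    return new

def generate_cases(seed):
    """(label, body) pairs: every leaf x every EDGE_VALUE, plus a key drop."""
    cases = []
    for path in leaf_paths(seed):
        label = "/".join(map(str, path))
        for val in EDGE_VALUES:
            cases.append((f"{label}={repr(val)[:20]}", set_path(seed, path, val)))
        cases.append((f"{label} dropped", set_path(seed, path, DROP)))
    return cases

def send_case(body, url="http://127.0.0.1:9180/apisix/admin/routes/1",
              api_key="ASSUMED_ADMIN_KEY"):
    """PUT one case to the admin API (assumed URL and key); return HTTP status."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"X-API-KEY": api_key, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx: validator rejected it; 5xx: crash-class bug to report
```

A driver loop is `for label, body in generate_cases(SEED_ROUTE): status = send_case(body)`, logging the label and body whenever `status >= 500`.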
