Java + JBroFuzz: fuzz testing a RESTful API

@Original article; please credit the source when reposting.

0X00: Preface

Fuzz testing, as a basic strategy of security testing, is being brought into the overall test process more and more often, so that simple security issues are caught early. How to bring fuzzing into an automated software test process is the topic of this article.

0X01: Test workflow

Use the JBroFuzz API to generate the test data you need on demand; the data itself comes from FuzzDB.

Then inject the FuzzDB data into a TestNG DataProvider as required, so that the API test cases can consume the DataProvider.


0X02: JBroFuzz API

Required jar packages: listed in a screenshot in the original post.

A simple example: fetch the injection data for a given fuzz_id.

f_ID: the id of the fuzz type to use

f_len: the length of the fuzz data

// JBroFuzz core classes; the package name is assumed from the JBroFuzz jar (the post only shows the calls)
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;
import org.owasp.jbrofuzz.core.NoSuchFuzzerException;

// Walks one fuzzer and prints every payload it produces
public void fuzzDbZone(String f_ID, int f_len) {
    // You have to construct an instance of the fuzzers database
    Database fuzzDB = new Database();
    try {
        Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len);
        while (f.hasNext()) {
            f.next();
            System.out.println(" The maximum value is: " + f.getMaximumValue());
            System.out.println(" The current value is: " + f.getCurrentValue());
        }
    } catch (NoSuchFuzzerException e) {
        System.out.println("Could not find fuzzer " + e.getMessage());
    }
}

List the ids and types of all available fuzzers:

// Prints every fuzzer id in the database together with its name, size and first payload
public void fuzzDbList() {
    Database fuzzDB = new Database();
    // Get a list of all the fuzzer IDs from the database
    String[] fuzzer_IDs = fuzzDB.getAllPrototypeIDs();
    System.out.println("The fuzzer IDs found are:");
    for (String fuzzerID : fuzzer_IDs) {
        System.out.println("The fuzzer ID is: " + fuzzerID);
        // We pass a length of 1, irrelevant if we are
        // just going to access the first payload
        // of the fuzzer
        Fuzzer fuzzer;
        try {
            fuzzer = fuzzDB.createFuzzer(fuzzerID, 1);
            // Normally you should check for fuzzer.hasNext()
            String payload = fuzzer.next();
            System.out.println("\tThe name of the fuzzer is:\t\t\t" + fuzzer.getName());
            System.out.println("\tThe id of the fuzzer is:\t\t\t" + fuzzer.getId());
            System.out.println("\tThe number of payloads it carries (its alphabet) is:\t" + fuzzDB.getSize(fuzzerID));
            System.out.println("\tIt has as 1st payload:\n\t\t" + payload);
        } catch (NoSuchFuzzerException e) {
            System.out.println("Could not find the specified fuzzer!");
            System.out.println("Going to print all the fuzzer IDs I know:");
            // old vs new for loop :)
            // in case of an error, print just the
            // fuzzer IDs, accessed from the DB
            for (int j = 0; j < fuzzer_IDs.length; j++) {
                System.out.println("The fuzzer ID is: " + fuzzer_IDs[j]);
            }
        }
    }
}

Use the PowerFuzzer API for combination testing: the power value decides how many values are emitted per step.

I currently return an ArrayList<ArrayList<String>>.

import java.util.ArrayList;
import com.google.common.collect.Lists;   // Guava, provides Lists.newArrayList
import org.owasp.jbrofuzz.core.PowerFuzzer;

// Collects, for each step of the power fuzzer, the `power` payloads it produced
public ArrayList<ArrayList<String>> powerFuzzer(String f_ID, int f_len, int power) throws NoSuchFuzzerException {
    Database fuzzDB = new Database();
    ArrayList<ArrayList<String>> listArray = new ArrayList<ArrayList<String>>();
    for (PowerFuzzer f = fuzzDB.createPowerFuzzer(f_ID, f_len, power); f.hasNext();) {
        String[] identicalElements = f.nextPower();
        ArrayList<String> myList = Lists.newArrayList(identicalElements);
        listArray.add(myList);
    }
    return listArray;
}

The result looks like this:

....
I have 5 elements: 4817 4817 4817 4817 4817
I have 5 elements: 4818 4818 4818 4818 4818
I have 5 elements: 4819 4819 4819 4819 4819
I have 5 elements: 481a 481a 481a 481a 481a
I have 5 elements: 481b 481b 481b 481b 481b
I have 5 elements: 481c 481c 481c 481c 481c
I have 5 elements: 481d 481d 481d 481d 481d
I have 5 elements: 481e 481e 481e 481e 481e
I have 5 elements: 481f 481f 481f 481f 481f
I have 5 elements: 4820 4820 4820 4820 4820
I have 5 elements: 4821 4821 4821 4821 4821
I have 5 elements: 4822 4822 4822 4822 4822
I have 5 elements: 4823 4823 4823 4823 4823
I have 5 elements: 4824 4824 4824 4824 4824
I have 5 elements: 4825 4825 4825 4825 4825
I have 5 elements: 4826 4826 4826 4826 4826
....
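The ArrayList above materialises every combination in memory, which for "031-B16-HEX" at length 4 is 16^4 = 65536 rows before the first test runs. As an added example (not code from the post), here is the same PowerFuzzer exposed to TestNG as a lazy Iterator<Object[]> DataProvider, the second return type TestNG accepts, plus a consumer showing what "power" is for: the same payload lands in every field of one request. The JBroFuzz package name, the fuzzer id/length/power (chosen to match the output above) and the field names are assumptions.

```java
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.NoSuchElementException;

import org.owasp.jbrofuzz.core.Database;             // package name assumed from the JBroFuzz jar
import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.PowerFuzzer;
import org.testng.Assert;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

public class PowerFuzzData {

    /**
     * Lazy DataProvider: every TestNG invocation pulls the next String[] straight
     * from the PowerFuzzer, so memory stays flat no matter how many rows there are.
     * Fuzzer id, length and power are assumed; they reproduce the 5 x 4-hex-digit
     * rows shown in the post's output.
     */
    @DataProvider(name = "HexPowerFuzzing")
    public static Iterator<Object[]> hexPowerFuzzing() throws NoSuchFuzzerException {
        Database fuzzDB = new Database();
        PowerFuzzer f = fuzzDB.createPowerFuzzer("031-B16-HEX", 4, 5);
        return new Iterator<Object[]>() {
            @Override
            public boolean hasNext() {
                return f.hasNext();
            }

            @Override
            public Object[] next() {
                if (!f.hasNext()) {
                    throw new NoSuchElementException();
                }
                // nextPower() yields `power` identical payloads; one test row carries the whole array
                return new Object[] { f.nextPower() };
            }
        };
    }

    /** Consumer: one identical payload per request field (field names are assumed). */
    @Test(dataProvider = "HexPowerFuzzing")
    public void sameValueInEveryField(String[] identical) {
        String[] fields = { "LoginName", "Password", "Captcha", "Device", "Locale" };
        Map<String, String> request = new LinkedHashMap<>();
        for (int i = 0; i < fields.length; i++) {
            request.put(fields[i], identical[i]);
        }
        // `request` is what you would serialise and send; here only its shape is checked
        Assert.assertEquals(request.size(), fields.length);
    }
}
```

Because the iterator is consumed once, TestNG reports each combination as its own test invocation, and a failing row is identified by its payload without having to regenerate the list.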

Using the Double Fuzzer API to generate combinations of two values

// Database method used to create it (signature from the JBroFuzz API):
// public DoubleFuzzer createDoubleFuzzer(String id1, int length1,
//                                        String id2, int length2) throws NoSuchFuzzerException

Injected data:

String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";
int length1 = 4;
int length2 = 2;
DoubleFuzzer df = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);
// Iterating with hasNext()/next() as for Fuzzer is assumed here; the post shows only the output
while (df.hasNext()) {
    String[] pair = df.next();
    System.out.println("I have " + pair.length + " elements: " + pair[0] + " " + pair[1]);
}

Result:

I have 2 elements: fefb fb
I have 2 elements: fefc fc
I have 2 elements: fefd fd
I have 2 elements: fefe fe
I have 2 elements: feff ff
I have 2 elements: ff00 00
I have 2 elements: ff01 01
I have 2 elements: ff02 02
I have 2 elements: ff03 03

FuzzerCross.java and FuzzerBigInteger.java are not covered for now; they work like the above and are described in the official documentation.

0X03: Injecting FuzzDB into a TestNG DataProvider

Straight to the practical part: this is an injection test data set for the login endpoint.

TestNG itself is not covered in detail here. A DataProvider can hand a test case two kinds of data: an Object[][] or an Iterator<Object[]>.

import java.util.ArrayList;
import org.json.JSONObject;   // the post does not say which JSONObject it uses; org.json is assumed
import org.testng.annotations.DataProvider;

@DataProvider(name = "UserLoginFuzzing")
public static Object[][] UserLoginFuzzing() throws NoSuchFuzzerException {
    // FuzzDB is the author's own wrapper around the JBroFuzz Database; its source is not shown in the post
    FuzzDB fuzzdb = new FuzzDB();
    ArrayList<String> fuzzDb = fuzzdb.fuzzDbFind("015-XSS-101", 24);
    // Build one JSONObject per payload
    JSONObject[] valueList = new JSONObject[fuzzDb.size()];
    for (int i = 0; i < fuzzDb.size(); i++) {
        valueList[i] = new JSONObject();
        valueList[i].put("LoginName", "admin");
        valueList[i].put("Password", fuzzDb.get(i));
        valueList[i].put("URI", "/UserLogin");
    }
    // Convert JSONObject[] to Object[][]
    Object[][] obj = new Object[valueList.length][1];
    for (int i = 0; i < valueList.length; i++) {
        obj[i][0] = valueList[i];
    }
    return obj;
}
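The post stops at the DataProvider; the test method that actually sends each row to the login endpoint, and the FuzzDB.fuzzDbFind() helper it relies on, are not shown. As an added example (not the post's code), here is a complete TestNG class: a helper that drains one JBroFuzz fuzzer into a list (what fuzzDbFind() has to do), the same "UserLoginFuzzing" provider, and a test that POSTs each payload and checks three things a defender cares about: no 5xx (unhandled input), no accidental authentication, and no verbatim reflection of the XSS payload in the response. The base URL, the org.json JSONObject, the JBroFuzz package name and Java 9+ (for readAllBytes) are assumptions.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import org.json.JSONObject;                          // assumed JSON library
import org.owasp.jbrofuzz.core.Database;             // package name assumed from the JBroFuzz jar
import org.owasp.jbrofuzz.core.Fuzzer;
import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.testng.Assert;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

public class UserLoginFuzzTest {

    // Assumed: the service under test is reachable here; adjust for your environment
    private static final String BASE_URL = "http://localhost:8080";

    /** Drains one JBroFuzz fuzzer into a list; this is what the post's FuzzDB.fuzzDbFind() must do. */
    static List<String> payloads(String fuzzerId, int length) throws NoSuchFuzzerException {
        List<String> out = new ArrayList<>();
        Fuzzer f = new Database().createFuzzer(fuzzerId, length);
        while (f.hasNext()) {
            out.add(f.next());
        }
        return out;
    }

    /** Same rows as the post's provider: fixed LoginName, Password = XSS payload, URI = /UserLogin. */
    @DataProvider(name = "UserLoginFuzzing")
    public static Object[][] userLoginFuzzing() throws NoSuchFuzzerException {
        List<String> xss = payloads("015-XSS-101", 24);
        Object[][] rows = new Object[xss.size()][1];
        for (int i = 0; i < xss.size(); i++) {
            rows[i][0] = new JSONObject()
                    .put("LoginName", "admin")
                    .put("Password", xss.get(i))
                    .put("URI", "/UserLogin");
        }
        return rows;
    }

    @Test(dataProvider = "UserLoginFuzzing")
    public void loginHandlesFuzzPayloadSafely(JSONObject request) throws Exception {
        String payload = request.getString("Password");
        String body = new JSONObject()
                .put("LoginName", request.getString("LoginName"))
                .put("Password", payload)
                .toString();

        HttpResult r = post(request.getString("URI"), body);

        // 5xx means the payload reached an unhandled code path: a bug, possibly a security one
        Assert.assertTrue(r.status < 500, "server error " + r.status + " for payload " + payload);
        // A fuzzed password must never authenticate
        Assert.assertNotEquals(r.status, 200, "login accepted fuzz payload " + payload);
        // The raw payload echoed back in the response is a reflected-XSS finding
        Assert.assertFalse(r.body.contains(payload), "payload reflected unescaped: " + payload);
    }

    static final class HttpResult {
        final int status;
        final String body;
        HttpResult(int status, String body) { this.status = status; this.body = body; }
    }

    /** Minimal JSON POST on java.net so the test has no HTTP client dependency. */
    static HttpResult post(String uri, String json) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(BASE_URL + uri).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        c.setRequestProperty("Content-Type", "application/json");
        c.getOutputStream().write(json.getBytes(StandardCharsets.UTF_8));
        int status = c.getResponseCode();
        // error bodies (4xx/5xx) come from getErrorStream(), not getInputStream()
        InputStream in = status >= 400 ? c.getErrorStream() : c.getInputStream();
        String body = in == null ? "" : new String(in.readAllBytes(), StandardCharsets.UTF_8);
        c.disconnect();
        return new HttpResult(status, body);
    }
}
```

If the API under test answers every request with 200 and signals failure only in the JSON body, replace the status check with an assertion on the body's error field; the 5xx and reflection checks stay as they are. Run with TestNG's usual runner; each of the 24 payloads appears as a separate invocation, so a failure names the exact payload that triggered it.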

0X04: References
