Black-box fuzzer that fuzzes APIs based on an OpenAPI specification. All you need to do is supply the URL of the API and its specification.

To build the fuzzer, you will need to have Rust installed.
```sh
# Install the released crate from crates.io
cargo install openapi-fuzzer

# Or clone the repository and build it locally
git clone git@github.com:matusf/openapi-fuzzer.git
cd openapi-fuzzer

# Install the binaries from the checkout into ~/.cargo/bin (on $PATH)
cargo install --path .

# Or just build inside the repository; binaries land in ./target/debug
cargo build
```
After installation you will have two binaries in your `$PATH`. `openapi-fuzzer` will fuzz the API according to the specification and report any findings. All findings will be located in a `results` directory.

Status codes that should not be treated as findings can be excluded with the `-i` flag. Do not forget to include the path prefix in the URL (for example `/v1` or `/api`); the specification is written without it. Extra request headers can be added with the `-H` flag, which may be useful when you would like to increase coverage by providing some sort of authorization.

```txt
$ openapi-fuzzer --help
Usage: openapi-fuzzer -s

OpenAPI fuzzer

Options:
  -s, --spec        path to OpenAPI specification
  -u, --url         url of api to fuzz
  -i, --ignore-status-code
                    status codes that will not be considered as finding
  -H, --header      additional header to send
  --help            display usage information

$ openapi-fuzzer -s spec.yaml -u http://127.0.0.1:8200/v1/ -i 404
```
When you are done fuzzing you can replay the findings. All findings are stored in the `results` folder, in a path derived from the finding's endpoint and method. To resend the same payload to the API, simply run `openapi-fuzzer-resender` with the path to the finding file as an argument. You can override the headers with the `-H` flag as well, which is useful, for example, when the authorization token has expired.
```txt
$ tree -L 3 results/
results/
├── sys-leases-renew
│   └── POST
│       └── 500
└── sys-seal
    └── POST
        └── 500

$ openapi-fuzzer-resender --help
Usage: openapi-fuzzer-resender

Resender of openapi-fuzzer results

Options:
  -H, --header      extra header
  --help            display usage information

$ openapi-fuzzer-resender results/sys-seal/POST/500/1b4e8a77.json
Response[status: 500, status_text: Internal Server Error, url: http://127.0.0.1:8200/v1/sys/seal]
"{\"errors\":[\"1 error occurred:\n\t* missing client token\n\n\"]}\n"
```
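The two mechanisms described above, deciding which responses count as findings (the `-i` option) and filing them under `results/<endpoint>/<METHOD>/<status>`, written out as an added Rust example. This is not openapi-fuzzer's own code: the `Operation`, `Config`, `is_finding`, `finding_dir` and `triage` names are this example's, the spec is a constructed in-memory model rather than a parsed YAML document, the rule that an undeclared status code is a finding is an assumption suggested by the `--ignore-status-code` option, and the endpoint-to-directory mapping is inferred from the `tree` output above.

```rust
// Added example (not openapi-fuzzer's own code). It models the triage decision
// a black-box OpenAPI fuzzer makes: a response is a finding when its status
// code is neither declared for the operation in the spec nor excluded with
// `-i`, and each finding is filed under results/<endpoint>/<METHOD>/<status>/.
use std::collections::HashSet;
use std::path::PathBuf;

/// One operation from the spec (constructed in memory instead of parsing YAML).
#[derive(Debug, Clone)]
pub struct Operation {
    pub path: &'static str,
    pub method: &'static str,
    /// Status codes the specification declares for this operation.
    pub declared: Vec<u16>,
}

/// Fuzzer settings relevant to classification (the values passed via `-i`).
pub struct Config {
    pub ignored: HashSet<u16>,
}

impl Config {
    pub fn new(ignored: &[u16]) -> Self {
        Config { ignored: ignored.iter().copied().collect() }
    }
}

/// A status code is reported as a finding when the spec does not declare it
/// for this operation and the user has not asked to ignore it (assumed rule).
pub fn is_finding(op: &Operation, cfg: &Config, status: u16) -> bool {
    !op.declared.contains(&status) && !cfg.ignored.contains(&status)
}

/// Directory for a finding, mirroring the README's tree output:
/// "/sys/leases/renew" + POST + 500 -> results/sys-leases-renew/POST/500
pub fn finding_dir(op: &Operation, status: u16) -> PathBuf {
    let endpoint = op
        .path
        .split('/')
        .filter(|seg| !seg.is_empty())
        .collect::<Vec<_>>()
        .join("-");
    PathBuf::from("results")
        .join(endpoint)
        .join(op.method)
        .join(status.to_string())
}

/// Constructed sample spec: the two endpoints seen in the README's tree output,
/// each declaring a single success status.
pub fn sample_spec() -> Vec<Operation> {
    vec![
        Operation { path: "/sys/seal", method: "POST", declared: vec![204] },
        Operation { path: "/sys/leases/renew", method: "POST", declared: vec![200] },
    ]
}

/// Classifies constructed observations `(spec index, observed status)` and
/// returns the result directory of every response that counts as a finding.
pub fn triage(spec: &[Operation], cfg: &Config, observed: &[(usize, u16)]) -> Vec<PathBuf> {
    observed
        .iter()
        .filter(|(i, status)| is_finding(&spec[*i], cfg, *status))
        .map(|(i, status)| finding_dir(&spec[*i], *status))
        .collect()
}

fn main() {
    let spec = sample_spec();
    let cfg = Config::new(&[404]); // equivalent of `-i 404`
    // Constructed observations: declared codes, an ignored 404, and two 500s.
    let observed = [(0, 204), (0, 404), (0, 500), (1, 200), (1, 500)];
    for dir in triage(&spec, &cfg, &observed) {
        println!("finding: {}", dir.display());
    }
}
```

Running it prints only the two `500` directories, matching the `tree` listing in the README; the `204`, `200` and ignored `404` responses are filtered out before anything is written.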