commit 2364e84646f6e3cf68cb0dfb57fd96bd414b7f4c Author: Zhongwei Li Date: Sun Nov 30 08:22:55 2025 +0800 Initial commit diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json new file mode 100644 index 0000000..3863cad --- /dev/null +++ b/.claude-plugin/plugin.json @@ -0,0 +1,15 @@ +{ + "name": "api-fuzzer", + "description": "Fuzz testing for APIs with malformed inputs, edge cases, and security vulnerability detection", + "version": "1.0.0", + "author": { + "name": "Claude Code Plugin Hub", + "email": "[email protected]" + }, + "skills": [ + "./skills" + ], + "commands": [ + "./commands" + ] +} \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..e759bab --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# api-fuzzer + +Fuzz testing for APIs with malformed inputs, edge cases, and security vulnerability detection diff --git a/commands/fuzz-api.md b/commands/fuzz-api.md new file mode 100644 index 0000000..8d4fe99 --- /dev/null +++ b/commands/fuzz-api.md @@ -0,0 +1,779 @@ +--- +description: Fuzz test APIs with malformed inputs and edge cases +shortcut: fuzz +--- + +# API Fuzzer + +Automated fuzz testing for REST APIs to discover vulnerabilities, crashes, and unexpected behavior through malformed inputs, boundary values, and random payloads. This command generates comprehensive fuzz test suites targeting injection attacks, input validation failures, and edge cases. + +## Design Decisions + +**Why fuzz testing matters:** +- **Security**: Discovers SQL injection, XSS, command injection vulnerabilities +- **Robustness**: Finds crashes from unexpected inputs before users do +- **Edge cases**: Uncovers boundary conditions developers didn't consider +- **Compliance**: Validates input sanitization meets security standards + +**Alternatives considered:** +- **Manual testing**: Too slow, can't cover mutation space +- **Property-based testing**: Good for unit tests, less suited for API integration +- **Penetration testing tools**: Expensive, requires security expertise +- **Static analysis**: Misses runtime-only issues + +**This approach balances**: Automation, coverage, security focus, and integration with CI/CD. + +## When to Use + +Use API fuzzing when: +- Testing security-critical APIs (auth, payment, admin endpoints) +- Validating input sanitization and validation logic +- Finding edge cases before production incidents +- Meeting security compliance requirements (PCI-DSS, SOC 2) +- Testing third-party API integration error handling +- Preparing for penetration testing or security audits + +Don't use when: +- API has no user input (static data endpoints) +- Building proof-of-concept with no security requirements +- Input validation is already exhaustively tested +- Time-sensitive release without CI/CD integration + +## Prerequisites + +- Existing REST API with endpoints to test +- Node.js 16+ or Python 3.8+ for fuzzing scripts +- API documentation (OpenAPI/Swagger or manual endpoint list) +- (Optional) Authentication credentials or test accounts +- (Optional) CI/CD pipeline for automated fuzzing +- (Optional) Security monitoring tools (SIEM, IDS) + +## Process + +1. **Identify Attack Surface** + - List all API endpoints accepting user input + - Identify input types (strings, numbers, JSON, files) + - Prioritize high-risk endpoints (auth, admin, payment) + +2. **Generate Fuzz Inputs** + - Malformed data (null, undefined, empty, overflow) + - Injection payloads (SQL, XSS, command injection) + - Boundary values (max int, negative, infinity) + - Type confusion (string as int, object as array) + +3. **Execute Fuzz Tests** + - Send fuzz inputs to all endpoints + - Monitor responses for crashes, 500 errors, timeouts + - Capture stack traces and error details + +4. **Analyze Results** + - Categorize vulnerabilities by severity (critical, high, medium) + - Create reproducible test cases for failures + - Generate security report with findings + +5. **Remediate and Retest** + - Fix discovered vulnerabilities + - Add regression tests for fixed issues + - Rerun fuzzer to verify fixes + +## Output Format + +### Jest Fuzz Test Suite (Node.js) + +```javascript +// tests/api-fuzzer.test.js +const axios = require('axios'); + +const API_BASE = process.env.API_URL || 'http://localhost:3000'; + +// Fuzz input generators +const fuzzInputs = { + // String mutations + strings: [ + '', // Empty + null, + undefined, + ' ', // Whitespace + 'A'.repeat(10000), // Very long + 'A'.repeat(1000000), // Extremely long + '', // XSS + '', // XSS variant + '${7*7}', // Template injection + '{{7*7}}', // Template injection variant + '\x00', // Null byte + '\n\r\t', // Control characters + '../../etc/passwd', // Path traversal + '../../../etc/passwd', // Path traversal variant + '\\x41\\x42\\x43', // Hex encoding + ], + + // SQL injection payloads + sqlInjection: [ + "' OR '1'='1", + "' OR '1'='1' --", + "' OR '1'='1' /*", + "1; DROP TABLE users--", + "1' UNION SELECT NULL, NULL--", + "admin'--", + "' OR 1=1--", + "1' ORDER BY 10--", // Column enumeration + ], + + // Number mutations + numbers: [ + 0, + -1, + 1, + 999999999999999999, // Large positive + -999999999999999999, // Large negative + Infinity, + -Infinity, + NaN, + Number.MAX_SAFE_INTEGER, + Number.MIN_SAFE_INTEGER, + Number.MAX_VALUE, + Number.MIN_VALUE, + 3.14159265358979323846, // Floating point + ], + + // Boolean mutations + booleans: [ + true, + false, + 'true', + 'false', + 1, + 0, + 'yes', + 'no', + ], + + // Object/Array mutations + structures: [ + {}, + [], + { __proto__: { polluted: true } }, // Prototype pollution + { constructor: { prototype: { polluted: true } } }, + [[[[[]]]]]], // Deeply nested + new Array(10000).fill('x'), // Large array + ], + + // Special characters + special: [ + '!@#$%^&*()', + '">', + '%00', // URL-encoded null byte + '%0A', // URL-encoded newline + '\\', // Backslash + '/', // Forward slash + '..\\..\\..\\', // Windows path traversal + ], +}; + +describe('API Fuzz Testing', () => { + describe('POST /api/users - Create User', () => { + it('handles malformed string inputs gracefully', async () => { + for (const input of fuzzInputs.strings) { + try { + const response = await axios.post(`${API_BASE}/api/users`, { + name: input, + email: 'test@example.com', + }, { validateStatus: () => true }); // Accept all status codes + + // Should not crash (500) or hang + expect(response.status).not.toBe(500); + expect(response.status).toBeLessThan(500); + + // Should return proper error for invalid input + if (response.status >= 400) { + expect(response.data).toHaveProperty('error'); + } + } catch (error) { + // Network errors are acceptable (timeouts, connection refused) + if (error.code !== 'ECONNABORTED' && error.code !== 'ECONNREFUSED') { + throw error; + } + } + } + }); + + it('prevents SQL injection', async () => { + for (const payload of fuzzInputs.sqlInjection) { + const response = await axios.post(`${API_BASE}/api/users`, { + name: payload, + email: payload, + }, { validateStatus: () => true }); + + // Should not execute SQL + expect(response.status).not.toBe(200); + expect(response.status).toBe(400); // Should be validation error + + // Should not leak database errors + if (response.data.error) { + expect(response.data.error.toLowerCase()).not.toMatch(/sql|database|query/); + } + } + }); + + it('handles numeric boundary values', async () => { + for (const input of fuzzInputs.numbers) { + const response = await axios.post(`${API_BASE}/api/users`, { + age: input, + name: 'Test User', + email: 'test@example.com', + }, { validateStatus: () => true }); + + expect(response.status).not.toBe(500); + // Should validate range + if (input < 0 || input > 150) { + expect(response.status).toBe(400); + } + } + }); + + it('validates deeply nested objects', async () => { + for (const input of fuzzInputs.structures) { + const response = await axios.post(`${API_BASE}/api/users`, { + metadata: input, + name: 'Test', + email: 'test@example.com', + }, { validateStatus: () => true }); + + expect(response.status).not.toBe(500); + } + }); + }); + + describe('GET /api/users/:id - Get User', () => { + it('handles malformed ID parameters', async () => { + const idInputs = [ + ...fuzzInputs.strings, + ...fuzzInputs.sqlInjection, + ...fuzzInputs.special, + ]; + + for (const input of idInputs) { + const response = await axios.get( + `${API_BASE}/api/users/${encodeURIComponent(input)}`, + { validateStatus: () => true } + ); + + expect(response.status).not.toBe(500); + // Should be 400 (bad request) or 404 (not found) + expect([400, 404]).toContain(response.status); + } + }); + }); + + describe('Query Parameter Fuzzing', () => { + it('handles malformed query parameters', async () => { + for (const input of fuzzInputs.strings) { + const response = await axios.get(`${API_BASE}/api/users`, { + params: { search: input }, + validateStatus: () => true, + }); + + expect(response.status).not.toBe(500); + } + }); + + it('prevents injection via query params', async () => { + for (const payload of fuzzInputs.sqlInjection) { + const response = await axios.get(`${API_BASE}/api/users`, { + params: { filter: payload }, + validateStatus: () => true, + }); + + expect(response.status).not.toBe(500); + // Should not return all users or execute SQL + if (response.status === 200) { + expect(response.data.length).toBe(0); // No results for invalid filter + } + } + }); + }); +}); +``` + +### Python REST-Assured Fuzzer + +```python +# tests/test_api_fuzzer.py +import pytest +import requests +from typing import Any, List +import string +import random + +API_BASE = "http://localhost:3000" + +class FuzzInputGenerator: + """Generate various fuzz inputs for API testing""" + + @staticmethod + def string_mutations() -> List[Any]: + return [ + "", # Empty + None, + " ", # Whitespace + "A" * 10000, # Very long + "", # XSS + "${7*7}", # Template injection + "../../etc/passwd", # Path traversal + "\x00", # Null byte + ] + + @staticmethod + def sql_injection_payloads() -> List[str]: + return [ + "' OR '1'='1", + "' OR '1'='1' --", + "1; DROP TABLE users--", + "admin'--", + ] + + @staticmethod + def number_mutations() -> List[Any]: + return [ + 0, -1, 999999999999999999, + -999999999999999999, + float('inf'), float('-inf'), + ] + + @staticmethod + def generate_random_string(length: int = 100) -> str: + """Generate random string with special characters""" + chars = string.ascii_letters + string.digits + string.punctuation + return ''.join(random.choice(chars) for _ in range(length)) + +class TestAPIFuzzing: + """Comprehensive API fuzz tests""" + + def test_string_input_handling(self): + """Test API handles malformed string inputs""" + for input_value in FuzzInputGenerator.string_mutations(): + response = requests.post( + f"{API_BASE}/api/users", + json={"name": input_value, "email": "test@example.com"}, + timeout=5 + ) + + # Should not crash (500) + assert response.status_code < 500, \ + f"Server error with input: {repr(input_value)}" + + # Should return proper error for invalid input + if response.status_code >= 400: + assert "error" in response.json() + + def test_sql_injection_prevention(self): + """Test API prevents SQL injection""" + for payload in FuzzInputGenerator.sql_injection_payloads(): + response = requests.post( + f"{API_BASE}/api/users", + json={"name": payload, "email": payload}, + timeout=5 + ) + + # Should reject malicious input + assert response.status_code != 200, \ + f"Accepted SQL injection: {payload}" + + # Should not leak database errors + if response.status_code >= 400: + error_text = response.text.lower() + assert "sql" not in error_text + assert "database" not in error_text + + def test_numeric_boundary_values(self): + """Test numeric input boundaries""" + for value in FuzzInputGenerator.number_mutations(): + response = requests.post( + f"{API_BASE}/api/users", + json={ + "name": "Test User", + "email": "test@example.com", + "age": value + }, + timeout=5 + ) + + assert response.status_code < 500 + + def test_random_fuzzing(self): + """Random fuzz testing with generated inputs""" + for _ in range(100): # 100 random tests + random_data = { + "name": FuzzInputGenerator.generate_random_string(random.randint(1, 1000)), + "email": FuzzInputGenerator.generate_random_string(20), + "age": random.randint(-1000, 1000), + } + + response = requests.post( + f"{API_BASE}/api/users", + json=random_data, + timeout=5 + ) + + # Should handle gracefully + assert response.status_code < 500 + + def test_header_injection(self): + """Test header injection vulnerabilities""" + malicious_headers = { + "X-Forwarded-For": "' OR '1'='1", + "User-Agent": "", + "Referer": "javascript:alert(1)", + } + + response = requests.get( + f"{API_BASE}/api/users", + headers=malicious_headers, + timeout=5 + ) + + assert response.status_code < 500 +``` + +## Example Usage + +### Example 1: Automated Fuzzing in CI/CD + +```javascript +// .github/workflows/fuzz-tests.yml +name: API Fuzz Testing + +on: [push, pull_request] + +jobs: + fuzz: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Start API server + run: npm run start:test & + - name: Wait for API + run: npx wait-on http://localhost:3000/health + - name: Run fuzz tests + run: npm run test:fuzz + - name: Upload fuzz report + if: failure() + uses: actions/upload-artifact@v2 + with: + name: fuzz-report + path: ./fuzz-report.html +``` + +### Example 2: Custom Fuzzer with OpenAPI Spec + +```javascript +// fuzzer/openapi-fuzzer.js +const SwaggerParser = require('@apidevtools/swagger-parser'); +const axios = require('axios'); + +async function fuzzFromOpenAPI(specPath) { + const api = await SwaggerParser.validate(specPath); + + for (const [path, methods] of Object.entries(api.paths)) { + for (const [method, operation] of Object.entries(methods)) { + if (method === 'get' || method === 'post') { + console.log(`Fuzzing ${method.toUpperCase()} ${path}`); + + // Generate fuzz inputs based on parameters + const fuzzInputs = generateFuzzInputs(operation.parameters); + + for (const input of fuzzInputs) { + const response = await axios[method]( + `${api.servers[0].url}${path}`, + input, + { validateStatus: () => true } + ); + + if (response.status === 500) { + console.error(`CRASH FOUND: ${method} ${path}`, input); + } + } + } + } + } +} + +function generateFuzzInputs(parameters) { + // Generate based on parameter schemas + return [ + /* fuzz inputs */ + ]; +} + +fuzzFromOpenAPI('./openapi.yaml'); +``` + +### Example 3: Continuous Fuzzing with AFL-inspired Approach + +```python +# fuzzer/continuous_fuzzer.py +import requests +import random +import json +from datetime import datetime + +class ContinuousFuzzer: + """Continuously fuzz API endpoints with mutations""" + + def __init__(self, base_url: str, endpoints: list): + self.base_url = base_url + self.endpoints = endpoints + self.crashes = [] + + def mutate_string(self, s: str) -> str: + """Mutate string with random changes""" + mutations = [ + lambda x: x + chr(random.randint(0, 255)), # Append random char + lambda x: x[:len(x)//2], # Truncate + lambda x: x * 100, # Repeat + lambda x: x.replace('a', '`] +* **Description:** [**Placeholder:** Describe the vulnerability in detail. Explain how the payload triggered the vulnerability and the potential impact. Example: "The `id` parameter is vulnerable to XSS. The provided payload injects JavaScript code into the API response, which could allow an attacker to steal user cookies or redirect the user to a malicious website."] +* **Severity:** [**Placeholder:** Assign a severity level to the vulnerability. Example: Critical, High, Medium, Low] +* **Recommendation:** [**Placeholder:** Provide recommendations for remediating the vulnerability. Example: "Implement output encoding to prevent XSS attacks."] + +[**Repeat the above Vulnerability section for each vulnerability found.**] + +## 5. Non-Vulnerability Findings + +This section details any unexpected behaviors or potential issues that were identified during the fuzzing process, but do not necessarily constitute a vulnerability. + +* **Issue #1:** [**Placeholder:** Describe the issue. Example: "The API returned a 500 error when a very long string was provided as input. While this is not a vulnerability, it could indicate a potential denial-of-service vulnerability."] +* **Recommendation:** [**Placeholder:** Provide recommendations for addressing the issue. Example: "Implement input validation to limit the maximum length of input strings."] + +[**Repeat the above Issue section for each non-vulnerability finding.**] + +## 6. Conclusion + +[**Placeholder:** Summarize the overall results of the fuzzing process and provide recommendations for next steps. Example: "The API fuzzing process identified several potential vulnerabilities that require further investigation and remediation. It is recommended that the development team prioritize addressing these vulnerabilities to improve the security of the API."] + +## 7. Appendix + +[**Placeholder:** Include any additional information that may be relevant to the report, such as: + +* Detailed logs of the fuzzing process +* Sample API responses +* Links to relevant documentation +* Contact information for the fuzzing team +] \ No newline at end of file diff --git a/skills/api-fuzzer/references/README.md b/skills/api-fuzzer/references/README.md new file mode 100644 index 0000000..49f3e92 --- /dev/null +++ b/skills/api-fuzzer/references/README.md @@ -0,0 +1,7 @@ +# References + +Bundled resources for api-fuzzer skill + +- [ ] api_fuzzing_best_practices.md: Document outlining best practices for API fuzzing, including common vulnerabilities to look for. +- [ ] payload_examples.md: Document containing examples of different types of payloads used in fuzzing. +- [ ] api_schema.md: Document describing the expected API schema for the target API (if available). diff --git a/skills/api-fuzzer/scripts/README.md b/skills/api-fuzzer/scripts/README.md new file mode 100644 index 0000000..5c31445 --- /dev/null +++ b/skills/api-fuzzer/scripts/README.md @@ -0,0 +1,7 @@ +# Scripts + +Bundled resources for api-fuzzer skill + +- [ ] fuzz_api.py: Script to execute the fuzzing process, taking API endpoint and payload types as input. +- [ ] generate_payloads.py: Script to generate various types of payloads (malformed, boundary, random) for fuzzing. +- [ ] report_generator.py: Script to generate a detailed report of the fuzzing results, including vulnerabilities found.