2024-02-08, RoboCon
The existence of REST APIs is itself a security risk: an API that is easy to program against is also an easy target for attackers, and such APIs often lack sufficient security design or testing. Learn about Vaisala's experience of integrating API fuzzing, a form of security testing, into existing Robot Framework (RF) automated testing, and the results that came with it.
REST APIs are a common and attractive attack vector. Often they lack sufficient security design or security testing. It is common to rely too heavily on client-side sanitization while forgetting that the API can be called directly, bypassing the client entirely. This can lead to many security issues, such as sensitive data exposure, broken authentication, and injection attacks.
So, how can we make sure an API cannot be exploited? The answer is to fuzz it. In this talk, you will learn about Vaisala's experience of integrating API fuzzing, a form of security testing, into an existing Robot Framework system test automation process for one of the company's products.
We selected a third-party tool (Schemathesis, which builds on the property-based testing library Hypothesis) and implemented a Python package with post-processing functionality that allows us to effectively run fuzzing against our APIs. This Python package is then imported and used in RF test cases.
Because fuzzing is random, it can generate a lot of noise. The post-processing step validates what a symptom actually means and helps us make sense of the test results by integrating with existing Robot Framework automation assets: when fuzzing finds a bug, we can rerun the faulty test case, and run any system checks we need, which tells us exactly what is broken.
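The fuzz-then-post-process flow described above, as an added example that is not Vaisala's package and does not use the Schemathesis or Hypothesis APIs: it runs offline against a constructed toy endpoint, replaces the schema-driven generator with a small seeded stand-in, and shows the post-processing step that reruns each failing case (deterministic bug versus flaky noise) and records a system health check afterwards. All names here are hypothetical.

```python
import random

# Constructed toy service standing in for the REST API under test: GET /items?limit=<int>&q=<str>.
# The negative-limit path is left unhandled on purpose so the fuzzer has a realistic symptom to find.
ITEMS = [f"item-{i}" for i in range(10)]

def get_items(params):
    limit, q = params.get("limit", 10), params.get("q", "")
    if limit < 0:
        raise ValueError("negative limit")  # unhandled -> becomes a 500 in call()
    return 200, {"items": [i for i in ITEMS if q in i][:limit]}

def call(handler, params):
    """Dispatch one request the way a server would: an unhandled exception is a 500."""
    try:
        return handler(params)
    except Exception as exc:
        return 500, {"error": repr(exc)}

# Minimal parameter schema; stands in for the OpenAPI spec that Schemathesis would read.
SCHEMA = {"limit": {"type": "integer"}, "q": {"type": "string"}}
BOUNDARY = {"integer": [0, -1, 2**31, 2**63], "string": ["", "'", "%00", "x" * 300]}

def generate_case(rng):
    """Property-based-style case generation (stand-in): boundary values mixed with random ones."""
    params = {}
    for name, spec in SCHEMA.items():
        if rng.random() < 0.3:
            continue  # parameter omitted, exercising the endpoint's defaults
        if rng.random() < 0.5:
            params[name] = rng.choice(BOUNDARY[spec["type"]])
        elif spec["type"] == "integer":
            params[name] = rng.randint(-20, 100)
        else:
            params[name] = "".join(rng.choice("abc-19") for _ in range(rng.randint(0, 8)))
    return params

def fuzz(handler, n=200, seed=1):
    """Phase 1: generate n cases and keep the ones that produced a server error."""
    rng, failures = random.Random(seed), []
    for _ in range(n):
        params = generate_case(rng)
        status, body = call(handler, params)
        if status >= 500:
            failures.append({"params": params, "status": status, "body": body})
    return failures

def post_process(handler, failures, reruns=3):
    """Phase 2: rerun each failure to separate deterministic bugs from noise, then health-check."""
    report = []
    for f in failures:
        statuses = [call(handler, f["params"])[0] for _ in range(reruns)]
        verdict = "deterministic" if all(s >= 500 for s in statuses) else "flaky"
        report.append({**f, "verdict": verdict, "healthy_after": call(handler, {})[0] == 200})
    return report
```

In the real setup the rerun would be the existing RF test case for that endpoint and the health check one of the existing system-check keywords; the report is what the RF test asserts on.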
Overall, the talk explains how REST API fuzzing can be effectively integrated with existing RF tests, and shows examples of found problems.
In-person, but also available for the online conference.
Lessons Learned: The participants will learn about:
- why REST APIs can be dangerous
- what fuzzing is, and why one would want to use it
- a technique for REST API fuzzing used in a Vaisala project:
  - creating a Python package based on Schemathesis to use with Robot Framework
  - fuzzing using the package
  - post-processing that reuses existing test cases to identify the reason for a bug
- examples of found bugs
People interested in automating security testing;
People working with REST APIs;
Beginner RF user, Intermediate RF user
I'm a cybersecurity student in the final year of my Master's program with over a year of experience in fuzzing. During my recent internship, I worked with Robot Framework and automated security testing while helping to integrate API fuzzing into existing RF test cases.