Description
Why
The current Apache APISIX test suite focuses on normal input and output. To test the robustness of the program against malformed or unexpected input, fuzz testing can be used. There are many kinds of fuzzing: you can fuzz the source code directly, or you can fuzz the interface a service exposes.
Investigation process
I have investigated some popular fuzzing tools; the results are in the table below, which I hope will help Apache APISIX improve its ability in this area.
Tool name | Language | Hands-on result | Conclusion |
---|---|---|---|
go-fuzz | go | Fuzzes Go source code, so a corresponding fuzz function has to be written for every function under test | not applicable |
peach | C# (.NET) | Crashes on its own with `Unhandled Exception: ... for parameter of type 'System.Object' of method 'Void SetValue(System.Object, System.Object)'` | not applicable |
SSRFmap | python | Replays a Burp request to fuzz a specified module; there is no apisix module, and writing a custom one is hard to get started with | not applicable |
PyJFuzz | python | Supports fuzzing the Admin API: it constructs payloads by automatically mutating the provided JSON request body and sends each one to the target, similar to guided fuzzing | applicable |
wfuzz | python | Ships many dictionary files; it walks a dictionary and sends each entry to the target, but the dictionaries are not JSON, so this is closer to blind fuzzing | applicable |
restler-fuzzer | python | Linux support is poor; dotnet is required and I failed to install it | not applicable |
boofuzz | python | Supports fuzzing the Admin API: it takes the example HTTP request defined in the test code, automatically fuzzes every request parameter to construct payloads, and sends them to the target, similar to guided fuzzing | applicable |
ffuf | go | Needs the payloads generated first and then only sends them, so another tool is required to produce the fuzzing data | not applicable |
How
From the table above, three tools are suitable for APISIX, each with a different fuzzing focus:
- PyJFuzz fuzzes the request body by mutating a provided JSON example, which is guided fuzzing;
- wfuzz provides many dictionaries for fuzzing the request body, which is blind fuzzing;
- boofuzz fuzzes every request field starting from a request template, which is also guided fuzzing.
So my idea is to combine them to fuzz APISIX; the whole process is as follows:
This solution does not require building our own tooling, and it covers both blind fuzzing and guided fuzzing.
The left side of the above flowchart is for testing the APISIX CP (control plane, i.e. the Admin API). I think we can first fuzz the most common [route interface](https://github.com/apache/apisix/blob/master/doc/admin-api.md#route) with the most common plugins enabled, then gradually add other interfaces and integrate them into CI.
The right side of the above flowchart is for testing the APISIX DP (data plane). I think we can first test the situation with a large number of normal routes, then fuzz them and verify the results. Because there are many plugins, fuzzing every combination would be very complicated.
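As an added worked example for the left-hand (control plane) branch, the following Python harness does what the proposal calls guided fuzzing of the route Admin API. It is not APISIX project code and not PyJFuzz or boofuzz code: it takes a seed route of the shape documented in admin-api.md, substitutes interesting values into every field (and deletes each field in turn), PUTs each payload to /apisix/admin/routes/<id> with the X-API-KEY header, and records 5xx responses and dropped connections as findings while keeping accepted mutations for manual triage. The seed values, the list of substituted values, the route id `fuzz-1` and the Admin API address are assumptions; pass your deployment's base URL and the `admin_key` from conf/config.yaml on the command line.

```python
# Mutation-based fuzz harness for the APISIX Admin API route endpoint.
# Added example, not APISIX project code; the seed route, the substituted
# values and the route id below are illustrative assumptions.
import copy
import itertools
import json
import sys
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

# Seed route in the shape documented in admin-api.md (constructed values).
SEED_ROUTE: Dict[str, Any] = {
    "uri": "/index.html",
    "methods": ["GET"],
    "plugins": {"limit-count": {"count": 2, "time_window": 60,
                                "rejected_code": 503, "key": "remote_addr"}},
    "upstream": {"type": "roundrobin", "nodes": {"127.0.0.1:1980": 1}},
}
# Values substituted into every field: type confusion, numeric boundaries,
# oversized and control-character strings. The structure comes from the seed
# and only values change, which is what the proposal calls guided fuzzing.
INTERESTING: List[Any] = [
    None, True, 0, -1, 2 ** 31, 2 ** 63, 1.5, "", "A" * 8192,
    "../../../etc/passwd", "%00", "\x00", "' OR 1=1 --", [], {},
]
Sender = Callable[[bytes], Tuple[int, str]]  # returns (status, body text)

def node_paths(obj: Any, prefix: tuple = ()) -> Iterator[tuple]:
    """Yield the path of every node below the root, containers included."""
    children = obj.items() if isinstance(obj, dict) else (
        enumerate(obj) if isinstance(obj, list) else ())
    for key, child in children:
        yield prefix + (key,)
        yield from node_paths(child, prefix + (key,))

def _parent(obj: Any, path: tuple) -> Any:
    for key in path[:-1]:
        obj = obj[key]
    return obj

def mutate(seed: Dict[str, Any]) -> Iterator[Tuple[str, Any]]:
    """Yield (description, payload): one substitution or deletion each."""
    for path in list(node_paths(seed)):
        label = ".".join(str(p) for p in path)
        for value in INTERESTING:
            payload = copy.deepcopy(seed)
            _parent(payload, path)[path[-1]] = value
            yield f"set {label} = {value!r:.40}", payload
        payload = copy.deepcopy(seed)
        del _parent(payload, path)[path[-1]]
        yield f"delete {label}", payload
    # Whole-body shape changes the schema validator must also survive.
    yield "body is a list", [seed]
    yield "body is an empty object", {}

def http_sender(base_url: str, api_key: str, route_id: str = "fuzz-1") -> Sender:
    """PUT each payload to /apisix/admin/routes/<route_id>; status 0 means the
    connection failed, i.e. the worker may have died."""
    url = f"{base_url}/apisix/admin/routes/{route_id}"
    headers = {"X-API-KEY": api_key, "Content-Type": "application/json"}

    def send(body: bytes) -> Tuple[int, str]:
        req = urllib.request.Request(url, data=body, method="PUT", headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:  # 4xx/5xx is still a response
            return exc.code, exc.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError) as exc:
            return 0, str(exc)
    return send

def run(seed: Dict[str, Any], send: Sender, limit: Optional[int] = None):
    """Send the seed first (a wrong key or URL aborts the run), then every
    mutation. A 5xx or a dropped connection is a finding; accepted mutations
    are returned for triage, since a 2xx for e.g. a null upstream is a schema
    gap rather than a crash."""
    status, text = send(json.dumps(seed).encode())
    if not 200 <= status < 300:
        raise RuntimeError(f"seed route rejected ({status}): {text[:200]}")
    stats = {"sent": 0, "2xx": 0, "4xx": 0, "5xx": 0, "conn_err": 0}
    findings, accepted = [], []
    for desc, payload in itertools.islice(mutate(seed), limit):
        body = json.dumps(payload).encode()
        status, text = send(body)
        stats["sent"] += 1
        if status == 0 or status >= 500:
            stats["conn_err" if status == 0 else "5xx"] += 1
            findings.append({"mutation": desc, "status": status,
                             "response": text[:200], "payload": body})
        elif status >= 400:
            stats["4xx"] += 1
        else:
            stats["2xx"] += 1
            accepted.append(desc)
    return stats, findings, accepted

if __name__ == "__main__":  # python fuzz_route.py http://127.0.0.1:9080 <admin_key>
    stats, findings, _ = run(SEED_ROUTE, http_sender(sys.argv[1], sys.argv[2]))
    print(json.dumps(stats), *(f"\nFINDING {f['status']} {f['mutation']}" for f in findings))
```

The sender is a plain function, so the same runner can be pointed at a stub during development and at a real instance in CI; the seed request doubles as the check that the key and URL are right before any mutated payload is counted as rejected. Every finding carries the exact request body, which is what you need to replay it against a single worker with `error.log` open.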
I don't know much about fuzzing. I would really like to know whether there are other suggestions from our community.
@moonming @membphis @spacewander