Abugidas In Strings
This fuzzer has 2 flavours, depending on the value of --sanitizationStrategy.
Abugidas in String Fields SANITIZE_AND_VALIDATE
| Item | Description |
|---|---|
| Full Fuzzer Name | AbugidasInStringFieldsSanitizeValidateFuzzer |
| Log Key | AISF |
| Description | This fuzzer inserts abugida characters (జ్ఞా and স্রু) in valid values. The expectation is that APIs will sanitize the \u200c character and leave only the జ్ఞ and ా. |
| Enabled by default? | Yes |
| Target field types | OpenAPI type string |
| Expected result when fuzzed field is required | 2XX |
| Expected result when fuzzed field is optional | 2XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Iteratively inserts abugida characters in string fields |
| Conditions when this fuzzer will be skipped | When field is not of type string OR field is an enum OR field is a discriminator OR field is reference data |
| HTTP methods that will be skipped | None |
| Reporting | Reports error if: 1. response code is 404; 2. response code is documented, but not expected; 3. any unexpected exception. Reports warn if: 1. response code is expected and documented, but does not match the response schema; 2. response code is expected, but not documented; 3. response code is 501. Reports success if: 1. response code is expected, documented and matches the response schema. |
Abugidas in String Fields VALIDATE_AND_SANITIZE
| Item | Description |
|---|---|
| Full Fuzzer Name | AbugidasInStringFieldsValidateSanitizeFuzzer |
| Log Key | AISF |
| Description | This fuzzer inserts abugida characters (జ్ఞా and স্রু) in valid values. As the sanitization is assumed post-validation, the expectation is that APIs reject the request as invalid. |
| Enabled by default? | Yes |
| Target field types | OpenAPI type string |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Iteratively inserts abugida characters in string fields |
| Conditions when this fuzzer will be skipped | When field is not of type string OR field is an enum OR field is a discriminator OR field is reference data |
| HTTP methods that will be skipped | None |
| Reporting | Reports error if: 1. response code is 404; 2. response code is documented, but not expected; 3. any unexpected exception. Reports warn if: 1. response code is expected and documented, but does not match the response schema; 2. response code is expected, but not documented; 3. response code is 501. Reports success if: 1. response code is expected, documented and matches the response schema. |
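
The server-side behaviour each flavour expects, as an added example (not CATS code and not from the original page): one handler that runs sanitization and validation in either order over fuzzed values. Assumptions: the function names are hypothetical, the validator rejects Unicode format (Cf) characters such as \u200c, and the abugida sequence is inserted at every offset of the valid value.

```python
import re
import unicodedata

ZWNJ = "\u200c"
# Constructed sample: the Telugu cluster from the description, written as
# escapes so the zero-width non-joiner before the vowel sign is visible.
ABUGIDA = "\u0c1c\u0c4d\u0c1e" + ZWNJ + "\u0c3e"

def fuzz_values(valid):
    """Insert the abugida sequence at each offset of a valid value."""
    return [valid[:i] + ABUGIDA + valid[i:] for i in range(len(valid) + 1)]

def sanitize(value):
    """Drop Unicode format characters (category Cf), which includes U+200C."""
    return "".join(c for c in value if unicodedata.category(c) != "Cf")

def validate(value, pattern=None, max_length=64):
    """Reject invisible format characters, over-long values, pattern mismatches."""
    if any(unicodedata.category(c) == "Cf" for c in value):
        return False
    if len(value) > max_length:
        return False
    return pattern is None or re.fullmatch(pattern, value) is not None

def handle(value, strategy, pattern=None):
    """Return (status, stored_value) for one string field."""
    if strategy == "SANITIZE_AND_VALIDATE":
        value = sanitize(value)  # clean first, then validate what is left
        return (200, value) if validate(value, pattern) else (400, None)
    if strategy == "VALIDATE_AND_SANITIZE":
        # the raw value is validated, so the hidden character causes a reject
        return (200, sanitize(value)) if validate(value, pattern) else (400, None)
    raise ValueError(f"unknown strategy: {strategy}")

def run(valid, strategy, pattern=None):
    """Status codes for every fuzzed variant of one valid value."""
    return [handle(v, strategy, pattern)[0] for v in fuzz_values(valid)]

if __name__ == "__main__":
    for strategy in ("SANITIZE_AND_VALIDATE", "VALIDATE_AND_SANITIZE"):
        print(strategy, run("alice", strategy), run("alice", strategy, r"[a-z]+"))
```

With a field pattern such as `[a-z]+`, both orders return 4XX, which matches the "not matching field pattern" row in both tables.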