string-format-wrong-values
Run cats list --formats for a full list of supported formats.
String Format Totally Wrong Values
| Item | Description |
|---|---|
| Full Fuzzer Name | StringFormatTotallyWrongValuesFuzzer |
| Log Key | SFTWV |
| Description | This fuzzer will target string fields with defined formats. It will generate values which are invalid for the given format, hopping that the validation regexes of the APIs will fail. The expectation is that APIs will reject the requests as invalid. |
| Enabled by default? | Yes |
| Target field types | OpenAPI type string |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Iteratively replaces string with defined formats with values which are invalid for the given format. Target formats: date, date-time, password, uuid, email, hostname, ip, uri, byte, binary, etc. (run cats list --formats for a full list of supported formats) |
| Conditions when this fuzzer will be skipped | When field is not a recognized format: date, date-time, password, uuid, email, hostname, ip, uri, byte, binary, etc (run cats list --formats for a full list of supported formats) |
| HTTP methods that will be skipped | None |
| Reporting | Reports error if: 1. response code is 404; 2. response code is documented, but not expected; 3. any unexpected exception. Reports warn if: 1. response code is expected and documented, but not matches response schema; 2. response code is expected, but not documented; 3. response code is 501. Reports success if: 1. response code is expected, documented and matches response schema. |