REST API Fuzz Testing (RAFT): Source code for self-hosted service developed for Azure, including the API, orchestration engine, and default set of security tools (including MSR's RESTler), that enables developers to embed security tooling into their CI/CD workflows

api devops fuzz fuzzing fuzzing-framework rest rest-api

Перейти к файлу

Stas 6336c84ff5 Convert RESTler bug buckets to Postman collections (#168 ) Co-authored-by: stas <statis@microsoft.com>		2021-03-24 14:50:05 -07:00
Scripts	Update version for release 3.0 #161 (#162 )	2021-03-17 15:23:18 -07:00
ado	Convert RESTler bug buckets to Postman collections (#168 )	2021-03-24 14:50:05 -07:00
cli	Convert RESTler bug buckets to Postman collections (#168 )	2021-03-24 14:50:05 -07:00
docs	Update index. (#165 )	2021-03-18 12:31:09 -07:00
src	Convert RESTler bug buckets to Postman collections (#168 )	2021-03-24 14:50:05 -07:00
.gitignore	dotnet5 (#157 )	2021-03-16 10:21:08 -07:00
CODE_OF_CONDUCT.md	Initial CODE_OF_CONDUCT.md commit	2020-10-05 09:55:01 -07:00
CONTRIBUTING.md	initial commit (#1 )	2020-10-21 16:25:45 -07:00
GeoPol.xml	initial commit (#1 )	2020-10-21 16:25:45 -07:00
LICENSE.txt	initial commit (#1 )	2020-10-21 16:25:45 -07:00
NOTICE.md	dotnet5 (#157 )	2021-03-16 10:21:08 -07:00
PRIVACY.md	initial commit (#1 )	2020-10-21 16:25:45 -07:00
README.md	Schemathesis (#118 )	2021-01-21 15:26:53 -08:00
SECURITY.md	Initial SECURITY.md commit	2020-10-05 09:55:05 -07:00

README.md

REST API Fuzz Testing (RAFT)

A self hosted REST API Fuzzing-As-A-Service platform

RAFT enables painless fuzzing of REST API's using multiple fuzzers in parallel. Using a single command line baked into your CI/CD pipeline developers can launch fuzz jobs against their services.

Following Swagger/OpenAPI tools are currently supported by RAFT

Tool	Description
RESTler	RAFT has first class integration with this Microsoft Research tool - the first stateful fuzzing tool designed to automatically test your REST API's driven by your swagger/OpenApi specification.
ZAP	RAFT supports Swagger/OpenAPI scanning functionality provided by ZAP
Dredd	RAFT supports Swagger/OpenAPI scanning functionality provided by Dredd
Schemathesis	RAFT supports Swagger/OpenAPI scanning functionality provided by Schemathesis

As a platform, RAFT is designed to host any API fuzzers that are packaged into a docker container. These can be configured and used in the system via configuration files and require no code changes to integrate.

Getting Started

This project is designed to run on Azure. See https://azure.com/free to create a free subscription and receive $200 in credits. You can run this service (and much more!) free for 30 days!

To deploy the service download the CLI release and run python raft.py service deploy. See the documentation for more details and the video tutorials linked below.

Once deployed, read about how to submit a job and use the samples to try out the service and fuzzers!

Documentation

Swagger Documentation

Once the service is created, you can examine the REST interface of the service by browsing to the swagger page at https://<deploymentName>-raft-apiservice.azurewebsites.net/swagger

Interesting in native code fuzzing?

Take a look at our sibling project OneFuzz

Microsoft Open Source Code of Conduct

https://opensource.microsoft.com/codeofconduct

Trademarks

Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

Preferred Languages

We prefer all communications to be in English.