How to properly configure and use authentication tokens in Restler?
PIAy3R opened this issue · 1 comment
Description
I followed the guide in SettingsFile.md to add a token for authentication in Restler. I configured the engine_settings.json file as follows:
{
    "per_resource_settings": {},
    "max_combinations": 20,
    "authentication": {
        "token": {
            "location": "token.txt",
            "token_refresh_interval": 300
        }
    },
    "no_tokens_in_logs": false
}
In this configuration, the token is expected to be stored in a file named token.txt. Here's an example of what the token.txt file looks like:
{u'api': {}}
Authorization: Bearer 5796defa170a0bd8d847ee91d116131ff3ff2014d58dfcbaee86dbc416b440b1
and the fuzzing command is
/home/MINER/restler_bin_atten/restler/Restler fuzz --grammar_file ./Compile/grammar.py --dictionary_file ./Compile/dict.json --settings ./Compile/engine_settings.json --no_ssl --time_budget 1 --disable_checkers payloadbody
However, this setup did not work as expected.
I also attempted another approach by using a Python script (token.py) to generate the token dynamically. Here's the content of the token.py file:
import sys
import json


def main(argv=None):
    # First line: dict of application names; following lines: one header per token
    sys.stdout.write("{u'api': {}}\n")
    sys.stdout.write("Authorization: Bearer 5796defa170a0bd8d847ee91d116131ff3ff2014d58dfcbaee86dbc416b440b1\n")


if __name__ == "__main__":
    sys.exit(main())
I then modified the Restler command to include the token_refresh_command option:
/home/MINER/restler_bin_atten/restler/Restler fuzz --grammar_file ./Compile/grammar.py --dictionary_file ./Compile/dict.json --settings ./Compile/engine_settings.json --no_ssl --time_budget 1 --disable_checkers payloadbody --token_refresh_command 'python token.py' --token_refresh_interval 720
Even with this method, Restler still failed to authenticate properly.
Additionally, I tried adding the token directly into the dictionary file (dict.json) using the restler_custom_payload_header option:
"restler_custom_payload_header": {
    "Authorization": [
        "Bearer 5796defa170a0bd8d847ee91d116131ff3ff2014d58dfcbaee86dbc416b440b1"
    ]
}
However, none of these approaches resolved the authentication issue; there was always a 401 status code in the responses to the requests I had sent.
And I never found information like the following in the network log:
2022-10-25 16:29:56.826: Will refresh token: python f:/restler-fuzzer-main/restler_workdir_1.0/auth.py
2022-10-25 16:29:56.913: New value: {u'api': {}}
Authorization: Bearer xxx
I have verified that the file paths are correct.
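As an added example (not code from the issue author or from the RESTler project), the script below emits the two-part token output shown above (a first line holding a dict of application names, then one `Header: value` line per token) while reading the secret from an environment variable instead of hard-coding it, and includes a checker that validates a token file or refresh-command output has that shape. The environment variable name `RESTLER_API_TOKEN` and the use of `ast.literal_eval` for the first line are assumptions of this example; both dict forms seen on this page (`{u'api': {}}` and `{"id":{}}`) are accepted by it.

```python
import ast
import os
import sys

# Assumed name for the variable that carries the secret; pick any name you like.
TOKEN_ENV_VAR = "RESTLER_API_TOKEN"


def format_token_output(token, app_name="api"):
    """Build the text Restler reads from a token file or a refresh command:
    a dict of application names on the first line, then the header line(s)."""
    metadata = {app_name: {}}
    return "{}\nAuthorization: Bearer {}\n".format(metadata, token)


def parse_token_output(text):
    """Validate the shape of token output; return (apps, headers) or raise ValueError."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty token output")
    try:
        apps = ast.literal_eval(lines[0])
    except (ValueError, SyntaxError) as exc:
        raise ValueError("first line is not a dict literal: %r" % lines[0]) from exc
    if not isinstance(apps, dict):
        raise ValueError("first line must be a dict of application names")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip()] = value.strip()
    if "Authorization" not in headers:
        raise ValueError("no Authorization header line found")
    return apps, headers


def main(argv=None):
    token = os.environ.get(TOKEN_ENV_VAR)
    if not token:
        sys.stderr.write("set %s before running this refresh script\n" % TOKEN_ENV_VAR)
        return 1
    output = format_token_output(token)
    parse_token_output(output)  # fail loudly rather than hand Restler a bad file
    sys.stdout.write(output)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `--token_refresh_command 'python refresh_token.py'` with the variable exported, or call `parse_token_output` on the contents of an existing token.txt to confirm the file has the expected layout before fuzzing.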
For me, my token.txt looks like:
{"id":{}}
Authorization: Bearer <Your_Token>
Maybe this will work also for you. Also make sure your path in engine_settings.json is set correctly. You need to specify the absolute path.