suecodelabs/cnfuzz

To use cnfuzzy, I only need to prepare the following 3 points.?

zyd6 opened this issue · 7 comments

zyd6 commented

My project is the spring boot project

1、cnfuzz/enable: "true" Set to use cnfuzzy identification
2、cnfuzz/open-api-doc: "/swagger/swagger.json" I need to prepare the swagger document under the target project container directory
3、cnfuzz/secret: "0d5989ed-d60c-470e-b1b5-576fcf0f5d8c" I don't understand the meaning of this secret. Whether the key of cnfuzzy service or the key of target project

zyd6 commented

企业微信截图_16685792594032

Hi @zyd6!

1、cnfuzz/enable: "true" Set to use cnfuzzy identification
2、cnfuzz/open-api-doc: "/swagger/swagger.json" I need to prepare the swagger document under the target project container directory
3、cnfuzz/secret: "0d5989ed-d60c-470e-b1b5-576fcf0f5d8c" I don't understand the meaning of this secret. Whether the key of cnfuzzy service or the key of target project

  1. correct, from that moment on CNFuzz will start fuzzing the target once a new container image (hash) is being pushed.
  2. correct, so that HTTP path needs to be returning an OpenAPI spec document for the REST API running in the container.
  3. this secret string is being used as soon as CNFuzz encounters an endpoint which is secured by oauth, basic auth, etc. So it is about the target API that CNFuzz is going to fuzz. We are going to better document this feature.

#126 has been created to resolve this unclearity.

zyd6 commented

hi
On the second point, can I use such a swagger document, such as: http://dev.secp.127.0.0.1.nip.io/api/test/doc.html

hi On the second point, can I use such a swagger document, such as: http://dev.secp.127.0.0.1.nip.io/api/test/doc.html

Yes, as long as it is a JSON with an OpenAPI spec in it.

zyd6 commented

企业微信截图_16685877907427

zyd6 commented

ok thanks i will try it