Fuzzing with Postman

Margarit Holm
5 min read · Oct 5, 2021

For the ones who have never heard about fuzzing, here goes the short explanation:

It is an automated Black Box test technique, where we are testing the program by feeding it with randomly generated, unexpected, and often invalid data and then observing how it reacts.


This technique can be used to find different kinds of vulnerabilities and bugs in input fields. Input fields, in general, are very difficult to test manually, because very often there are too many input combinations. Normally testers choose the most common combinations and ignore the others, mainly due to a shortage of time. This can sometimes have very bad consequences, as in the case of the famous Skype input bug: a user found out that sending the characters “http://” (without the quotes) in a message would immediately crash the application. It was so bad that the only way to make the app work again was to reinstall it. To avoid such problems, the fuzzing technique can be used to automate the process.

Let’s say we have an app with search functionality. Our app has a search input field, where you type the text to search for, and a button that you click to get the search results. You can test the input field manually, by typing different values, clicking the search button, and observing how it reacts, or you can be smart 😎 and automate the process by using fuzzing.

In this article, I’m going to describe how to use the fuzzing technique in an API test in Postman, using the example app with search functionality.

So what do we have?

We have a getSearchResults API endpoint, which is used to get search results, and we use the searchQ request parameter for the search input value.

What do we need to test?

We would like to send, let’s say, 10 different values for the searchQ parameter to start with, and then observe the response to detect abnormalities. In this example, we will use 10 different special characters instead of the usual alphabetic or numeric characters.

How to do it?

Step 1

We start with defining the characters in a .csv file.

CSV file containing special characters

As you can see in the example CSV file, the input values for the searchQ parameter are arranged in a column, where the first row defines the name of the parameter. If you want to add one more parameter, you just need to add an extra column arranged in the same way.

In this example I’m making my own data file with the 10 values I want to test with, but you can also use a pre-defined list of random input values like the famous big list of naughty strings.
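The data file format described in Step 1 is plain CSV, and Postman's Collection Runner reads one row per iteration, substituting each row's value wherever the request references {{searchQ}}. One practical catch when the values themselves are special characters: a comma, a double quote or a line break inside a cell must be quoted (with embedded quotes doubled, RFC 4180 style), otherwise the row is split in the wrong place and the fuzz value never reaches the API. The following script is an added example, not code from the article; it builds such a data file from a constructed corpus that goes a bit beyond the article's ten characters (empty, oversized, NUL and Unicode cases), and includes a small parser so the file can be checked to round-trip. All names in it are my own.

```javascript
// Added example (not from the original article): build a Postman-compatible
// CSV data file for fuzzing the searchQ parameter. The header row names the
// variable; each following row is one Collection Runner iteration.

// Constructed fuzz corpus: the article's kind of special characters plus a
// few classic edge cases that a search backend should survive.
const FUZZ_VALUES = [
  "'", '"', "<", ">", "&", "%", ";", ",", "\\", "`",
  "",                       // empty input
  "   ",                    // whitespace only
  "a".repeat(2048),         // oversized input
  "%00", "\u0000",          // encoded and raw NUL
  "\u202E",                 // right-to-left override
  "😎",                     // multi-byte (non-BMP) character
];

// Quote a single CSV field only when it contains a comma, quote or newline;
// embedded double quotes are doubled, as RFC 4180 requires.
function csvField(value) {
  const needsQuoting = /[",\r\n]/.test(value);
  return needsQuoting ? '"' + value.replace(/"/g, '""') + '"' : value;
}

// Build the whole file: header row, then one row per fuzz case. Several
// columns (one per parameter) are supported: each row is an array of values.
function toCsv(headers, rows) {
  const lines = [headers.map(csvField).join(",")];
  for (const row of rows) lines.push(row.map(csvField).join(","));
  return lines.join("\r\n") + "\r\n";
}

// Minimal RFC 4180 parser, used here only to verify that the file round-trips
// (a value that does not come back unchanged would also confuse Postman).
function parseCsv(text) {
  const rows = [];
  let row = [], field = "", inQuotes = false;
  const endField = () => { row.push(field); field = ""; };
  const endRow = () => { endField(); rows.push(row); row = []; };
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"') {
        if (text[i + 1] === '"') { field += '"'; i++; } // doubled quote
        else inQuotes = false;                            // closing quote
      } else field += c;
    } else if (c === '"') inQuotes = true;
    else if (c === ",") endField();
    else if (c === "\r" && text[i + 1] === "\n") { endRow(); i++; }
    else if (c === "\n") endRow();
    else field += c;
  }
  if (field !== "" || row.length) endRow(); // file without trailing newline
  return rows;
}

// The single-column data file for the article's searchQ parameter.
function buildSearchQFile() {
  return toCsv(["searchQ"], FUZZ_VALUES.map((v) => [v]));
}

module.exports = { FUZZ_VALUES, csvField, toCsv, parseCsv, buildSearchQFile };
```

To produce the file, write the string returned by buildSearchQFile() to disk (for example with fs.writeFileSync("searchQ-fuzz.csv", buildSearchQFile())) and attach it in the Collection Runner as described in Step 4. Keeping the corpus in code rather than hand-editing the CSV also makes it easy to add a second column later, e.g. a page-size parameter next to searchQ.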

Step 2

Add the input parameter where you have defined all the other parameters for the getSearchResults API call. I have defined mine in the body, so I add the searchQ parameter in curly brackets to the list of all the other parameters.

Parameter definition in Postman

Step 3

When I run the test, I want to be able to see exactly why my test failed. So I write the test so that, in case of failure, it tells me which special character made it fail.

// Parse the JSON response; on failure, report the searchQ value of this
// iteration together with the error code returned by the API.
let response = JSON.parse(responseBody);
pm.test("Request passes with success", function () {
    if (response.info !== "Success") {
        pm.expect.fail("Test fails with the following special character: "
            + pm.request.body.formdata.get("searchQ")
            + " Errorcode: " + response.error);
    }
});
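The test in Step 3 decides pass or fail on one field, response.info. When fuzzing, the interesting failures are often the ones the API does not report cleanly: a 5xx status, a body that is no longer JSON because an exception handler produced HTML, a stack trace or database error leaking into the body, a response that takes far longer than usual, or the fuzz input echoed back unescaped. The block below is an added example, not the article's code: a pure oracle function, findAnomalies, that takes the input and a plain description of the response and returns every abnormality it finds, so one failed iteration explains itself. The latency budget, the sample responses and the field names are constructed for the example; the commented Postman usage at the end uses the pm sandbox API (pm.iterationData, pm.response) and assumes the script has been pasted into the request's Tests tab.

```javascript
// Added example (not from the original article): a fuzz oracle for the
// getSearchResults response that flags more than a missing "Success".

const MAX_MS = 2000; // assumed latency budget for one search call

// Returns a list of anomaly descriptions; an empty list means the response
// looks sane. `res` is a plain object: { status, timeMs, contentType, bodyText }.
function findAnomalies(input, res) {
  const anomalies = [];
  const { status, timeMs, contentType, bodyText } = res;

  if (status >= 500) anomalies.push(`server error ${status}`);
  if (timeMs > MAX_MS) anomalies.push(`slow response: ${timeMs} ms`);

  // A JSON API answering with non-JSON usually means an unhandled exception.
  let body = null;
  try { body = JSON.parse(bodyText); }
  catch (e) { anomalies.push("response body is not valid JSON"); }

  // Stack traces or database error text leaking into the body.
  if (/(Exception|Traceback|at .+\(.+:\d+\)|SQL syntax|ORA-\d{5})/.test(bodyText)) {
    anomalies.push("error details leaked in body");
  }

  // Fuzz input containing markup characters reflected verbatim into HTML.
  const isHtml = /text\/html/i.test(contentType || "");
  if (isHtml && input && /[<>"'&]/.test(input) && bodyText.includes(input)) {
    anomalies.push("raw input reflected in HTML response");
  }

  // The article's own check, kept last so the message stays readable.
  if (body && body.info !== "Success") {
    anomalies.push(`info=${body.info} error=${body.error}`);
  }
  return anomalies;
}

// Failure message in the article's style: name the input that broke it.
function describeFailure(input, anomalies) {
  return `Input ${JSON.stringify(input)} caused: ${anomalies.join("; ")}`;
}

// Constructed sample responses for three fuzz inputs (not real captures).
const SAMPLES = [
  { input: "a", res: { status: 200, timeMs: 120, contentType: "application/json",
                       bodyText: '{"info":"Success","results":[]}' } },
  { input: "'", res: { status: 500, timeMs: 90, contentType: "text/html",
                       bodyText: "<html>SQL syntax error near ''</html>" } },
  { input: "<", res: { status: 200, timeMs: 3500, contentType: "application/json",
                       bodyText: '{"info":"Error","error":"E42"}' } },
];

// Run the oracle over the samples; returns one verdict per input.
function runSamples() {
  return SAMPLES.map(({ input, res }) => ({ input, anomalies: findAnomalies(input, res) }));
}

/* Usage inside a Postman Tests tab (pm sandbox), after pasting findAnomalies
   and describeFailure above this snippet:

pm.test("searchQ fuzz case passes", function () {
  const input = pm.iterationData.get("searchQ");      // value from the CSV row
  const anomalies = findAnomalies(input, {
    status: pm.response.code,
    timeMs: pm.response.responseTime,
    contentType: pm.response.headers.get("Content-Type"),
    bodyText: pm.response.text(),
  });
  if (anomalies.length) pm.expect.fail(describeFailure(input, anomalies));
});
*/

module.exports = { MAX_MS, findAnomalies, describeFailure, runSamples };
```

Reading the input from pm.iterationData rather than from the request body makes the message correct regardless of whether searchQ ends up in the body, the query string or a header. In the Collection Runner summary each failing iteration then shows a message such as "Input \"'\" caused: server error 500; response body is not valid JSON; ...", which is exactly what you need to reproduce the bug by hand.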

Step 4

In order to run our fuzzing test, we are going to use Postman’s Collection Runner. We open the collection that includes our getSearchResults request, add the CSV file that we made earlier, and just click the Run button.

Collection window
When you click the Run button, the Collection Runner window opens with the different configuration options

In the Collection Runner window you can choose configuration parameters for your run, such as the delay, the number of iterations, etc. You can read more about the different configurations and how to use them in Postman’s documentation.

If you don’t specify the number of iterations, Postman will by default use the number of rows in your CSV file, that is, the number of parameter input values. And once you have attached the file, you get the chance to preview it before you run it.

Collection Runner lets you preview the attached file before the run

After the run, the results are shown in a detailed summary report, where you can see the result of each iteration.

Summary report of results
You can view a detailed report of the results by clicking the ‘View Results’ button

Now go ahead and give it a try ;)
