Commit 9faac7c2 authored by Michael Eddington's avatar Michael Eddington Committed by Nick Gaskill

Document new HTTP basic authentication variables for API Fuzzing

parent 8ee02e75
---
title: Direct support for HTTP basic authentication in API Fuzzing
merge_request: 42266
author:
type: changed
...@@ -194,7 +194,7 @@ target API to test: ...@@ -194,7 +194,7 @@ target API to test:
variables: variables:
FUZZAPI_PROFILE: Quick-10 FUZZAPI_PROFILE: Quick-10
FUZZAPI_HAR: test-api-specification.json FUZZAPI_HAR: test-api-recording.har
``` ```
1. The target API instance's base URL is also required. Provide it by using the `FUZZAPI_TARGET_URL` 1. The target API instance's base URL is also required. Provide it by using the `FUZZAPI_TARGET_URL`
...@@ -214,7 +214,7 @@ target API to test: ...@@ -214,7 +214,7 @@ target API to test:
variables: variables:
FUZZAPI_PROFILE: Quick-10 FUZZAPI_PROFILE: Quick-10
FUZZAPI_HAR: test-api-specification.json FUZZAPI_HAR: test-api-recording.har
FUZZAPI_TARGET_URL: http://test-deployment/ FUZZAPI_TARGET_URL: http://test-deployment/
``` ```
...@@ -237,47 +237,28 @@ provide a script that performs an authentication flow or calculates the token. ...@@ -237,47 +237,28 @@ provide a script that performs an authentication flow or calculates the token.
#### HTTP Basic Authentication #### HTTP Basic Authentication
[HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) [HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication)
works by setting the `Authorization` header with the Base64-encoded username and password. The is an authentication method built into the HTTP protocol and used in-conjunction with
resulting header looks like this: [transport layer security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security).
To use HTTP basic authentication, two variables are added to your `.gitlab-ci.yml` file:
```http - `FUZZAPI_HTTP_USERNAME`: The username for authentication.
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ= - `FUZZAPI_HTTP_PASSWORD`: The password for authentication.
```
To have API fuzzing include this header during a scan, set an overrides environment variable.
Base64-encode your username and password, separated with a `:` (for example, `username:password`).
On Linux, create a text file with the username and password separated by `:`. Make sure the file has
a single line with no return at the end. Then use the command line tool `base64` to encode it.
```shell
$ base64 ~/test.txt
dXNlcm5hbWU6cGFzc3dvcmQ=
```
The output `dXNlcm5hbWU6cGFzc3dvcmQ=` is the Base64-encoded credentials.
DANGER: **Warning:**
Base64 is **not** encryption. This string can be easily decoded and should not be considered a safe
way to protect or store credentials.
[Next create a CI/CD variable](../../../ci/variables/README.md#create-a-custom-variable-in-the-ui),
for example `TEST_API_BASICAUTH`, with the value
`{"headers":{"Authorization":"Basic dXNlcm5hbWU6cGFzc3dvcmQ="}}` (substitute your Base64-encoded
credential string). You can create CI/CD variables from the GitLab projects page at
**Settings > CI/CD** in the **Variables** section.
Set `FUZZAPI_OVERRIDES_ENV` in your `.gitlab-ci.yml` file: For the password, we recommended that you [create a CI/CD variable](../../../ci/variables/README.md#create-a-custom-variable-in-the-ui)
(for example, `TEST_API_PASSWORD`) set to the password. You can create CI/CD variables from the
GitLab projects page at **Settings > CI/CD**, in the **Variables** section.
```yaml ```yaml
include: include:
- template: API-Fuzzing.gitlab-ci.yml - template: API-Fuzzing.gitlab-ci.yml
variables: variables:
FUZZAPI_PROFILE: Quick FUZZAPI_PROFILE: Quick-10
FUZZAPI_OPENAPI: test-api-specification.json FUZZAPI_HAR: test-api-recording.har
FUZZAPI_TARGET_URL: http://test-deployment/ FUZZAPI_TARGET_URL: http://test-deployment/
FUZZAPI_OVERRIDES_ENV: $TEST_API_BASICAUTH FUZZAPI_HTTP_USERNAME: testuser
FUZZAPI_HTTP_PASSWORD: $TEST_API_PASSWORD
``` ```
#### Bearer Tokens #### Bearer Tokens
...@@ -421,6 +402,8 @@ increases as the numbers go up. To use a configuration file, add it to your repo ...@@ -421,6 +402,8 @@ increases as the numbers go up. To use a configuration file, add it to your repo
|[`FUZZAPI_OVERRIDES_ENV`](#overrides) |JSON string containing headers to override. | |[`FUZZAPI_OVERRIDES_ENV`](#overrides) |JSON string containing headers to override. |
|[`FUZZAPI_OVERRIDES_CMD`](#overrides) |Overrides command. | |[`FUZZAPI_OVERRIDES_CMD`](#overrides) |Overrides command. |
|[`FUZZAPI_OVERRIDES_INTERVAL`](#overrides) |How often to run overrides command in seconds. Defaults to `0` (once). | |[`FUZZAPI_OVERRIDES_INTERVAL`](#overrides) |How often to run overrides command in seconds. Defaults to `0` (once). |
|[`FUZZAPI_HTTP_USERNAME`](#http-basic-authentication) |Username for HTTP authentication. |
|[`FUZZAPI_HTTP_PASSWORD`](#http-basic-authentication) |Password for HTTP authentication. |
<!--|[`FUZZAPI_D_TARGET_IMAGE`](#target-container) |API target docker image | <!--|[`FUZZAPI_D_TARGET_IMAGE`](#target-container) |API target docker image |
|[`FUZZAPI_D_TARGET_ENV`](#target-container) |Docker environment options | |[`FUZZAPI_D_TARGET_ENV`](#target-container) |Docker environment options |
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment