
Support HTTP Basic authentication in API Fuzzing

Problem to solve

As a user, I want to test web APIs authenticated with HTTP Basic authentication, so I can get better results from API Fuzzing.

Current support for HTTP Basic requires the user to perform extra steps: the user must pre-encode the credentials into a Base64 `Authorization` header value and supply it through an overrides JSON file or environment variable.

Intended users

Users who determine if API Fuzzing is usable as a solution for testing their web APIs and users who configure API Fuzzing.

User experience goal

Provide an easy way to configure HTTP Basic authentication in the .gitlab-ci.yml file.

Proposal

Directly support the HTTP Basic authentication mechanism.

New configuration parameters:

  • FUZZAPI_HTTP_USERNAME
  • FUZZAPI_HTTP_PASSWORD

Modify the runner to create the correct header value and add it to the overrides list internally.

HTTP Basic authentication sets the Authorization HTTP header with the value:

"Basic " + Base64("username:password")

  1. Modify peachrunner, adding new command line options:
    1. Auth type --auth with a supported value of httpbasic
    2. Username --username
    3. Password --password
  2. Calculate and update overrides adding Authorization header entry
  3. Modify worker-entry to add the needed command line options
  4. Unit tests for runner and worker-entry
  5. Integration test
    1. Add new APIs to flask target with http basic auth
    2. Add new integration test using http basic auth
  6. Update template to include new variables
  7. Update documentation and add changelog entry
  8. Address password leaking through gl-apifuzzing-ci logs.
  9. Add test for unicode username
  10. Add test for spaces in password
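
The header construction, the internal overrides update (step 2), the log redaction (step 8) and the unicode/space edge cases (steps 9 and 10) together, as an added example in Python. This is not code from the proposal or from the gl-apifuzzing project; the function names are hypothetical, and it assumes the overrides document is a JSON object whose "headers" member maps header names to values.

```python
import base64
import copy
from typing import Dict, Optional, Tuple

# Header names whose values carry credentials and must never reach CI logs.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization"}


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value: "Basic " + Base64(username ":" password).

    Per RFC 7617 the user-id must not contain a colon (it is the separator),
    while the password may contain anything, including spaces. The pair is
    encoded as UTF-8 before Base64 so a non-ASCII username round-trips.
    """
    if ":" in username:
        raise ValueError("HTTP Basic user-id must not contain ':'")
    credentials = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Inverse of basic_auth_header; used to check that credentials round-trip."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not an HTTP Basic Authorization header")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


def add_basic_auth_override(overrides: Optional[Dict], username: str, password: str) -> Dict:
    """Return a copy of the overrides document with the Authorization header set.

    Assumption (not from the proposal): overrides are a JSON object whose
    "headers" member maps header names to values. If the user supplied no
    overrides a fresh document is created; if they did, their other entries
    are kept and only Authorization is added or replaced.
    """
    merged = copy.deepcopy(overrides) if overrides else {}
    headers = merged.setdefault("headers", {})
    headers["Authorization"] = basic_auth_header(username, password)
    return merged


def redact_for_log(overrides: Dict) -> Dict:
    """Copy of overrides that is safe to print in CI output: credential headers masked.

    Only the scheme token is kept (e.g. "Basic ****") so the log still shows
    which auth mechanism was applied without exposing the encoded password.
    """
    redacted = copy.deepcopy(overrides)
    headers = redacted.get("headers", {})
    for name in list(headers):
        if name.lower() in SENSITIVE_HEADERS:
            scheme = str(headers[name]).split(" ", 1)[0]
            headers[name] = f"{scheme} ****"
    return redacted


if __name__ == "__main__":
    # Constructed input: the user's own overrides plus the two new CI variables.
    user_overrides = {"headers": {"X-Api-Version": "2"}, "query": {"debug": "1"}}
    merged = add_basic_auth_override(user_overrides, "Aladdin", "open sesame")
    print(merged["headers"]["Authorization"])  # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(redact_for_log(merged))
```

The "Aladdin" / "open sesame" pair is the RFC 7617 example and exercises a space in the password; a username such as "üser" exercises the UTF-8 path. Whatever the runner prints about the effective overrides should go through redact_for_log, since the Base64 value is trivially reversible and the raw password would otherwise sit in the job log.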

Documentation

The new environment variables will require documentation.

Availability & Testing

  • Unit test changes
    • Test when overrides provided by user
    • Test when no overrides have been provided
  • Integration test changes

What does success look like, and how can we measure that?

Setting new variables allows API Fuzzer to perform authenticated scans of a target with HTTP Basic authentication.

Links / references

HTTP Auth: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
