nexedi / gitlab-ce
Commit 9faac7c2, authored Sep 15, 2020 by Michael Eddington, committed by Nick Gaskill on Sep 15, 2020
Document new HTTP basic authentication variables for API Fuzzing
parent
8ee02e75
Changes: 2 changed files with 22 additions and 34 deletions
changelogs/unreleased/227721-httpbasic-api-fuzzing-docs.yml (+5 -0)
doc/user/application_security/api_fuzzing/index.md (+17 -34)
changelogs/unreleased/227721-httpbasic-api-fuzzing-docs.yml
0 → 100644
---
title
:
Direct support for HTTP basic authentication in API Fuzzing
merge_request
:
42266
author
:
type
:
changed
doc/user/application_security/api_fuzzing/index.md
...
@@ -194,7 +194,7 @@ target API to test:
...
@@ -194,7 +194,7 @@ target API to test:
variables
:
variables
:
FUZZAPI_PROFILE
:
Quick-10
FUZZAPI_PROFILE
:
Quick-10
FUZZAPI_HAR
:
test-api-
specification.json
FUZZAPI_HAR
:
test-api-
recording.har
```
```
1.
The target API instance's base URL is also required. Provide it by using the
`FUZZAPI_TARGET_URL`
1.
The target API instance's base URL is also required. Provide it by using the
`FUZZAPI_TARGET_URL`
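Review bot: good correction, `FUZZAPI_HAR` now points at `test-api-recording.har` instead of the OpenAPI `test-api-specification.json`, so the variable name and the file type agree. Worth grepping the rest of the page for any remaining `FUZZAPI_HAR: test-api-specification.json` so every example is consistent.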
...
@@ -214,7 +214,7 @@ target API to test:
...
@@ -214,7 +214,7 @@ target API to test:
variables
:
variables
:
FUZZAPI_PROFILE
:
Quick-10
FUZZAPI_PROFILE
:
Quick-10
FUZZAPI_HAR
:
test-api-
specification.json
FUZZAPI_HAR
:
test-api-
recording.har
FUZZAPI_TARGET_URL
:
http://test-deployment/
FUZZAPI_TARGET_URL
:
http://test-deployment/
```
```
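Review bot: same `FUZZAPI_HAR` correction as the previous hunk; the two example blocks now differ only by the added `FUZZAPI_TARGET_URL: http://test-deployment/` line, which is what the surrounding text walks the reader through, so nothing further to change here.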
...
@@ -237,47 +237,28 @@ provide a script that performs an authentication flow or calculates the token.
...
@@ -237,47 +237,28 @@ provide a script that performs an authentication flow or calculates the token.
#### HTTP Basic Authentication
#### HTTP Basic Authentication
[
HTTP basic authentication
](
https://en.wikipedia.org/wiki/Basic_access_authentication
)
[
HTTP basic authentication
](
https://en.wikipedia.org/wiki/Basic_access_authentication
)
works by setting the
`Authorization`
header with the Base64-encoded username and password. The
is an authentication method built into the HTTP protocol and used in-conjunction with
resulting header looks like this:
[
transport layer security (TLS)
](
https://en.wikipedia.org/wiki/Transport_Layer_Security
)
.
To use HTTP basic authentication, two variables are added to your
`.gitlab-ci.yml`
file:
```
http
-
`FUZZAPI_HTTP_USERNAME`
: The username for authentication.
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
-
`FUZZAPI_HTTP_PASSWORD`
: The password for authentication.
```
To have API fuzzing include this header during a scan, set an overrides environment variable.
Base64-encode your username and password, separated with a
`:`
(for example,
`username:password`
).
On Linux, create a text file with the username and password separated by
`:`
. Make sure the file has
a single line with no return at the end. Then use the command line tool
`base64`
to encode it.
```
shell
$
base64
~/test.txt
dXNlcm5hbWU6cGFzc3dvcmQ
=
```
The output
`dXNlcm5hbWU6cGFzc3dvcmQ=`
is the Base64-encoded credentials.
DANGER:
**Warning:**
Base64 is
**not**
encryption. This string can be easily decoded and should not be considered a safe
way to protect or store credentials.
[
Next create a CI/CD variable
](
../../../ci/variables/README.md#create-a-custom-variable-in-the-ui
)
,
for example
`TEST_API_BASICAUTH`
, with the value
`{"headers":{"Authorization":"Basic dXNlcm5hbWU6cGFzc3dvcmQ="}}`
(substitute your Base64-encoded
credential string). You can create CI/CD variables from the GitLab projects page at
**Settings > CI/CD**
in the
**Variables**
section.
Set
`FUZZAPI_OVERRIDES_ENV`
in your
`.gitlab-ci.yml`
file:
For the password, we recommended that you
[
create a CI/CD variable
](
../../../ci/variables/README.md#create-a-custom-variable-in-the-ui
)
(for example,
`TEST_API_PASSWORD`
) set to the password. You can create CI/CD variables from the
GitLab projects page at
**Settings > CI/CD**
, in the
**Variables**
section.
```
yaml
```
yaml
include
:
include
:
-
template
:
API-Fuzzing.gitlab-ci.yml
-
template
:
API-Fuzzing.gitlab-ci.yml
variables
:
variables
:
FUZZAPI_PROFILE
:
Quick
FUZZAPI_PROFILE
:
Quick
-10
FUZZAPI_
OPENAPI
:
test-api-specification.json
FUZZAPI_
HAR
:
test-api-recording.har
FUZZAPI_TARGET_URL
:
http://test-deployment/
FUZZAPI_TARGET_URL
:
http://test-deployment/
FUZZAPI_OVERRIDES_ENV
:
$TEST_API_BASICAUTH
FUZZAPI_HTTP_USERNAME
:
testuser
FUZZAPI_HTTP_PASSWORD
:
$TEST_API_PASSWORD
```
```
#### Bearer Tokens
#### Bearer Tokens
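Review bot: two grammar fixes in the added text: `used in-conjunction with` should read `used in conjunction with`, and `we recommended that you` should read `we recommend that you`. More substantively, the removed paragraphs carried the only explanation of what the scheme actually transmits (`Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=`, a Base64 encoding of `username:password`) and the only warning that Base64 is not encryption; the new text says the method is used with TLS without saying why. Suggest keeping one sentence, for example: `The username and password are sent Base64-encoded, not encrypted, so only use this against a target served over HTTPS.` On the same point, the example keeps `FUZZAPI_TARGET_URL: http://test-deployment/`, which would send `testuser`'s password in the clear; either use an `https://` example URL or say the plain-HTTP value is for an isolated test deployment. Finally, where the text recommends storing the password in a CI/CD variable such as `TEST_API_PASSWORD`, it should also tell the reader to mark the variable as masked so the value is not echoed in job logs.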
...
@@ -421,6 +402,8 @@ increases as the numbers go up. To use a configuration file, add it to your repo
...
@@ -421,6 +402,8 @@ increases as the numbers go up. To use a configuration file, add it to your repo
|
[
`FUZZAPI_OVERRIDES_ENV`
](
#overrides
)
|JSON string containing headers to override. |
|
[
`FUZZAPI_OVERRIDES_ENV`
](
#overrides
)
|JSON string containing headers to override. |
|
[
`FUZZAPI_OVERRIDES_CMD`
](
#overrides
)
|Overrides command. |
|
[
`FUZZAPI_OVERRIDES_CMD`
](
#overrides
)
|Overrides command. |
|
[
`FUZZAPI_OVERRIDES_INTERVAL`
](
#overrides
)
|How often to run overrides command in seconds. Defaults to
`0`
(once). |
|
[
`FUZZAPI_OVERRIDES_INTERVAL`
](
#overrides
)
|How often to run overrides command in seconds. Defaults to
`0`
(once). |
|
[
`FUZZAPI_HTTP_USERNAME`
](
#http-basic-authentication
)
|Username for HTTP authentication. |
|
[
`FUZZAPI_HTTP_PASSWORD`
](
#http-basic-authentication
)
|Password for HTTP authentication. |
<!--|
[
`FUZZAPI_D_TARGET_IMAGE`
](
#target-container
)
|API target docker image |
<!--|
[
`FUZZAPI_D_TARGET_IMAGE`
](
#target-container
)
|API target docker image |
|
[
`FUZZAPI_D_TARGET_ENV`
](
#target-container
)
|Docker environment options |
|
[
`FUZZAPI_D_TARGET_ENV`
](
#target-container
)
|Docker environment options |
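Review bot: the two new rows read `Username for HTTP authentication.` and `Password for HTTP authentication.`, but they link to `#http-basic-authentication` and the same page documents bearer tokens as well; say `HTTP basic authentication` in both descriptions so the rows are not read as a generic setting. The `FUZZAPI_HTTP_PASSWORD` row could also note that the value should come from a CI/CD variable (as `$TEST_API_PASSWORD` does in the example) rather than a literal in `.gitlab-ci.yml`.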
...
...