"Breaking Cloud Native Web APIs in their natural habitat."
Fuzzing web APIs in their fully converged Cloud Native state renders more representative results, just like it would have been deployed in production.
cnfuzz is a project written in Golang that automates fuzzing web APIs deployed in Kubernetes clusters. By tracking hashes of all container images, (re)deployed web API versions will be fuzzed - to detect potential security and stability issues and stores its results in a data lake.
By using Pod Annotations, OpenAPI and RESTler by Microsoft both discovery and fuzzing is being completely automated.
- You want to fuzz web API logic where they actually operate, especially when fuzzing complete Service Meshes
- You want to integrate and/or build data lakes with fuzzing data on top of AWS S3 based storage
- You want to save expensive Cloud CI/CD pipeline credits by using idle Kubernetes cluster resources
- You want fuzzing te be done outside of your CI/CD pipeline
- You have heavy performance requirements for your fuzzing and Cloud based CI/CD pipelines do not suffice
- You want to fuzz web API's of services which are interconnected and are being deployed by different teams in the same Kubernetes cluster
- You want to automatically fuzz existing opensource software for instability issues
- You get excited over fuzzing farms
helm repo add cnfuzz https://suecodelabs.github.io/cnfuzz
helm repo update
helm install cnfuzz cnfuzz/cnfuzzAll it takes to getting started after installation of cnfuzz on your Kubernetes cluster is to annotate your Kubernetes Pods, Deployments, DaemonSets, etc like in the following example:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-api
spec:
selector:
matchLabels:
app: my-api
replicas: 1
template:
metadata:
labels:
app: my-api
annotations:
cnfuzz/enable: "true"
cnfuzz/open-api-doc: "/swagger/swagger.json"
cnfuzz/secret: "0d5989ed-d60c-470e-b1b5-576fcf0f5d8c"
spec:
containers:
- name: myapi
image: my-api
imagePullPolicy: Always
ports:
- containerPort: 80-
Install Kind and/or Rancher Desktop
-
Install Helm
# don't forget to commit your changes locally before deploying to Kind.
make kind-init# don't forget to commit your changes locally before deploying to Rancher Desktop.
make rancher-initThese commands do the following:
- Setup initial deployment of
cnfuzz - Build a container image and load it into
Kubernetes - Install
cnfuzzvia helm with the local built image - Create example webapi deployment to fuzz
# don't forget to commit your changes locally before deploying to Kind.
make kind-build# don't forget to commit your changes locally before deploying to Kind.
make rancher-buildThese commands do the following:
- (re)-build
cnfuzzand upgrade deployment with latest image
This command does the following:
- delete the
cnfuzzinstallation fromKubernetes
make k8s-clean
# If you did a git pull between the above build and the below k8s-clean
# you will see an error. Specify the release as follows:
make k8s-clean GIT_COMMIT=f4fd3d2For building the project you can use the Makefile.
CNFUZZ_IMAGE=myrepo/cnfuzz RESTLERWRAPPER_IMAGE=myrepo/restlerwrapper make image# Compile project to binaries in dist/
make allUseful flags for debugging:
# cnfuzz
--debug # extra logging
--local-config # cnfuzz will use your local config in $HOME/.kube/config (by default)
--config "hack/default_config.yaml"
--ddoc-ip localhost # overwrite the OpenApi doc source IP
--ddoc-port 8080 # overwrite the OpenApi doc source port
# restlerwrapper
--debug
--pod todo-api-xxxxxxxxxx-xxxxx
--port 8080 # set the port of the target service
--ddoc-ip localhost # overwrite the IP that is used to get the OpenApi doc
--dry-run # don't do anything, just print the commands to the console
--local-config
--time-budget 0.001 # RESTler jobs complete almost instantlyNOTE: The Devspace setup is currently broken :(
see issue #84
The code can be debugged in your IDE (outside the cluster) with the --inside-cluster=false flag.
But you can also attach a debugger to a running pod inside a cluster using DevSpace.
- Start by installing DevSpace
- Run
devspace devin the root directory of this repository - Run
air -c air.tomlinside the container - Edit the code and set breakpoints
- Attach your IDE to the debugger inside the container
cd docs
helm package ../chart/cnfuzz
helm repo index --url https://suecodelabs.github.io/cnfuzz/ .- Opensource graduation research project ❤️
- Get more control over the Restler runtime
- Convert the output of Restler to a format that is easier to consume
- Integrate more tightly with Kubernetes
- Autodiscovery of possible URI prefixes
- Add some form of dashboarding
- Luuk van den Maagdenberg, Lead Developer
- Pim Merks, Developer
- Robert Scholts, Developer
- Sylvia van Os, Developer
- Ofer Chen, Developer
- Serge van Namen, Developer / Community Lead
- Hans Strijker, Maintainer
- Sam Crauwels, Maintainer
- Michiel Westerink, Maintainer
Create an issue, open up a PR or contact us via engineering@sue.nl
Every first Thursday of the month at 18:30 CET there will be a hybrid community meetup for users, developers and maintainers of the project hosted at Sue B.V. in the Netherlands.
Google Meet or see you at Sue B.V. including lovely drinks and food before the meetup!
Do you want swag that our awesome marketing team created for this project? Come to our community meetup on prem or contact marketing@sue.nl to receive your swag!
Do you need support that cannot be handled via issue tracking? Please contact us at engineering@sue.nl or via the contact form on this page.