Forum Discussion

mikefrank1
Occasional Contributor
3 years ago

HTTP Method Fuzzing - 404 error

Hi,


I'm new to ReadyAPI, and I would like to know if it is typical to receive a 404 (Not Found) error when running an HTTP method fuzzing security test? Is this normal?

The tests don't fail, they all pass. That doesn't make sense to me.

Please enlighten me.

Thank you.


  • KarelHusa
    Champion Level 1

    mikefrank1,

    If you are fuzzing the API path or path parameters, HTTP 404 Not Found can be the correct answer.


    Let's use BankGround API as an example:

    • We have GET /accounts/{account_id} path
    • If you use the existing account_id, which belongs to your user, you will get HTTP 200 and a response body.
    • If you use a fuzzy string, you should get HTTP 404 (resource does not exist) or HTTP 400 (incorrect parameter format).

    Similarly, if you are fuzzing the request body, you should usually get a 400 or 422 response, etc.


    I hope it helps.

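    An added example, not code from this thread, from ReadyAPI or from BankGround: a constructed mock of the two endpoint types described above (a path-parameter endpoint and a request-body endpoint), plus the rule a fuzzing test applies to decide pass/fail. The handlers, the account data and the EXPECTED table are assumptions about how a well-behaved API answers fuzzed input; the point is that 400/404/415/422 are normal rejections, while a 5xx or an unexpected 200 is what the fuzzer is really hunting for.

```python
import json
import re

# Constructed data: the caller only "owns" account 1001; 2002 belongs to someone else.
ACCOUNTS = {1001: {"balance": 250.0}, 2002: {"balance": 90.0}}
OWNED_BY_CALLER = {1001}

def get_account(account_id: str) -> tuple[int, dict]:
    """Mock of GET /accounts/{account_id}: returns (status, body)."""
    if not re.fullmatch(r"[0-9]{1,12}", account_id):
        return 400, {"error": "account_id must be numeric"}   # format check
    acct_id = int(account_id)
    # Unknown ids and ids owned by another user both answer 404, so a fuzzer
    # cannot tell which accounts exist (no enumeration via 403 vs 404).
    if acct_id not in ACCOUNTS or acct_id not in OWNED_BY_CALLER:
        return 404, {"error": "not found"}
    return 200, ACCOUNTS[acct_id]

def post_transfer(content_type: str, raw_body: str) -> tuple[int, dict]:
    """Mock request-body endpoint: 415 / 400 / 422 for the usual bad inputs."""
    if content_type != "application/json":
        return 415, {"error": "unsupported media type"}
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, {"error": "malformed JSON"}
    amount = body.get("amount") if isinstance(body, dict) else None
    if not isinstance(amount, (int, float)) or isinstance(amount, bool) or amount <= 0:
        return 422, {"error": "amount must be a positive number"}
    return 201, {"transferred": amount}

# Statuses a fuzzing security test should count as a pass, per input class.
EXPECTED = {
    "valid_path": {200},
    "fuzzed_path": {400, 404},
    "fuzzed_body": {400, 415, 422},
}

def verdict(input_class: str, status: int) -> str:
    """PASS on a normal rejection; FAIL on 5xx; WARN on anything surprising."""
    if status >= 500:
        return "FAIL: server error, possible crash or unhandled input"
    if status in EXPECTED[input_class]:
        return "PASS"
    return f"WARN: unexpected {status} for {input_class}"
```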

    • mikefrank1
      Occasional Contributor

      Hi Karel,

      Thank you for getting back to me.

      I am HTTP fuzzing a GET request, but (as I'm sure you know) there are different methods being tested.

      Having worked with HTTP for many years, it just took a little thought to come to the conclusion that what I am seeing in the response is acceptable for each method.

      This link provides me with information about the various HTTP codes that exist, with descriptions of what each code means: https://www.restapitutorial.com/httpstatuscodes.html

      In today's run I see 404 for a number of responses and a couple of 415s for a PUT and a POST. The PUT resulted in a Warning after 26ms, and the POST resulted in a PASS after 2734ms.

      It would be nice if I could see the entire response code with the method included, but I don't think that is possible in ReadyAPI. Is it possible?


      • KarelHusa
        Champion Level 1

        mikefrank1,

        you can see the request (with the HTTP method) and response details; see the following screenshot.