HTTP Method Fuzzing - 404 error
Hi,
I'm new to ReadyAPI, and I would like to know if it is typical to receive a 404 (Not Found) error when running an HTTP method fuzzing security test? Is this normal?
The tests don't fail; they all pass. That doesn't make sense to me.
Please enlighten me.
Thank you.
Labels: Assertions, Security Tests
If you are fuzzing an API path or path parameters, HTTP 404 Not Found can be the correct answer.
Let's use BankGround API as an example:
- We have GET /accounts/{account_id} path
- If you use the existing account_id, which belongs to your user, you will get HTTP 200 and a response body.
- If you use a fuzzy string, you should get HTTP 404 (resource does not exist) or HTTP 400 (incorrect parameter format).
Similarly, if you are fuzzing the request body, you should usually get a 400 or 422 response, etc.
I hope it helps.
https://apimate.eu
Hi Karel,
Thank you for getting back to me.
I am HTTP fuzzing a GET request, but (as I'm sure you know) there are different methods being tested.
Having worked with HTTP for many years, it just took a little thought to come to the conclusion that what I am seeing in the response is acceptable for each method.
This link provides me with information about the various HTTP codes that exist, with descriptions of what each code means: https://www.restapitutorial.com/httpstatuscodes.html
In today's run I see 404 for a number of responses and a couple of 415s for a PUT and a POST. The PUT resulted in a Warning after 26ms, and the POST resulted in a PASS after 2734ms.
It would be nice if I could see the entire response code with the method included, but I don't think that is possible in ReadyAPI. Is it possible?
You can see the request (with the HTTP method) and response details; see the following screenshot.
https://apimate.eu
Have you worked with Smart Assertion?
If you have, then do you know how to restore Received Metadata?
I removed the information without copying the information down before removal.