Generators that allow for multiple requests and websockets #1291
Conversation
Added WebSocket generator and a Rest generator that can execute multiple requests. None should run properly
These are both patterns the project is interested in getting support for. Please see #878 and the conversations about needing some publicly available application stack to test against to maintain official generators.
Previous comments such as this one offered patterns for possibly lifting that class into a generic class configurable via --generator_options_file. The implementation here based on burp exported XML looks reasonable. I would be interested in opinions on if it can support the use cases described in the previous PR's comments.
I took a look at that previous pull request. I'm not entirely sure if there is anything publicly available, but let me check back on this; we might have something. If not, an idea I had was testing it with multiple endpoints with high availability (like testing if you can reach Google first and then subsequently making a request to Wikipedia).
I think it can with a few edits. The generator creates its own data structure for requests and responses from an external file. I just used Burp Suite because it's popular to proxy requests and save them from there. I think it would be a function similar to I should be able to send another commit with those changes requested sometime before the end of the week. 👍
Okay, I just went ahead and rewrote it. It should support manually putting the requests and stuff in a config file. I followed the discourse in that other pull request and tried to make it as close as the last suggestion you gave on that thread. The format of the config can be changed; I'm open to all suggestions. I also moved that example file to the directory you specified as well.
Need to do some testing on an arbitrary websocket/streaming generator in real life to validate but this looks ok to me.
tests/generators/test_multirest.py
Should apply black on this file just for cleanup. I'd consider this a nit but others may consider the code style more important.
tests/generators/test_multirest.py

```python
requests_mock.get(url2, headers={"Content-Type": "application/json"}, status_code=400, json={"message": "error details"})

output = mr_gen_burpfile_config.run("Hello")
assert output == "error details"
```
Newline at end of file
For adding it to the
And then for
I don't think using

Alright, I just went ahead and moved them into
Co-authored-by: Jeffrey Martin <[email protected]> Signed-off-by: CJ Anih <[email protected]>
Signed-off-by: CJ Anih <[email protected]>
This change adds support for sending multiple request/response pairs as well as websockets. This was influenced by a couple of web app implementations our practice has seen over the past couple of months.
MultiRestGenerator:
There are times where the initial request with the user input doesn't immediately return a generated output. Instead another request has to be made to a specified endpoint to get the results of the input. For example, one implementation we have come across had the user send an input and a query id was returned. The succeeding request used this query id as a value for a GET parameter. The response to this GET request then contained the generated output.
It also relies on Burp Suite XML files, as Burp Suite is one of the most popular web application testing tools. This might be a stepping stone into adding garak as a dedicated Burp extension some time in the future?
WebSocketGenerator:
There have been times where chatbots would communicate with websockets. I've only encountered pretty basic implementations of this, which is why this one is pretty rudimentary
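The two-request flow described above (POST the prompt, receive a query id, then GET the result with that id) as a worked example. This is added illustration code, not the generator from this PR or any garak code: the step/placeholder config format, the `chat.example.test` URLs, the `query_id` and `result.text` field names, and the in-memory fake transport are all assumptions constructed for the example so it runs offline. It also shows the failure mode a practitioner will hit in practice: a non-2xx response from a later step, which must not be silently treated as model output.

```python
"""Chained REST calls: step N's request can reference fields of step 0..N-1's JSON responses."""
import itertools
import json
import re
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

# transport(method, url, query_params, json_body) -> (status_code, json_payload)
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Tuple[int, Dict[str, Any]]]

# Placeholders look like {{input}} or {{step0.query_id}} (dotted path into an earlier response).
_PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


@dataclass
class Step:
    """One HTTP request in the chain. Hypothetical config shape, not garak's schema."""
    method: str
    url: str
    params: Dict[str, str] = field(default_factory=dict)
    body: Optional[Dict[str, str]] = None


class ChainError(RuntimeError):
    """Raised when any step returns a non-2xx status; the error body is kept for reporting."""
    def __init__(self, step: int, status: int, message: str):
        super().__init__(f"step {step} returned HTTP {status}: {message}")
        self.step, self.status, self.message = step, status, message


def _lookup(ctx: Dict[str, Any], dotted: str) -> Any:
    cur: Any = ctx
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(f"placeholder '{dotted}' not found in prompt or earlier responses")
        cur = cur[part]
    return cur


def _render(template: str, ctx: Dict[str, Any]) -> str:
    return _PLACEHOLDER.sub(lambda m: str(_lookup(ctx, m.group(1))), template)


@dataclass
class Chain:
    steps: List[Step]
    output: str          # template for the generated text, e.g. "{{step1.result.text}}"
    transport: Transport

    def run(self, prompt: str) -> str:
        ctx: Dict[str, Any] = {"input": prompt}
        for i, step in enumerate(self.steps):
            url = _render(step.url, ctx)
            params = {k: _render(v, ctx) for k, v in step.params.items()}
            body = {k: _render(v, ctx) for k, v in step.body.items()} if step.body is not None else None
            status, payload = self.transport(step.method, url, params, body)
            if not 200 <= status < 300:
                # Do not return an error body as if it were model output; surface it instead.
                raise ChainError(i, status, payload.get("message", json.dumps(payload)))
            ctx[f"step{i}"] = payload  # later steps may reference this response
        return _render(self.output, ctx)


def make_fake_transport() -> Transport:
    """Constructed stand-in for the app described in the PR (assumption, not a real service):
    POST /query stores the prompt and returns a query id; GET /result?id=<query id> returns the text."""
    pending: Dict[str, str] = {}
    ids = itertools.count(1)

    def transport(method, url, params, body):
        if method == "POST" and url == "https://chat.example.test/query":
            qid = f"q{next(ids)}"
            pending[qid] = (body or {}).get("prompt", "")
            return 202, {"query_id": qid}
        if method == "GET" and url == "https://chat.example.test/result":
            prompt = pending.pop(params.get("id", ""), None)
            if prompt is None:
                return 404, {"message": "unknown query id"}
            return 200, {"result": {"text": f"echo: {prompt}"}}
        return 400, {"message": "error details"}

    return transport


def example_chain() -> Chain:
    """The two-step flow from the PR description, wired to the fake transport."""
    steps = [
        Step("POST", "https://chat.example.test/query", body={"prompt": "{{input}}"}),
        Step("GET", "https://chat.example.test/result", params={"id": "{{step0.query_id}}"}),
    ]
    return Chain(steps, output="{{step1.result.text}}", transport=make_fake_transport())


if __name__ == "__main__":
    print(example_chain().run("Hello"))
```

Swapping `make_fake_transport()` for a thin wrapper around a real HTTP client is the only change needed to point the chain at a live application; the placeholder and error handling stay the same, and a 4xx/5xx from any step is reported rather than passed downstream as "output".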