Workflow/wuppiefuzz target fuzzing singlerunner #55

Draft
wants to merge 3 commits into
base: main

silv3rshi3ld

This commit introduces a GitHub Actions workflow named "WuppieFuzz CI Pipeline" for performing automated fuzzing of a target OpenAPI specification.

Key features of the pipeline:

  • Triggers on pushes and pull requests to the main branch.
  • Utilizes a self-hosted runner for execution.
  • Includes Docker setup to manage services using Docker Compose.
  • Builds and runs WuppieFuzz using the Rust toolchain.
  • Generates an initial corpus and performs fuzzing based on the provided OpenAPI spec.
  • Uploads a detailed WuppieFuzz report as an artifact.
  • Cleans up Docker resources after the workflow completes.

This pipeline enables efficient and automated fuzz testing to ensure API security.

This commit introduces a GitHub Actions workflow named "WuppieFuzz CI Pipeline" for performing automated fuzzing, with a single runner, of a target OpenAPI specification. 

Key features of the pipeline:
- Triggers on pushes and pull requests to the `main` branch.
- Utilizes a self-hosted runner for execution.
- Includes Docker setup to manage services using Docker Compose.
- Builds and runs WuppieFuzz using the Rust toolchain.
- Generates an initial corpus and performs fuzzing based on the provided OpenAPI spec.
- Uploads a detailed WuppieFuzz report as an artifact.
- Cleans up Docker resources after the workflow completes.

This pipeline enables efficient and automated fuzz testing to ensure API security.
@ThomasTNO
Contributor

Awesome, thanks @silv3rshi3ld, great configuration for implementing additional integration / acceptance testing. A small list of to-dos:

- [ ] Pick a target
- [ ] Test various configurations of WuppieFuzz

  • Blackbox
  • Whitebox
    • Validate reporting --report flag
    • Validate logging, i.e.
      • Does the exec/s make sense?
      • Does the coverage make sense (both endpoint and code)
      • Does the req/s make sense?
      • ...

@grebnetiew, @ringoTNO, @ArthurMelissen (and @silv3rshi3ld) feel free to add your suggestions :)

@silv3rshi3ld
Author

silv3rshi3ld commented Dec 12, 2024

Thanks, @ThomasTNO, for the kind words! I'm glad the CI configuration is helpful for integration and acceptance testing.

To make it easier for others to use WuppieFuzz with their own applications, here’s an example of how a Dockerfile and Docker Compose setup could be used:

Dockerfile for WuppieFuzz

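```dockerfile
# Use the official Rust image as the base
# (pin a specific tag or digest for reproducible builds)
FROM rust:latest

# Install build dependencies before copying the source so this layer is cached
RUN apt-get update \
    && apt-get install -y --no-install-recommends pkg-config libssl-dev \
    && rm -rf /var/lib/apt/lists/*

# Set the working directory
WORKDIR /wuppiefuzz

# Copy the source code
COPY . .

# Build WuppieFuzz
RUN cargo build --release

# Set the entrypoint to the built fuzzer (path is relative to WORKDIR)
ENTRYPOINT ["./target/release/wuppiefuzz"]
```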

Docker Compose Example

```yaml
version: '3.8'
services:
  target-app:
    build:
      context: .
      dockerfile: ./Dockerfile.target
    container_name: target-app
    ports:
      - "5001:5000" # Replace with your application's ports
    networks:
      - fuzzing_network
    healthcheck:
      # Requires curl to be present in the target image
      test: ["CMD", "curl", "-f", "http://localhost:5000/health"]
      interval: 10s
      retries: 3

  wuppiefuzz:
    build:
      context: .
      dockerfile: ./Dockerfile.wuppiefuzz
    container_name: wuppiefuzz
    depends_on:
      target-app:
        condition: service_healthy # Start only after the health check passes
    environment:
      TARGET_URL: http://target-app:5000 # Replace with your target's URL
    networks:
      - fuzzing_network
    volumes:
      - ./reports:/wuppiefuzz/reports # Store fuzzing results
      - ./openapi.yaml:/workspace/openapi.yaml:ro # OpenAPI spec for WuppieFuzz

networks:
  fuzzing_network:
    driver: bridge
```

How to Use
Commit to repo (Main as example)

WuppieFuzz will connect to target-app and start fuzzing based on the provided OpenAPI spec.

Results will be stored in the ./reports directory.

This setup provides a simple way to run WuppieFuzz with custom applications. Let me know if there’s anything more I can add.
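
A workflow with the features listed in the PR description, wired to the Compose setup above, as an added example (not the PR's workflow file, which is not shown on this page). It assumes the Compose file is saved as `docker-compose.yml` in the repository root and that the `wuppiefuzz` service is given a command that runs the fuzzer and writes into `./reports`; the job name, artifact name and timeout are placeholders.

```yaml
# Added example; job name, artifact name and timeout are assumptions.
name: WuppieFuzz CI Pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# The job only needs to read the repository
permissions:
  contents: read

jobs:
  fuzz:
    runs-on: self-hosted
    timeout-minutes: 60
    # Self-hosted runners keep state between jobs: skip pull requests from
    # forks so that only code from this repository runs on the runner.
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4

      # Build both images; the run ends when the wuppiefuzz container exits
      # and the step takes over its exit code.
      - name: Run target and fuzzer
        run: docker compose up --build --exit-code-from wuppiefuzz

      - name: Upload WuppieFuzz report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: wuppiefuzz-report
          path: reports/
          if-no-files-found: warn

      - name: Clean up Docker resources
        if: always()
        run: docker compose down --volumes --remove-orphans
```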

ThomasTNO marked this pull request as draft January 23, 2025 09:34