Breaking Cloud Native Web APIs in their natural habitat.
APACHE-2.0 License
Fuzzing web APIs in their fully converged Cloud Native state, just as they would be deployed in production, yields more representative results.
cnfuzz is a project written in Golang that automates fuzzing web APIs deployed in Kubernetes clusters. By tracking hashes of all container images, (re)deployed web API versions are fuzzed to detect potential security and stability issues, and the results are stored in a data lake.
By using Pod Annotations, OpenAPI and RESTler by Microsoft, both discovery and fuzzing are completely automated.
helm repo add cnfuzz https://suecodelabs.github.io/cnfuzz
helm repo update
helm install cnfuzz cnfuzz/cnfuzz
All it takes to get started after installing cnfuzz on your Kubernetes cluster is to annotate your Kubernetes Pods, Deployments, DaemonSets, etc. as in the following example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-api
spec:
  selector:
    matchLabels:
      app: my-api
  replicas: 1
  template:
    metadata:
      labels:
        app: my-api
      annotations:
        cnfuzz/enable: "true"
        cnfuzz/open-api-doc: "/swagger/swagger.json"
        cnfuzz/secret: "0d5989ed-d60c-470e-b1b5-576fcf0f5d8c"
    spec:
      containers:
        - name: myapi
          image: my-api
          imagePullPolicy: Always
          ports:
            - containerPort: 80
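The annotation opt-in and image-hash tracking described above can be pictured with the following added Go example, which is not cnfuzz's own code. The Pod struct, the Tracker type, the http scheme and the sample values are assumptions made for this illustration; only the annotation keys come from the manifest above.

```go
package main

import (
	"fmt"
	"strings"
)

// Pod is a constructed stand-in for the pod fields used here (assumption, not the Kubernetes API type).
type Pod struct {
	Name, IP    string
	Port        int
	Annotations map[string]string
	ImageIDs    []string // image digests reported for the pod's containers
}

// Tracker remembers image digests that were already selected for fuzzing (hypothetical helper).
type Tracker struct{ seen map[string]bool }

func NewTracker() *Tracker { return &Tracker{seen: map[string]bool{}} }

// Target returns the OpenAPI document URL of a pod that should be fuzzed.
// ok is false when the pod is not opted in, lacks a usable doc path, address
// or digest, or runs only images that were selected before.
func (t *Tracker) Target(p Pod) (url string, ok bool) {
	if p.Annotations["cnfuzz/enable"] != "true" {
		return "", false // not opted in
	}
	doc := p.Annotations["cnfuzz/open-api-doc"]
	if !strings.HasPrefix(doc, "/") || p.IP == "" || len(p.ImageIDs) == 0 {
		return "", false // misannotated or not yet running
	}
	fresh := false
	for _, id := range p.ImageIDs {
		if !t.seen[id] {
			t.seen[id], fresh = true, true // new or redeployed image version
		}
	}
	if !fresh {
		return "", false // same images as an earlier run: skip
	}
	return fmt.Sprintf("http://%s:%d%s", p.IP, p.Port, doc), true // http scheme is assumed
}

func main() {
	t := NewTracker()
	ann := map[string]string{"cnfuzz/enable": "true", "cnfuzz/open-api-doc": "/swagger/swagger.json"}
	pod := Pod{Name: "my-api-1", IP: "10.0.0.5", Port: 80, Annotations: ann, ImageIDs: []string{"sha256:aaa"}}
	fmt.Println(t.Target(pod)) // constructed sample pod, first sighting of this digest
	fmt.Println(t.Target(pod)) // same digest again
}
```
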
Install Kind and/or Rancher Desktop
Install Helm
# don't forget to commit your changes locally before deploying to Kind.
make kind-init
# don't forget to commit your changes locally before deploying to Rancher Desktop.
make rancher-init
These commands do the following:
cnfuzz
Kubernetes
cnfuzz via helm with the local built image
# don't forget to commit your changes locally before deploying to Kind.
make kind-build
# don't forget to commit your changes locally before deploying to Rancher Desktop.
make rancher-build
These commands do the following:
cnfuzz and upgrade deployment with latest image
This command does the following:
cnfuzz installation from Kubernetes
make k8s-clean
# If you did a git pull between the above build and the below k8s-clean
# you will see an error. Specify the release as follows:
make k8s-clean GIT_COMMIT=f4fd3d2
For building the project you can use the Makefile.
CNFUZZ_IMAGE=myrepo/cnfuzz RESTLERWRAPPER_IMAGE=myrepo/restlerwrapper make image
# Compile project to binaries in dist/
make all
Useful flags for debugging:
# cnfuzz
--debug # extra logging
--local-config # cnfuzz will use your local config in $HOME/.kube/config (by default)
--config "hack/default_config.yaml"
--ddoc-ip localhost # overwrite the OpenApi doc source IP
--ddoc-port 8080 # overwrite the OpenApi doc source port
# restlerwrapper
--debug
--pod todo-api-xxxxxxxxxx-xxxxx
--port 8080 # set the port of the target service
--ddoc-ip localhost # overwrite the IP that is used to get the OpenApi doc
--dry-run # don't do anything, just print the commands to the console
--local-config
--time-budget 0.001 # RESTler jobs complete almost instantly
NOTE: The Devspace setup is currently broken :( see issue #84
The code can be debugged in your IDE (outside the cluster) with the --inside-cluster=false flag.
But you can also attach a debugger to a running pod inside a cluster using DevSpace.
devspace dev in the root directory of this repository
air -c air.toml inside the container
cd docs
helm package ../chart/cnfuzz
helm repo index --url https://suecodelabs.github.io/cnfuzz/ .
Create an issue, open up a PR or contact us via [email protected]
Every first Thursday of the month at 18:30 CET there will be a hybrid community meetup for users, developers and maintainers of the project hosted at Sue B.V. in the Netherlands.
Join via Google Meet, or see you at Sue B.V., with lovely drinks and food before the meetup!
Do you want swag that our awesome marketing team created for this project? Come to our community meetup on prem or contact [email protected] to receive your swag!
Do you need support that cannot be handled via issue tracking? Please contact us at [email protected] or via the contact form on this page.