CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
APACHE-2.0 License
Published by en-milie over 2 years ago
Release Notes:
targetFieldTypes
element in SecurityFuzzer
all
as path name in SecurityFuzzer
CustomFuzzer
to FunctionalFuzzer
Published by en-milie almost 3 years ago
Release Notes:
Published by en-milie almost 3 years ago
Release Notes:
refData
files using the CustomFuzzer
CustomFuzzer
and SecurityFuzzer
files can now be run using the cats run
command
Fuzzers
skip matching response Schema
Fuzzers
for headers
validateAndSanitize
strategy to maintain size
Fuzzers
Fuzzers
cats-summary-report.json
--output
to change the folder where the CATS report is written
NO_COLOR
environment variable is set
Published by en-milie almost 3 years ago
Release Notes:
--contentType
which is useful for content negotiation
replay
command now supports proxy and additional auth options
replay
command
Published by en-milie almost 3 years ago
Release Notes:
CATS
is now migrated to Quarkus
. This brings the ability to have native binaries for Linux and Mac OS, so no need for Java to be installed
Quarkus
is that CATS
is now faster
PicoCli
, CATS
is more command line friendly and offers the typical functionalities offered by any other command line tool: short arguments, autocomplete in bash and zsh, help, etc.
VeryLargeXXX
fuzzers
--blackbox
mode as a shortcut to --ignoreResponseCodes="2xx,4xx"
[Edit]
The native binaries will be available in 7.0.1 as the current versions had some issues caused by the native-image compilation.
Use java -jar cats.jar
instead of cats
.
Published by en-milie almost 3 years ago
Release Notes:
connectionTimeout, readTimeout and writeTimeout
as arguments
request#
--dryRun
in order to see how many tests will get generated for each path
maxReqPerMinute
to 10000
error
in order to encourage providing business context
--reportingLevel
argument as it was redundant and extend --log
to pick up multiple packages
--ignoreResponseCodes
. This will ignore WARNs and ERRORs reported when those codes are returned and mark them as successful
--printExecutionStatistics=detailed
for details
./cats.jar replay --tests=...
--help
, -h
and --version
, -v
for help and version--includeEmojis
, --includeWhitespaces
and --includeControlChars
to include them
Published by en-milie about 3 years ago
Release notes:
Published by en-milie about 3 years ago
Release Notes:
--maxRequestsPerMinute
Published by en-milie about 3 years ago
Release Notes:
Published by en-milie over 3 years ago
Release Notes:
maxLength
is equal to 2^31-1
, reported under #11
Published by en-milie over 3 years ago
Release Notes:
--sanitizationStrategy
. This is used when sending ControlChars and Emojis inside valid values
--httpMethods
to be fuzzed. You can exclude methods which you don't want to be fuzzed
httpMethod
is now mandatory for the CustomFuzzer
and SecurityFuzzer
Published by en-milie over 3 years ago
Release Notes:
NonRestHttpMethodsFuzzer
that was not running successfully for all cases
GET
byte
format
Published by en-milie over 3 years ago
Release Notes:
NullValuesInHeaders
as it was similar to EmptyStringValuesInHeaders
verify
section of the CustomFuzzer
file
Published by en-milie over 3 years ago
Release Notes:
--reportFormat=htmlOnly
argument. HTML-only reports are easier to embed in CI server reports due to JavaScript content security policies
cats-report
folder instead of test-report
(this was a bit generic and confusing)
--skipPaths=LIST
which can be used to skip a list of paths from fuzzing
Long
values are written in CATS report as String
as JavaScript has issues parsing Long
numbers
Fuzzer
name in the CATS report summary table
Published by en-milie over 3 years ago
Release Notes:
--timestampReports
is supplied
Published by en-milie over 3 years ago
Release Notes:
test-report
based on timestamp. This way you can keep track of historical runs
Fuzzers
for contract checking: HttpStatusCodeInValidRangeFuzzer
, RecommendedHttpCodesContractInfoFuzzer
, SecuritySchemesContractInfoFuzzer
Scenario
and Expected Result
from the report. These were redundant
Scenario
title for all ContractInfo
Fuzzers
Published by en-milie almost 4 years ago
Release notes: