After determining that an endpoint is eligible for a YAML Test, it is forwarded to the execution step. This section is used to describe actions/modifications to achieve the desired test request body.

Syntax

Execute operators can be of the following types -

add_body_param

Used for adding a new key/value pair in the request payload at the root. This takes 2 params, key and value.

Example 1

Original request body of the endpoint you are trying to test:

{
  "user": "John Doe",
  "email": "johndoe@example.com"
}

Let’s say we want to add key (”status”) with value → “admin”

Sample Yaml to modify request body

execute:
	add_body_param:
		status: admin

Modified request body of the endpoint you are trying to test:

{
  "user": "John Doe",
  "email": "johndoe@example.com",on
	"status": "admin"
}

modify_body_param

Used for modifying value of an existing key in the request payload at any position. If the key is missing, executor engine ignores the step and moves on to next operation. This takes 2 params, key and value.

Example 1

Original request body of the endpoint you are trying to test:

{
  "user": "John Doe",
  "email": "johndoe@example.com"
}

Let’s say we want to modify key (”user”) with value → “admin”

Sample Yaml to modify request body

execute:
  type: single
  requests:
    - req: 	
			-	modify_body_param:
					user: admin

Modified request body of the endpoint you are trying to test:

{
  "user": "admin",
  "email": "johndoe@example.com"
}

delete_body_param

Used for deleting an existing key in the request payload at any position. If the key is missing, executor engine ignores the step and moves on to next operation. This takes single param, key.

Example 1

Original request body of the endpoint you are trying to test:

{
  "user": "John Doe",
  "email": "johndoe@example.com"
	"isActive": false
}

Let’s say we want to remove key (”isActive”)

Sample Yaml to modify request body

execute:
  type: single
  requests:
    - req: 	
				- delete_body_param: isActive

Modified request body of the endpoint you are trying to test:

{
  "user": "admin",
  "email": "johndoe@example.com"
}

replace_body

Used for replacing the entire request body with the supplied input. This takes 1 param, new payload.

Original request body of the endpoint you are trying to test:

{
  "user": "John Doe",
  "email": "johndoe@example.com",
	"isActive": false
}

Let’s say we want to replace the above payload with below new payload

{
		"id": 5,
		"admin": true
}

Sample Yaml to modify request body

execute:
  type: single
  requests:
    - req: 	
			 - replace_body: '{"id": 5, "admin": true}'

add_header

Used for adding a new key/value pair in the request headers. This takes 2 params, key and value.

Example 1

original header of the endpoint you are trying to test:

Content-Type: application/json
Authorization: <Bearer-Token>

Let’s say we want to add a new header (”Host”) with value → “xyz.evil.com”

Sample Yaml to modify request header

execute:
  type: single
  requests:
    - req: 
				- add_header:
						Host: xyz.evil.com

Modified request header of the endpoint you are trying to test:

Content-Type: application/json
Authorization: <Bearer-Token>
Host: xyz.evil.com

modify_header

Used for modifying value of an existing header key in the request headers. If the header key is missing, executor engine ignores the step and moves on to next operation. This takes 2 params, key and value.

Example

original header of the endpoint you are trying to test:

Content-Type: application/json
Authorization: <Bearer-Token>

Let’s say we want to modify key (”Authorization”) with a different user token value →

Sample Yaml to modify request header

jsexecute:
  type: single
  requests:
    - req: 
				- modify_header:
						Authorization: <Bearer-Token2>

Modified request header of the endpoint you are trying to test:

Content-Type: application/json
Authorization: <Bearer-Token2>

delete_header

Used for deleting an existing header key in the request headers. If the header key is missing, executor engine ignores the step and moves on to next operation. This takes a single param, key.

Example 1

original header of the endpoint you are trying to test:

Content-Type: application/json
Authorization: <Bearer-Token>

Let’s say we want to modify key (”Authorization”) with a different user token value →

Sample Yaml to delete request header

execute:
  type: single
  requests:
    - req: 	
				- delete_header: Authorization

Modified request header of the endpoint you are trying to test:

Content-Type: application/json

add_query_param

Used for adding a new key/value pair in the query params. This takes 2 params, key and value.

Example 1

original url of the endpoint you are trying to test:

http://xyz.com?user=1

Let’s say we want to add a new query param (”admin”) with value → true

Sample Yaml to add query params

execute:
  type: single
  requests:
    - req: 
			- add_query_param:
					admin: true

New query params in the url of the endpoint you are trying to test:

http://xyz.com?user=1&admin=true

modify_query_param

Used for modifying value of an existing key in the query params. If the key is missing, executor engine ignores the step and moves on to next operation. This takes 2 params, key and value.

Example 1

original url of the endpoint you are trying to test:

http://xyz.com?user=1

Let’s say we want to modify query param (”user”) with value → 4

Sample Yaml to modify query params

execute:
  type: single
  requests:
    - req: 
				- modify_query_param:
						user: 4

modified query params in the url of the endpoint you are trying to test:

http://xyz.com?user=4

delete_query_param

Used for deleting an existing key in the query params. If the key is missing, executor engine ignores the step and moves on to next operation. This takes single params, key.

Example 1

original url of the endpoint you are trying to test:

http://xyz.com?user=1&active=true

Let’s say we want to delete query param (”active”)

Sample Yaml to modify query params

execute:
  type: single
  requests:
    - req: 	
			- delete_query_param: active

modified query params in the url of the endpoint you are trying to test:

http://xyz.com?user=1

modify_url

Used for modifying url to desired value. Supports entire url replacement, as well as replacing just a substring.

Replace entire url

original url of the endpoint you are trying to test:

http://xyz.com/api/v1/user

Let’s say you want to replace this with the below url -

http://xyz.evil.com/api/v2/users

Sample Yaml to modify url

execute:
  type: single
  requests:
    - req: 
				- modify_url: http://xyz.evil.com/api/v2/users

Replace based on regex

original url of the endpoint you are trying to test:

http://xyz.com/api/v2/user

Let’s say i just want to replace v2 with v1 in the above url -

Sample Yaml to modify url

execute:
  type: single
  requests:
    - req: 
      - modify_url:
          regex_replace:
            regex: v[\d+]/
            replace_with: v1/

👉🏻 **In simple language:** The above yaml syntax is modifying request url by replacing specified regex string match with v1/

modified url of the endpoint you are trying to test:

http://xyz.com/api/v1/user

Insert token in url

You can use token_insert to insert a token (Eg 123) in the url.

eg. if you want to convert /api/v1/user/orders to /api/v1/user/123/orders, you can do:

  - modify_url:
      token_insert:
        location: 4
        replace_with: 123

Replace token in url

You can use token_replace to insert a token (Eg 123) in the url.

eg. if you want to convert /api/v1/user/456/orders to /api/v1/user/123/orders, you can do:

  - modify_url:
      token_replace:
        location: 4
        replace_with: 123

modify_method

Used for modifying http method to desired method value. This takes a single param, new method value.

Example 1

original url of the endpoint you are trying to test:

POST http://xyz.com/api/v1/user

Let’s say we want to modify method value to PUT

Sample Yaml to modify method

execute:
  type: single
  requests:
    - req: 
      - modify_method: PUT

modified url of the endpoint you are trying to test:

PUT http://xyz.com/api/v1/user

remove_auth_header

Used for Removing Auth Headers in the request headers. If auth headers are missing, this operation throws an error and aborts the test for the endpoint. (Refer to Auth section for better understanding on how auth headers are picked by yaml execution engine.)

Example 1

original headers of the endpoint you are trying to test:

Content-Type: application/json
Authorization: <Bearer-Token>

Let’s say we want to remove the auth header for the test request(in this case auth header is - “Authorization”). Prerequisite: the auth has to be configured in auth types in the dashboard for the below execute section to identify authorization key.

Sample Yaml to remove auth headers

execute:
  type: single
  requests:
    - req: 	
				- remove_auth_header: true

modified headers of the endpoint you are trying to test:

Content-Type: application/json

replace_auth_header

Used in many tests where we need to replace the auth header and inject a malicous auth header instead. This flag removes all the auth headers (including custom auth types) before adding malicious auth headers.

Example 1 - replace auth token by attacker's token

This assumes you have set attacker credentials in User config section.

Sample YAML to replace headers by attacker's tokens

execute:
  type: single
  requests:
    - req:
	- replace_auth_header : true

modified headers will now look like:

Authorization: Bearer attacker.token.here

Example 2 - modify JWT auth token

Used in Broken Authentication tests to exploit JWT-related vulnerabilities. For example, invalidating signature, setting algo to None etc. Possible values are

• ${auth_context.none_algo_token} - modify JWT token and set algo=NONE

• ${auth_context.invalid_signature_token} - modify JWT token and make signature invalid (by appending extra characters to signature)

• ${auth_context.jku_added_token} - modify JWT token by adding a JKU parameter in headers

• ${auth_context.jwk_added_token} - modify JWT token by adding JWK-related parameters in headers

• ${auth_context.kid_added_token} - modify JWT token by adding kid parameter in headers

Sample YAML to use the above instructions -

execute:
  type: single
  requests:
    - req:
	- replace_auth_header : ${auth_context.invalid_signature_token}

Modifies the headers by invalidating signature

Authorization: Bearer eyJewqafsd.eafsdzcx.some_invalid_signature_here

follow_redirect

Used for specifying whether the test attempt should follow redirect or not, in case the response received if of redirect type. By default follow redirect is set to true. This takes a single boolean argument(true/false)

Sample Yaml ****For Disabling Redirect

execute:
  type: single
  requests:
    - req:
	- follow_redirect: false

attach_file

Used to replace the request body by the contents of the file. This is useful for APIs that take file an input. Users can test such APIs by passing files with malicious content.

Sample Yaml for attach_file

execute:
  type: single
  requests:
    - req:
        - attach_file: https://some.url.here/file.pdf

jwt_replace_body

Used to replace the jwt body. This just replaces the payload. It keeps headers and signature the same as original JWT token

Sample yaml

execute:
  type: single
  requests:
  - req:
    - jwt_replace_body: ey.new_body.new_signature

Modified token looks like -

Authorization: ey.new_body.old_signature

Combining multiple conditions in Execute

Let’s see a few examples on how we can combine multiple execution operations into a test -

Example 1

Scenario -

1. add body_param (”status”) with value → “admin” in request payload

2. modify Request Method To Post

3. delete QueryParam with key (”userId”)

Sample Yaml -

execute:
	type: single
  requests:
    - req:
      - add_body_param:
      	  status: admin
      - modify_method: POST
      - delete_query_param: userId

Example 2

Scenario -

1. delete auth header from request

2. add Header (”origin”) with value → xyz.evil.com

Sample Yaml -

auth:
  authenticated: true
execute:
  type: single
  requests:
    - req:
        - delete_auth_header: true
        - add_header:
            origin: xyz.evil.com 
        - delete_query_param: userId