Test YAML Syntax (One pager)
Name | Desciption |
|---|---|
id | The ID field serves as a unique, descriptive identifier for a particular test YAML file. |
Name | Desciption |
|---|---|
info | Name, Description, Details, Impact, Category, SubCategory, Severity, Tags |
Name | Desciption |
|---|---|
api_selection_filters | This section describes the conditions that act as selection criteria for choosing APIs that are eligible for a particular test. It also filters out APIs that are not eligible. |
Parent Operators | response_code, method, url, request_payload, response_payload, request_headers, response_headers, query_param |
Data Operators | regex, eq, neq, gt, gte, lt, lte
not_contains, not_contains_either, contains_jwt, contains_all, contains_either |
Collection Operators | for_one |
Combining Conditions using Boolean Operators | or, and |
Name | Desciption |
|---|---|
execute | add_body_param, modify_body_param, delete_body_param, add_query_param, modify_query_param, delete_query_parammodify_url,modify_method,replace_body,add_header, modify_header, delete_header, remove_auth_header,follow_redirect |
Combining Conditions using Boolean Operators | or, and |
Name | Desciption |
|---|---|
auth | This section describes the conditions that serve as validation criteria for determining whether a particular endpoint is vulnerable to a given test. |
Name | Description |
|---|---|
validate | This section describes the conditions that serve as validation criteria for determining whether a particular endpoint is vulnerable to a given test. |
Parent Operators | response_code, method, url, request_payload, response_payload, request_headers, response_headers, query_param |
Data Operators | regex, eq, neq, gt, gte, lt, lte
not_contains, not_contains_either, contains_jwt, contains_all, contains_either |
Collection Operators | for_one |
Combining Conditions using Boolean Operators | or, and |
Example API
1
POST https://xyz.abc.com/api/v1/users?userId=500&creationFlow=true
2
Request Payload
3
4
{
5
"userData": {
6
"name": "user1"
7
"status": "normalUser"
8
"age": 20
9
},
10
"profileData": {
11
"isActive": true,
12
"createdAt": 1254345343
13
}
14
}
15
16
Response Payload
17
{
18
"id": 500,
19
"created": true,
20
"username": "user1",
21
}
22
23
Request Headers
24
25
Content-Type: application/json
26
Authorization: <Bearer-Token>
27
Host: https://xyz.abc.com
28
29
Response Headers
30
31
access-control-allow-origin: "*"
32
date: "Wed, 05 Jul 2023 09:53:32 GMT"
33
content-length: "14871"
34
server: "uvicorn"
35
access-control-allow-credentials: "true"
36
content-type: "application/json"
Let’s have a comprehensive look at all the possible operators in 1 single yaml.
YAML with all operators
1
id: Vulnerable_Test
2
info:
3
name: "" # specifies the name or title of the test
4
description: "" # provides a detailed explanation of the test. describes objectives, methodologies, and scope of the test
5
details: "" # allows inclusion of additional information and context about the test
6
impact: "" # describes the potential risks or consequences associated with the identified vulnerabilities
7
category: # classifies the test into a specific category or domain
8
name: ""
9
shortName: ""
10
displayName: ""
11
subCategory: "" # this key also specifies the name or title of the test. should always contain the same value as id key
12
severity: "" # indicates the severity level assigned to the identified vulnerabilities
13
tags: "" # provides descriptive labels or keywords associated with the test
14
references: "" # contains a list of relevant resources, documentation, or external links related to the test
15
auth:
16
authenticated: true # makes sure that only authentiated api's get considered for a test.
17
api_selection_filters:
18
response_code: # Filters API calls that return a response code between 200 and 300 (inclusive).
19
gte: 200
20
lte: 300
21
url:
22
contains_all: # Filters API calls that contain the word "user" in the URL.
23
- user
24
extract: urlVar # extracts the url value into a variable named urlVar
25
method:
26
contains_either: # Filters API calls that use either the POST, PATCH, or PUT HTTP methods
27
- POST
28
- PATCH
29
- PUT
30
request_payload: # Filters API calls whose request payload contains a key-value pair where the key matches the regex ".*age*." and the value is between 15 and 40 (inclusive)
31
for_one:
32
key:
33
regex: .*age*.
34
extract: ageVar # extracts the matching key value into a variable named ageVar
35
value:
36
gt: 15
37
lt: 40
38
response_payload: # Filters API calls whose response payload does not contain the string "user2."
39
not_contains: user2
40
request_headers: # Filters API calls whose request header contains a whose value has a JWT token in it.
41
for_one:
42
key:
43
contains_jwt: true
44
response_headers: # Filters API calls whose response header contains a key that exactly matches "server" and a value that matches the regex "nginx/1.8.0."
45
for_one:
46
key:
47
eq: server
48
value:
49
regex: nginx/1.8.0
50
execute:
51
type: single
52
requests:
53
- req:
54
- modify_url: https://xyz.abc.com/api/v2/users # Changes the URL of the API call to "[https://xyz.abc.com/api/v2/users."](https://xyz.abc.com/api/v2/users.%22)
55
- modify_method: PATCH # Changes the HTTP method of the API call to PATCH.
56
- add_body_param: # Adds a key-value pair "k1: v1" to the request body.
57
k1: v1
58
- modify_body_param: # Changes the value of the "status" key in the request body to "admin."
59
status: admin
60
- delete_body_param: age # Deletes the "age" key-value pair from the request body.
61
- add_header: # Adds a "h1: v2" key-value pair to the request header.
62
h1: v2
63
- modify_header: # Changes the value of the "host" key in the request header to "[https://xyz.evil.com](https://xyz.evil.com/)."
64
host: https://xyz.evil.com
65
- delete_header: authorization # Deletes the "authorization" key-value pair from the request header.
66
- add_query_param: # Adds a "q1: v3" key-value pair to the query string.
67
q1: v3
68
- modify_query_param: # Changes the value of the "userId" key in the query string to "501."
69
userId: 501
70
- delete_query_param: creationFlow # Deletes the "creationFlow" key-value pair from the query string.
71
- replace_body: '{"user": "newUser", "status": "admin"}'
72
- remove_auth_header: true # Replaces the entire request body with the JSON object
73
- follow_redirect: true # Follows any HTTP redirects returned by the API call.
74
validate:
75
response_code: # Validates that the response code of the API call is 201.
76
eq: 201
77
response_payload: # Validates that the response payload is not empty and contains atleast one key named "success". Also it checks whether test response payload and sample response payload content are not similar(difference should be higher than 50%)
78
length:
79
gt: 0
80
percentage_match:
81
lt: 50
82
contains_either:
83
for_one:
84
key: success
This section contains a set of filters that can be used to select specific API calls based on various criteria. The filters include:
response_code: Filters API calls that return a response code between 200 and 300 (inclusive).url: Filters API calls that contain the word "user" in the URL.method: Filters API calls that use either the POST, PATCH, or PUT HTTP methods.request_payload: Filters API calls whose request payload contains a key-value pair where the key matches the regex ".age." and the value is between 15 and 40 (inclusive).response_payload: Filters API calls whose response payload does not contain the string "user2."request_headers: Filters API calls whose request header contains a key that matches "contains_jwt."response_headers: Filters API calls whose response header contains a key that exactly matches "server" and a value that matches the regex "nginx/1.8.0."
This section contains a set of operations that can be performed on API calls that match the selection criteria specified above. The operations include:
modify_url: Changes the URL of the API call to "https://xyz.abc.com/api/v2/users."modify_method: Changes the HTTP method of the API call to PATCH.add_body_param: Adds a key-value pair "k1: v1" to the request body.modify_body_param: Changes the value of the "status" key in the request body to "admin."delete_body_param: Deletes the "age" key-value pair from the request body.add_header: Adds a "h1: v2" key-value pair to the request header.modify_header: Changes the value of the "host" key in the request header to "https://xyz.evil.com."delete_header: Deletes the "authorization" key-value pair from the request header.add_query_param: Adds a "q1: v3" key-value pair to the query string.modify_query_param: Changes the value of the "userId" key in the query string to "501."delete_query_param: Deletes the "creationFlow" key-value pair from the query string.replace_body: Replaces the entire request body with the JSON object{"user": "newUser", "status": "admin"}.remove_auth_header: Removes the "authorization" header from the request.follow_redirect: Follows any HTTP redirects returned by the API call.
This section contains a set of validation criteria that can be used to validate the response of the API call after it has been modified by the operations specified in the "Execute" section. The validation criteria include:
response_code: Validates that the response code of the API call is 201.response_payload: Validates that the response payload is not empty and contains either a key "success".
Last modified 2mo ago