|
7 | 7 | # Commons |
8 | 8 | Web Fuzzing Commons (WFC): A set of standards and library support for facilitating fuzzing Web APIs. |
9 | 9 |
|
10 | | -## THIS REPOSITORY IS CURRENTLY IN EARLY STAGE |
| 10 | +## DISCLAIMER |
| 11 | + |
| 12 | +This is a new project, for which we are writing documentation now. |
| 13 | +More will be added in the next coming weeks. |
| 14 | + |
| 15 | + |
| 16 | +## Overview |
| 17 | + |
| 18 | +WFC is for developers of Web API fuzzers, by providing utilies and library support for tasks that are common for all fuzzers. |
| 19 | +Currently, we focus on REST APIs. |
| 20 | +But future versions of WFC will likely be extended to support GraphQL and RPC as well. |
| 21 | + |
| 22 | +There are 4 main contributions in WFC: |
| 23 | + |
| 24 | +1) _WFC Authentication_: a JSON Schema definition to represent authentication information for fuzzers. Currently under [src/main/resources/wfc/schemas/auth.yaml](src/main/resources/wfc/schemas/auth.yaml). Documentation on how to use is can be found at [UNDER-CONSTRUCTION]. Examples of configurations files can be found in the [Web Fuzzing Dataset (WFD) repository](https://github.com/WebFuzzing/Dataset). |
| 25 | + |
| 26 | +2) _WFC Faults_: classification of existing automated oracles proposed in the literature of fuzzing web APIs. Currently under [src/main/resources/wfc/faults/fault_categories.json](src/main/resources/wfc/faults/fault_categories.json). |
| 27 | + |
| 28 | +3) _WFC Report_: a JSON schema definition to represent output information from the fuzzers. Currently under [src/main/resources/wfc/schemas/report.yaml](src/main/resources/wfc/schemas/report.yaml). |
| 29 | + |
| 30 | +4) _WFC Web Report_: a web application that is able to visualize and interact with fuzzer reports in WFC format. Currently under [web-report](web-report). |
| 31 | + |
| 32 | + |
| 33 | +## For Fuzzer Developers |
| 34 | + |
| 35 | +If you are a developer of a Web API fuzzer, there are 3 ways in which you can contribute: |
| 36 | + |
| 37 | +1) If you developed a novel automated oracle for detecting faults in APIs, you can make a PR (or send us a description) to add its information to _WFC Faults_. |
| 38 | + |
| 39 | +2) If there is some authentication mechanism not currently expressible with WFC, please open a new issue to describe it. |
| 40 | + |
| 41 | +3) If you tried to integrate WFC in your fuzzer, but got stuck with some issues, let us know! We welcome contributions and people that want to join the development and standardization of WFC. |
| 42 | + |
| 43 | + |
| 44 | +## Fuzzers Supporting WFC |
| 45 | + |
| 46 | +WFC has been initially developed by the authors of [EvoMaster](https://github.com/WebFuzzing/EvoMaster). |
| 47 | +If your fuzzer supports now WFC (e.g., implements authentication mechanisms based on WFC schema definition, and can output results in WFC report format), create a PR (or send us a message) and we will add it here. |
| 48 | + |
| 49 | +Current fuzzers (fully/partially) supporting WFC: |
| 50 | +* [EvoMaster](https://github.com/WebFuzzing/EvoMaster) |
| 51 | + |
| 52 | + |
| 53 | + |
11 | 54 |
|
12 | | -Documentation will be provided soon. |
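Review bot: The Overview and the first contribution item have wording errors that should be fixed before this lands, since this README is the project's only documentation for now. On new line 18, "utilies" is a typo for "utilities", and "WFC is for developers of Web API fuzzers, by providing ..." does not parse; something like "WFC supports developers of Web API fuzzers by providing utilities and library support for tasks common to all fuzzers" would read cleanly. On new line 24, "Documentation on how to use is can be found at [UNDER-CONSTRUCTION]" has a stray "is" and a bracketed placeholder that renders as literal text rather than a link; either drop the sentence until the documentation exists or say plainly that the usage documentation is not yet written. The same line, and new line 28, call the schemas "JSON Schema" definitions while linking to auth.yaml and report.yaml, so a short remark that the schemas are written in YAML would save readers a moment of confusion. Smaller points: "next coming weeks" on new line 13 should be "coming weeks", "supports now WFC" on new line 47 should be "now supports WFC", and the three trailing blank lines added at new lines 51 to 53 can be trimmed to one.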
|