From 6ff2991437a74e9d801b997a6aee73582db440ca Mon Sep 17 00:00:00 2001
From: arcuri82
Date: Tue, 9 Jun 2026 12:07:12 +0200
Subject: [PATCH 1/3] starting preparing create-users option
---
 src/main/resources/wfc/schemas/auth.yaml | 36 ++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/src/main/resources/wfc/schemas/auth.yaml b/src/main/resources/wfc/schemas/auth.yaml
index 53440a5..836aaed 100644
--- a/src/main/resources/wfc/schemas/auth.yaml
+++ b/src/main/resources/wfc/schemas/auth.yaml
@@ -81,8 +81,44 @@ $defs:
 $ref: "#/$defs/Header"
 loginEndpointAuth:
 $ref: "#/$defs/LoginEndpoint"
+ createUsers:
+ $ref: "#/$defs/CreateUsers"
 x-required: ["name"]
 ###
+ CreateUsers:
+ description: "For some example APIs, it might be possible to create new users with a single HTTP request. \
+ In these cases, instead of relying on knowledge of existing users, the fuzzer can create them on \
+ the fly. This can be useful when endpoints might modify data of existing users, whose auth info \
+ could get invalidated during the fuzzing session."
+ type: object
+ properties:
+ endpoint:
+ description: "The endpoint path (eg '/users') where to execute the create user action. \
+ It assumes it is on same server of API.\
+ If not, rather use 'externalEndpointURL'."
+ type: string
+ externalEndpointURL:
+ description: "If the create endpoint is on a different server, here can rather specify the full URL for it."
+ type: string
+ payloadRaw:
+ description: "The raw payload to send, as a string. This will need to contain the template placeholders \
+ defined in the generators. "
+ type: string
+ verb:
+ $ref: "#/$defs/HttpVerb"
+ contentType:
+ description: "Specify the format in which the payload is sent to the login endpoint. \
+ A common example is 'application/json'."
+ type: string
+ generators:
+ description: "List of generators for unique/random names to use in payload template resolution."
+ type: array
+ items:
+ @ref
+ TODO
+ x-required:
+ allOf: ["verb","contentType","payloadRaw"]
+ oneOf: ["endpoint","externalEndpointURL"]
 LoginEndpoint:
 description: "Used to represent the case in which a login endpoint is used to obtain the authentication credentials. \
 These can be cookies, or a token extracted from the login endpoint's response. \
From cd07e6e6fe55fd06a775674615b29bf033045d85 Mon Sep 17 00:00:00 2001
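Review bot: The `contentType` description in `CreateUsers` says the payload is sent "to the login endpoint", which looks copied from `LoginEndpoint`; it should name the create-user endpoint, e.g. `Specify the format in which the payload is sent to the create-user endpoint. \`. In the `endpoint` description the line ending `API.\` has no space before the continuation backslash, so the resolved text reads "API.If not"; `It assumes it is on same server of API. \` fixes it. `externalEndpointURL` is a bare `type: string`, and since the fuzzer will send the payload with generated account data to whatever is configured there, consider `format: uri` plus a sentence that an http/https URL is expected, if the schema tooling honours `format`. The `@ref` / `TODO` placeholder under `items:` is not valid YAML (a plain scalar cannot start with `@`), so the schema does not load at this commit taken on its own.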
From: arcuri82
Date: Tue, 9 Jun 2026 14:28:17 +0200
Subject: [PATCH 2/3] definition of create-users
---
 src/main/resources/wfc/schemas/auth.yaml | 40 ++++++++++++++++++++++++++++++++++--
 1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/src/main/resources/wfc/schemas/auth.yaml b/src/main/resources/wfc/schemas/auth.yaml
index 836aaed..c9e46b1 100644
--- a/src/main/resources/wfc/schemas/auth.yaml
+++ b/src/main/resources/wfc/schemas/auth.yaml
@@ -113,12 +113,46 @@ $defs:
 generators:
 description: "List of generators for unique/random names to use in payload template resolution."
 type: array
+ minLength: 1
 items:
- @ref
- TODO
+ $ref: "#/$defs/Generator"
 x-required:
- allOf: ["verb","contentType","payloadRaw"]
+ allOf: ["verb","contentType","payloadRaw","generators"]
 oneOf: ["endpoint","externalEndpointURL"]
+
+ Generator:
+ description: "Parametric producer of unique string values. \
+ This is needed for example when creating user-names dynamically in the authentication configurations."
+ type: object
+ properties:
+ placeHolder:
+ description: "Placeholder tag used to represent a value generated with this generator. \
+ String interpolation will be applied to the raw payloads to replace any found instance of \
+ this placeholder with the generated value."
+ type: string
+ examples:
+ - "{$username}"
+ - "{$email}"
+ minLength:
+ description: "Minimum length of the generated string"
+ type: number
+ min: 0
+ maxLength:
+ description: "Maximum length of the generated string"
+ type: number
+ min: 0
+ prefix:
+ description: "Fixed prefix shared by all generated strings"
+ type: string
+ examples:
+ - "user_"
+ postfix:
+ description: "Fixed postfix shared by all generated strings"
+ type: string
+ examples:
+ - "@example.com"
+ x-required: ["placeHolder"]
+
 LoginEndpoint:
 description: "Used to represent the case in which a login endpoint is used to obtain the authentication credentials. \
 These can be cookies, or a token extracted from the login endpoint's response. \
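Review bot: `minLength: 1` on the `generators` array does not constrain the number of items, because in JSON Schema `minLength` applies to strings and the array keyword is `minItems`; `minItems: 1` is what enforces at least one generator. In `Generator`, the `minLength` and `maxLength` properties use `type: number` with `min: 0`, which accepts fractional lengths and, unless the WFC tooling defines its own `min` keyword, leaves the lower bound unchecked; `type: integer` with `minimum: 0` would state the intent. The two descriptions should also say whether the length includes `prefix` and `postfix`, and what happens when `maxLength` is smaller than `minLength`.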
From 125877bbff06832a31bb7a431d9691ecb7097eae Mon Sep 17 00:00:00 2001
From: arcuri82
Date: Tue, 9 Jun 2026 14:39:14 +0200
Subject: [PATCH 3/3] added constraint
---
 src/main/resources/wfc/schemas/auth.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/main/resources/wfc/schemas/auth.yaml b/src/main/resources/wfc/schemas/auth.yaml
index c9e46b1..8380138 100644
--- a/src/main/resources/wfc/schemas/auth.yaml
+++ b/src/main/resources/wfc/schemas/auth.yaml
@@ -130,6 +130,7 @@ $defs:
 String interpolation will be applied to the raw payloads to replace any found instance of \
 this placeholder with the generated value."
 type: string
+ minLength: 1
 examples:
 - "{$username}"
 - "{$email}"