Hi,
I am on GitLab 16.1.6, using the Ultimate Edition. When trying to integrate API Fuzzing into my project, I am getting a 500 error, since it is scanning the base URL, on which no REST API is exposed.
Below is the API Fuzzing configuration:
```yaml
variables:
  # Setting this variable affects all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
  #
  FUZZAPI_VERSION: "3"
  FUZZAPI_IMAGE_SUFFIX: ""
  FUZZAPI_IMAGE: api-security

apifuzzer_fuzz:
  stage: fuzz
  image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_IMAGE_SUFFIX
  allow_failure: true
  rules:
    - if: $API_FUZZING_DISABLED == 'true' || $API_FUZZING_DISABLED == '1'
      when: never
    - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH == 'true' &&
          $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
      when: never
    - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH == '1' &&
          $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $CI_GITLAB_FIPS_MODE == "true"
      variables:
        FUZZAPI_IMAGE_SUFFIX: "-fips"
    - if: $CI_COMMIT_TAG || $CI_COMMIT_BRANCH
  script:
    # Set target URL
    - if [ -z "$FUZZAPI_TARGET_URL" ]; then export FUZZAPI_TARGET_URL=$(cat environment_url.txt); fi
    - if [ ! -z "$FUZZ_API_SPECIFICATION_PATH" ]; then export FUZZAPI_OPENAPI=$FUZZAPI_TARGET_URL$FUZZ_API_SPECIFICATION_PATH; fi
    #
    - /peach/analyzer-fuzz-api
  artifacts:
    when: always
    paths:
      - gl-assets
      - gl-api-fuzzing-report.json
      - gl-*.log
    reports:
      api_fuzzing: gl-api-fuzzing-report.json
```
GitLab CI file:
```yaml
variables:
  FUZZAPI_PROFILE: Quick-10
  FUZZ_API_SPECIFICATION_PATH: "/v3/api-docs"
  FUZZAPI_OPENAPI_ALL_MEDIA_TYPES: "ALL"
include:
  - file: 'Auto-DevOps.gitlab-ci.yml'
    project: 'pipeline-library'
    ref: master
```
Below are the API Fuzzing logs for reference:
```
$ /peach/analyzer-fuzz-api
16:03:40 [INF] API Fuzzing: Gitlab API Fuzzing
16:03:40 [INF] API Fuzzing: -------------------
16:03:40 [INF] API Fuzzing:
16:03:40 [INF] API Fuzzing: version: 3.7.0
16:03:40 [INF] API Fuzzing: api: http://127.0.0.1:5000
16:03:40 [INF] API Fuzzing: api port: 5000
16:03:40 [INF] API Fuzzing: config: /peach/configs/gitlab-api-fuzzing-config.yml
16:03:40 [INF] API Fuzzing: openapi: https://targetxxx.com/v3/api-docs
16:03:40 [INF] API Fuzzing: openapi_relaxed_validation: Enabled
16:03:40 [INF] API Fuzzing: openapi_all_media_types: Enabled
16:03:40 [INF] API Fuzzing: profile: Quick-10
16:03:40 [INF] API Fuzzing: project: xxxxx
16:03:40 [INF] API Fuzzing: security report: gl-api-fuzzing-report.json
16:03:40 [INF] API Fuzzing: security report asset path: gl-assets
16:03:40 [INF] API Fuzzing: ci_project_url: xxxxx
16:03:40 [INF] API Fuzzing: ci_job_id: 11111
16:03:40 [INF] API Fuzzing: service_start_timeout: 300
16:03:40 [INF] API Fuzzing: target_url: https://targetxxx.com
16:03:40 [INF] API Fuzzing: timeout: 30
16:03:40 [INF] API Fuzzing: verbose: False
16:03:40 [INF] API Fuzzing:
16:03:40 [INF] API Fuzzing: Waiting for API Fuzzing (http://127.0.0.1:5000) to become available...
16:03:40 [INF] API Fuzzing: Backing off 0.5 seconds afters 1 tries
16:03:40 [INF] API Fuzzing: Backing off 0.8 seconds afters 2 tries
16:03:45 [INF] API Fuzzing: Waiting for scan target (https://targetxxx.com) to become available...
16:03:45 [INF] API Fuzzing: Backing off 0.2 seconds afters 1 tries
16:03:45 [INF] API Fuzzing: Backing off 0.1 seconds afters 2 tries
16:03:46 [INF] API Fuzzing: Backing off 1.4 seconds afters 3 tries
16:03:47 [INF] API Fuzzing: Backing off 3.6 seconds afters 4 tries
16:03:51 [INF] API Fuzzing: Backing off 11.8 seconds afters 5 tries
16:04:03 [INF] API Fuzzing: Backing off 2.2 seconds afters 6 tries
16:04:05 [INF] API Fuzzing: Backing off 38.4 seconds afters 7 tries
16:04:44 [INF] API Fuzzing: Backing off 15.1 seconds afters 8 tries
16:04:59 [INF] API Fuzzing: Backing off 99.7 seconds afters 9 tries
16:06:39 [INF] API Fuzzing: Backing off 126.2 seconds afters 10 tries
16:08:45 [WAR] API Fuzzing: Waiting for url 'https://targetxxx.com', failed: Error status code received: 500
16:08:45 [ERR] API Fuzzing: Error waiting for target 'https://targetxxx.com' to become available.
Stopping scanner...
/peach/analyzer-fuzz-api: line 58: kill: (38) - No such process
```
Since this target URL only exposes the /v1/demo URI, it is expected to throw a 500 when the base URL is accessed, but this makes the job fail. I am not able to find any option to disable this check.