
Configuring Your API For More Detailed Issues

In this section we will examine how to configure specific frameworks to help Mayhem find problems, such as possible SQL Injection, that might not be as discoverable with default application settings. These configuration changes are optional and are rarely safe for production; however, they can provide more value out of Mayhem when enabled in a safe environment such as part of your CI/CD pipeline.

These changes typically involve adjusting your API configuration to return additional information in the response whenever an internal error occurs, such as the stack trace.

This helps you get to the root cause of buggy endpoints faster and lets the fuzzer identify security issues such as error-based SQL injection more accurately. The following frameworks are covered:

  • Spring Boot (Java)
  • Flask (Python)

Feedback

If you do not see your API framework here yet, please let us know: support@forallsecure.com

Spring Boot (Java)

Various properties can be specified in your application.properties file, in your application.yml file, or as command line switches. Please visit https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html for a comprehensive list of properties.

For the following configurations, assume we are working with the application.properties file.

Warning

These settings are appropriate for development testing, but should not be used in production.

Include Stack Trace on Server Error

Update your application.properties file with the following line:

server.error.include-stacktrace=always

Whenever the fuzzer triggers an error, Spring Boot will include a stack trace in the response.

Flask (Python)

When developing a Flask-based API, the built-in Werkzeug development server provides a debugger which shows an interactive traceback in the browser when an unhandled error occurs during a request.

For more information, visit https://flask.palletsprojects.com/en/latest/debugging/.

Warning

These settings are appropriate for development testing, but should not be used in production.

Include Traceback on Server Error

Either set the FLASK_ENV=development environment variable prior to running your app:

$ export FLASK_ENV=development
$ flask run

Or pass debug=True to app.run() when starting the app from Python code:

from flask import Flask

app = Flask(__name__)

if __name__ == '__main__':
    # debug=True turns on the Werkzeug debugger, so an unhandled exception
    # returns the interactive traceback page instead of a bare 500 response.
    app.run(debug=True)

Whenever the fuzzer triggers an error, Flask will include the traceback in the response.
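To see what the extra information from both sections above gives a consumer of the responses, the following added example (not code from this page, from Mayhem, or from either framework) parses the two enriched error formats: a Spring Boot error JSON whose trace field is populated by server.error.include-stacktrace=always, and a Werkzeug debugger page produced by Flask's debug mode. Both sample bodies are constructed to mirror the shape of those responses rather than captured from a real application, the DB_EXCEPTIONS list is an assumption, and the classify function is a stand-in for the kind of triage a fuzzer or CI step might do, not Mayhem's own detection logic.

```python
"""Triage of framework error responses enriched by the settings above.

Added example. The two sample bodies are constructed to mirror a Spring Boot
error JSON (include-stacktrace=always) and a Werkzeug debugger page; they are
not captured from a real application.
"""
import html
import json
import re
from typing import Optional

# Exception types that point at the database layer failing on request input.
# Constructed list; extend it for the drivers your services actually use.
DB_EXCEPTIONS = (
    "sqlite3.OperationalError",
    "psycopg2.errors",
    "java.sql.SQLException",
    "java.sql.SQLSyntaxErrorException",
    "org.springframework.jdbc.BadSqlGrammarException",
)

# Framework packages skipped when looking for the first application frame.
FRAMEWORK_PREFIXES = ("org.springframework", "java.", "jakarta.", "javax.")

# Constructed Spring Boot 500 body. With include-stacktrace=always the
# "trace" field carries the full Java stack trace.
SPRING_BODY = json.dumps({
    "timestamp": "2024-01-01T00:00:00.000+00:00",
    "status": 500,
    "error": "Internal Server Error",
    "trace": (
        "org.springframework.jdbc.BadSqlGrammarException: "
        "StatementCallback; bad SQL grammar\n"
        "\tat org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator"
        ".doTranslate(SQLErrorCodeSQLExceptionTranslator.java:101)\n"
        "\tat com.example.api.UserController.find(UserController.java:42)\n"
    ),
    "message": "StatementCallback; bad SQL grammar",
    "path": "/users",
})

# Constructed, heavily abridged Werkzeug debugger page.
WERKZEUG_BODY = """<!doctype html>
<html><head><title>sqlite3.OperationalError // Werkzeug Debugger</title></head>
<body><h1>sqlite3.OperationalError</h1>
<div class="traceback"><h3>Traceback <em>(most recent call last)</em>:</h3>
<div class="frame"><h4>File <cite>"/srv/app/app.py"</cite>, line <em>17</em>,
 in <code>lookup</code></h4></div>
<blockquote>sqlite3.OperationalError: unrecognized token: &quot;'&quot;</blockquote>
</div></body></html>"""

_WZ_TITLE = re.compile(r"<title>(.+?) // Werkzeug Debugger</title>")
_WZ_FRAME = re.compile(
    r'File <cite>"([^"]+)"</cite>, line <em>(\d+)</em>,\s*in <code>([^<]+)</code>')
_WZ_MSG = re.compile(r"<blockquote>(.+?)</blockquote>", re.S)


def parse_spring_error(body: str) -> Optional[dict]:
    """Return exception class and first application frame from a Spring error JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    trace = data.get("trace") if isinstance(data, dict) else None
    if not isinstance(trace, str) or not trace.strip():
        return None  # stack traces not enabled, or not a Spring error body
    lines = [line.strip() for line in trace.splitlines()]
    exc_type = lines[0].split(":", 1)[0].strip()
    frames = [line[3:] for line in lines[1:] if line.startswith("at ")]
    app_frame = next((f for f in frames if not f.startswith(FRAMEWORK_PREFIXES)), None)
    return {"framework": "spring-boot", "exception": exc_type, "frame": app_frame,
            "message": data.get("message"), "path": data.get("path")}


def parse_werkzeug_error(body: str) -> Optional[dict]:
    """Return exception class, innermost frame and message from a Werkzeug debugger page."""
    title = _WZ_TITLE.search(body)
    if not title or "Traceback" not in body:
        return None
    frame = _WZ_FRAME.search(body)
    msg = _WZ_MSG.search(body)
    return {"framework": "werkzeug", "exception": title.group(1).strip(),
            "frame": f"{frame.group(1)}:{frame.group(2)} in {frame.group(3)}" if frame else None,
            "message": html.unescape(msg.group(1)).strip() if msg else None}


def classify(status: int, body: str) -> dict:
    """Flag responses that carry a stack trace and bucket database-layer failures.

    'leak' is True when a trace is present; 'category' is 'sql-error' when the
    exception type is one of DB_EXCEPTIONS, otherwise 'server-error'.
    """
    info = parse_spring_error(body) or parse_werkzeug_error(body)
    if status < 500 or info is None:
        return {"leak": False, "category": "none"}
    category = "sql-error" if info["exception"].startswith(DB_EXCEPTIONS) else "server-error"
    return {"leak": True, "category": category, **info}


if __name__ == "__main__":
    for name, body in (("spring", SPRING_BODY), ("werkzeug", WERKZEUG_BODY)):
        print(name, classify(500, body))
```

The same parsers also double as a production safety check: run them against responses from a deployed environment and any result with leak set to True means the development-only settings from this page escaped into production.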