Fuzzing with Grammarinator and Swagger Petstore API Tutorial

How to write an ANTLR grammar from a REST API

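# Start the Swagger Petstore fuzz target locally.
# Publish the port on the loopback interface only: the ':unstable' image is a
# throwaway test target and should not be reachable from other hosts while it is
# being fuzzed. Every curl in this tutorial talks to localhost, so nothing else
# changes.
docker run --name swaggerapi-petstore3 -d -p 127.0.0.1:8080:8080 swaggerapi/petstore3:unstable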

GET /pet/{petId} — Find Pet by ID

# interactive UI output
# Same request as shown by the Swagger UI, spelled with curl's long options.
curl --request GET "http://localhost:8080/api/v3/pet/1" --header "accept: application/json"
// Generator grammar for GET /pet/{petId}: every test case is one complete curl
// command line, and only the pet id is varied.
grammar get;

start
    : 'curl -X GET "http://localhost:8080/api/v3/pet/' integerLiteral '" -H "accept: application/json"'
    ;

integerLiteral
    : INTEGER_LITERAL
    ;

// A non-negative decimal without leading zeros.
INTEGER_LITERAL
    : '0'
    | [1-9] [0-9]*
    ;

POST /pet/{petId} — Post Pet by Id

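# interactive UI output
# Quotes normalised to plain ASCII: the copy-pasted command carried typographic
# quotes, which the shell does not treat as quoting characters, so the line would
# not run as written.
curl -X POST "http://localhost:8080/api/v3/pet/1?name=Beethoven&status=available" -H "accept: */*" -d ""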
// Generator grammar for POST /pet/{petId}: varies the pet id, the new name and
// the status query parameter of a single curl command line.
grammar post;

start
    : 'curl -X POST "http://localhost:8080/api/v3/pet/' integerLiteral '?name=' text '&status=' status '" -H "accept: */*" -d ""'
    ;

integerLiteral
    : INTEGER_LITERAL
    ;

text
    : TEXT
    ;

// The three values the Petstore schema defines for a pet's status.
status
    : 'available'
    | 'pending'
    | 'sold'
    ;

// NOTE(review): TEXT precedes INTEGER_LITERAL and also matches an all-digit
// string, so a bare number would lex as TEXT if this grammar were ever used to
// parse input; generation with Grammarinator is unaffected.
TEXT
    : [_a-zA-Z0-9]+
    ;

INTEGER_LITERAL
    : '0'
    | [1-9] [0-9]*
    ;

PUT /pet — Put Pet

# interactive UI output
# Same request as shown by the Swagger UI, spelled with curl's long options;
# the JSON body is passed inside a double-quoted shell argument, hence the \" escapes.
curl --request PUT "http://localhost:8080/api/v3/pet" --header "accept: application/json" --header "Content-Type: application/json" --data "{\"id\":10,\"name\":\"Roger\",\"category\":{\"id\":1,\"name\":\"Dogs\"},\"photoUrls\":[\"string\"],\"tags\":[{\"id\":0,\"name\":\"string\"}],\"status\":\"available\"}"
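// Generator grammar for PUT /pet: one curl command line carrying a JSON pet
// object whose ids, names, photo URLs, tags and status are varied.
// Fix: a stray 'w' before the category name's `text` reference made the rule
// reference an undefined symbol; it is removed here (the combined grammar at the
// end of the tutorial never had it).
grammar put;

// The JSON body sits inside a double-quoted shell argument, so every JSON
// quote is emitted as \" (an ANTLR '\\' literal produces one backslash).
start
    : 'curl -X PUT "http://localhost:8080/api/v3/pet" -H "accept: application/json" -H "Content-Type: application/json" -d "{\\"id\\":' integerLiteral ',\\"name\\":\\"' text '\\",\\"category\\":{\\"id\\":' integerLiteral ',\\"name\\":\\"' text '\\"},\\"photoUrls\\":[\\"' listOfText '\\"],\\"tags\\":[' listOfTags '],\\"status\\":\\"' status '\\"}"'
    ;

// JSON array of strings; the quoted ' , ' separator keeps the array valid JSON.
listOfText
    : TEXT ( '\\" , \\"' TEXT )*
    ;

text
    : TEXT
    ;

// JSON array of tag objects.
listOfTags
    : tag ( ',' tag )*
    ;

tag
    : '{\\"id\\":' integerLiteral ',\\"name\\":\\"' text '\\"}'
    ;

integerLiteral
    : INTEGER_LITERAL
    ;

// The three values the Petstore schema defines for a pet's status.
status
    : 'available'
    | 'pending'
    | 'sold'
    ;

// NOTE(review): TEXT precedes INTEGER_LITERAL and also matches an all-digit
// string; this only matters if the grammar is used to parse, not to generate.
TEXT
    : [_a-zA-Z0-9]+
    ;

INTEGER_LITERAL
    : '0'
    | [1-9] [0-9]*
    ;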

DELETE /pet/{petId} — Delete Pet by ID

# interactive UI output
# Same request as shown by the Swagger UI, spelled with curl's long options.
curl --request DELETE "http://localhost:8080/api/v3/pet/1" --header "accept: */*" --header "api_key: any_key"
// Generator grammar for DELETE /pet/{petId}: varies the pet id and the value of
// the api_key header on a single curl command line.
grammar delete;

start
    : 'curl -X DELETE "http://localhost:8080/api/v3/pet/' integerLiteral '" -H "accept: */*" -H "api_key: ' any '"'
    ;

integerLiteral
    : INTEGER_LITERAL
    ;

// One or more arbitrary characters for the header value.
any
    : ANY+
    ;

INTEGER_LITERAL
    : '0'
    | [1-9] [0-9]*
    ;

// '.' is any single character, including '"', '\', '$', '`' and newlines. Such a
// character lands inside the double-quoted header argument, so the generated
// command can fail in the shell before it ever reaches the service; narrow this
// to a ~[...] set if those cases are unwanted noise.
ANY
    : .
    ;

Result

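// Combined generator grammar for the Swagger Petstore /pet endpoints.
// grammarinator-process turns it into an unparser/unlexer pair; every generated
// test case is one complete curl command line.
// Fix: the head of the `get` rule was fused onto the `start` line in the
// listing; each rule is now on its own lines so the grammar can be copied as-is.
grammar SwaggerPetstore;

// Each test case exercises exactly one endpoint.
start
    : get
    | post
    | put
    | delete
    ;

get
    : 'curl -X GET "http://localhost:8080/api/v3/pet/' integerLiteral '" -H "accept: application/json"'
    ;

post
    : 'curl -X POST "http://localhost:8080/api/v3/pet/' integerLiteral '?name=' text '&status=' status '" -H "accept: */*" -d ""'
    ;

// The JSON body sits inside a double-quoted shell argument, so every JSON
// quote is emitted as \" (an ANTLR '\\' literal produces one backslash).
put
    : 'curl -X PUT "http://localhost:8080/api/v3/pet" -H "accept: application/json" -H "Content-Type: application/json" -d "{\\"id\\":' integerLiteral ',\\"name\\":\\"' text '\\",\\"category\\":{\\"id\\":' integerLiteral ',\\"name\\":\\"' text '\\"},\\"photoUrls\\":[\\"' listOfText '\\"],\\"tags\\":[' listOfTags '],\\"status\\":\\"' status '\\"}"'
    ;

delete
    : 'curl -X DELETE "http://localhost:8080/api/v3/pet/' integerLiteral '" -H "accept: */*" -H "api_key: ' any '"'
    ;

// JSON array of strings; the quoted ' , ' separator keeps the array valid JSON.
listOfText
    : TEXT ( '\\" , \\"' TEXT )*
    ;

// JSON array of tag objects.
listOfTags
    : tag ( ',' tag )*
    ;

tag
    : '{\\"id\\":' integerLiteral ',\\"name\\":\\"' text '\\"}'
    ;

integerLiteral
    : INTEGER_LITERAL
    ;

text
    : TEXT
    ;

// One or more arbitrary characters for the api_key header value.
any
    : ANY+
    ;

// The three values the Petstore schema defines for a pet's status.
status
    : 'available'
    | 'pending'
    | 'sold'
    ;

// Lexer rules. INTEGER_LITERAL is listed before TEXT so that, if this grammar is
// ever used to parse rather than generate, an all-digit string lexes as a number
// (TEXT matches digits too); generation is unaffected by the order.
INTEGER_LITERAL
    : '0'
    | [1-9] [0-9]*
    ;

TEXT
    : [_a-zA-Z0-9]+
    ;

// '.' is any single character, including '"', '\', '$', '`' and newlines. Such a
// character lands inside the double-quoted header argument, so the generated
// command can fail in the shell before it ever reaches the service; narrow this
// to a ~[...] set if those cases are unwanted noise.
ANY
    : .
    ;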

How to use Grammarinator with an ANTLR grammar

# Install the generator. NOTE(review): this pulls whatever version is current on
# the package index; pin a version you have reviewed (pip3 install grammarinator==<VERSION>)
# so the fuzzing setup is reproducible.
pip3 install grammarinator
# Compile the combined grammar (saved as SwaggerPetstore.g4, matching its
# `grammar` name) into a Python unparser/unlexer pair under ./out.
grammarinator-process ./SwaggerPetstore.g4 -o ./out --no-actions
# Generate 100 test cases into ./out/gen/, each one a complete curl command line.
grammarinator-generate -p ./out/SwaggerPetstoreUnparser.py -l ./out/SwaggerPetstoreUnlexer.py -o ./out/gen/ -n 100
# Four of the generated test cases, one per endpoint alternative of `start`.
#1
curl -X GET "http://localhost:8080/api/v3/pet/1" -H "accept: application/json"
#2
# NOTE(review): the grammar emits `-d ""` here; the closing quote appears to have
# been lost when the output was pasted into the article.
curl -X POST "http://localhost:8080/api/v3/pet/7?name=q&status=pending" -H "accept: */*" -d "
#3
curl -X PUT "http://localhost:8080/api/v3/pet" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"id\":7,\"name\":\"zS\",\"category\":{\"id\":70,\"name\":\"v6\"},\"photoUrls\":[\"M1\"],\"tags\":[{\"id\":0,\"name\":\"U\"}],\"status\":\"pending\"}"
#4
# The api_key value comes from `ANY: .`, so it may contain characters the shell
# would interpret (quotes, $, backticks); this sample happens to be harmless.
curl -X DELETE "http://localhost:8080/api/v3/pet/9" -H "accept: */*" -H "api_key: Q{V]"

Conclusion
