Project Setup (Java Spring Boot)

How to set up a Java Spring Boot project for fuzzing

Download an example project

Setting up fuzzing for Spring Boot applications is even easier than fuzzing C++ or plain Java code. First, you have to start the CI daemon. Open a new terminal and start it with:

$ ci-daemon

Running the ci-daemon as root is not recommended, since it can lead to problems when VS Code tries to connect to it. Furthermore, it is good security practice to run software with the least privilege it needs.

In this tutorial we are going to use WebGoat. WebGoat is a deliberately insecure web application, maintained by OWASP, that is designed to teach web application security lessons. It demonstrates common server-side application flaws.

Download it via git:

$ git clone https://github.com/WebGoat/WebGoat.git

Creating the project

To set up fuzzing for Spring Boot applications with CI Fuzz, open the project in VS Code.

If you have our extension installed, you can start it by clicking on our logo in the left sidebar. This will take you from VS Code’s file browser sidebar to our CI Fuzz sidebar.

From here you can create the fuzzing project by clicking the Plus button next to “Create Fuzzing Project”.

CI Fuzz will automatically detect most current build systems that can build Spring Boot applications, including Maven, Gradle and Ant. If it recognizes a build system, it will offer to automatically create a script that builds the project with sensible defaults.

Even if the build system is not detected, you can enter the steps needed to build the project manually.

Here you also need to provide the name of a Docker image, which will allow CI Fuzz to create containers in which the fuzzing project and fuzz tests will be built. This image must contain all the dependencies. In the case of WebGoat, the official Maven image can be used.

Alternatively, local mode creates distroless Docker containers, which will use the dependencies installed on your system.

Additional Docker volume mounts in the Advanced Settings section let you mount files and directories that reside on your local filesystem inside the Docker container that will be used for building and fuzzing your project.

WARNING: this only works when you are fuzzing on your own computer. It will not work if you load your fuzzing project in the CI Fuzz Web Interface for Continuous Fuzzing.

Initializing the project

Once all the steps to build the project have been specified, it is time to initialize the project. In this step, we simply build the project once, without any modification. This allows us to identify which parts of the code end up in which jar files and helps us to automatically detect the different endpoints defined in the code that can be tested with CI Fuzz. This is a lengthy process that could take a few minutes to complete.

To run the initialization, click on the Submit button below the Docker configuration options.

Depending on the size of your project, this might take a while, since we build the whole project by default. You can of course disable compilation of parts of the code that are not relevant for the fuzz tests, such as existing unit tests. For Maven, this can be done by adding "-DskipTests" to the mvn call.

 
