istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tests/integration/security/fuzz/README.md (about)

     1  # Fuzz test for security policy
     2  
     3  The directory includes fuzz tests for security policy:
     4  
     5  - request authentication: test potential bypass and crash in the JWT filter caused by malformed JWT token and common
     6    vulnerabilities in JWT validation.
     7  
     8  - authorization policy: test potential policy bypass issues caused by path normalization issues in Istio and Envoy.
     9  
    10  This test is currently optional and not executed in the normal integration test. It is recommended to run the test
    11  before each new Istio release and make sure all fuzz tests pass.
    12  
    13  ## Overview
    14  
    15  ![](overview.jpg)
    16  
    17  The fuzz test uses specialized web vulnerability fuzzers ([jwt_tool](https://github.com/ticarpi/jwt_tool),
    18  [dotdotpwn](https://github.com/wireghoul/dotdotpwn)) and [wfuzz](https://github.com/xmendez/wfuzz) to generate a
    19  large number of fuzzed requests. The mutation is based on a predefined path (`/private/secret.html`) that should be
    20  rejected by either the request authentication or the authorization policy.
    21  
    22  The test backend uses real Web servers (`apache`, `nginx` and `tomcat`) configured to serve at the above predefined path.
    23  If a fuzzer generated request successfully gets the data at the predefined path, it means a policy bypass has happened
    24  otherwise it should have been rejected with 403 by the policy.
    25  
    26  We use the real backends instead of the existing test apps in order to test against unknown new normalization behaviors
    27  in real backend servers.
    28  
    29  The fuzz test is configured to run every day at 07:00AM UTC, check the results in
    30  [integ-security-fuzz-k8s-tests_istio_periodic](https://prow.istio.io/?job=integ-security-fuzz-k8s-tests_istio_periodic).
    31  
    32  ## Usage
    33  
    34  1. Run the test with existing Istio deployment:
    35  
    36      ```bash
    37      go test ./tests/integration/security/fuzz/... -p 1 -v -tags="integfuzz integ" -test.run "TestFuzzAuthorization|TestRequestAuthentication" \
    38        --istio.test.nocleanup --istio.test.env kube  --istio.test.kube.deploy=false - -timeout 30m \
    39        --istio.test.pullpolicy=IfNotPresent --istio.test.kube.loadbalancer=false --log_output_level=tf:debug
    40      ```
    41  
    42  1. Wait for the test to complete and check the results, the test usually takes about 5 minutes.
    43  
    44  ## Next Steps
    45  
    46  1. Support authorization ALLOW policy in addition to the DENY policy.
    47  
    48  1. Cover more fields in the authorization policy.