Yelp · domanchi · Apr 10, 2020 · Jan 4, 2020 · Jan 7, 2020 · Jan 8, 2020
diff --git a/fuzz_lightyear/plugins/idor.py b/fuzz_lightyear/plugins/idor.py
@@ -34,13 +34,19 @@ def is_vulnerable(
         request_sequence: List[FuzzingRequest],
         response_sequence: List[Any],
     ) -> bool:
-        last_request = request_sequence[-1]
-        try:
-            last_request.send(
-                auth=get_abstraction().get_attacker_session(),  # type: ignore
-                should_log=False,
-            )
-
-            return True
-        except (HTTPError, SwaggerMappingError, ValidationError):
-            return False
+        # We have the attacker execute the same request sequence with different
+        # values except for the last request.
+        for request in request_sequence[:-1]:
+            if request.fuzzed_input:
+                for query_key in request.fuzzed_input:
+                    request.fuzzed_input[query_key] += 1
+        for request in request_sequence:
+            try:
+                request.send(
+                    auth=get_abstraction().get_attacker_session(),  # type: ignore
+                    should_log=False,
+                )
+
+            except (HTTPError, SwaggerMappingError, ValidationError):
+                return False
+        return True
diff --git a/testing/vulnerable_app/models/thing.py b/testing/vulnerable_app/models/thing.py
@@ -0,0 +1,8 @@
+from ..core.database import Base
+
+
+class Thing(Base):
+    """
+    This is separate from Widget since reusing it causes flakiness.
+    """
+    pass
diff --git a/testing/vulnerable_app/views/__init__.py b/testing/vulnerable_app/views/__init__.py
@@ -3,6 +3,7 @@
     'complex',
     'constant',
     'location',
+    'nonvulnerable',
     'sequence',
     'types',
     'user',

diff --git a/testing/vulnerable_app/views/models/database.py b/testing/vulnerable_app/views/models/database.py
@@ -20,3 +20,10 @@
         'id': fields.Integer(required=True),
     },
 )
+
+thing_model = api.model(
+    'Thing',
+    {
+        'id': fields.Integer(required=True),
+    },
+)
diff --git a/testing/vulnerable_app/views/nonvulnerable.py b/testing/vulnerable_app/views/nonvulnerable.py
@@ -0,0 +1,69 @@
+"""
+These endpoints focus on testing the stateful-ness of the fuzzer.
+
+The `alpha` series of endpoints enforce basic stateful-ness.
+"""
+from flask import abort
+from flask_restplus import Resource
+from sqlalchemy.orm.exc import NoResultFound
+
+from ..core import database
+from ..core.auth import requires_user
+from ..core.extensions import api
+from ..models.thing import Thing
+from ..util import get_name
+from .models.database import thing_model
+
+
+ns = api.namespace(
+    get_name(__name__),
+    url_prefix='/{}'.format(get_name(__name__)),
+)
+
+
+# This tests that https://github.com/Yelp/fuzz-lightyear/issues/11 has been fixed.
+@ns.route('/no-vuln/create')
+class CreateNoVuln(Resource):
+    @api.doc(security='apikey')
+    @api.response(200, 'Success', model=thing_model)
+    @requires_user
+    def post(self, user):
+
+        with database.connection() as session:
+            entry = Thing()
+
+            session.add(entry)
+            session.commit()
+
+            user.created_resource = [entry.id]
+            user.save()
+
+        return {
+            'id': entry.id,
+        }
+
+
+@ns.route('/no-vuln/get/<int:id>')
+class GetNoVuln(Resource):
+    @api.doc(security='apikey')
+    @api.response(200, 'Success', model=thing_model)
+    @api.response(404, 'Not Found')
+    @api.response(403, 'Not Authorized')
+    @requires_user
+    def get(self, id, user):
+        if id not in user.created_resource:
+            abort(403)
+
+        with database.connection() as session:
+            try:
+                entry = session.query(Thing).filter(
+                    Thing.id == id,
+                ).one()
+            except NoResultFound:
+                abort(404)
+
+            widget_id = entry.id
+
+        return {
+            'id': widget_id,
+        }
diff --git a/testing/vulnerable_app/views/sequence.py b/testing/vulnerable_app/views/sequence.py
@@ -90,6 +90,7 @@ class GetWithSideEffect(Resource):
     @api.response(404, 'Not Found')
     @requires_user
     def get(self, id, user):
+        print(user.to_dict())
         if not user.has_created_resource:
             abort(401)
 

diff --git a/tests/integration/plugins/idor_test.py b/tests/integration/plugins/idor_test.py
@@ -1,5 +1,3 @@
-import pytest
-
 from fuzz_lightyear.request import FuzzingRequest
 from fuzz_lightyear.response import ResponseSequence
 from fuzz_lightyear.runner import run_sequence
@@ -36,9 +34,6 @@ def test_skipped_due_to_no_inputs(mock_client):
     assert responses.test_results == {}
 
 
-@pytest.mark.xfail(
-    reason='https://github.com/Yelp/fuzz-lightyear/issues/11',
-)
 def test_side_effect(mock_api_client):
     responses = run_sequence(
         [
@@ -62,3 +57,26 @@ def test_side_effect(mock_api_client):
 
     assert responses.responses[1].has_created_resource
     assert responses.test_results['IDORPlugin']
+
+
+def test_no_vuln(mock_api_client):
+    responses = run_sequence(
+        [
+            FuzzingRequest(
+                tag='nonvulnerable',
+                operation_id='post_create_no_vuln',
+            ),
+            FuzzingRequest(
+                tag='user',
+                operation_id='get_get_user',
+            ),
+            FuzzingRequest(
+                tag='nonvulnerable',
+                operation_id='get_get_no_vuln',
+            ),
+        ],
+        ResponseSequence(),
+    )
+
+    assert responses.responses[1].created_resource
+    assert not responses.test_results['IDORPlugin']