
Fuzzing PrestaShop Webservice with GitLab API fuzzer#

Original author Sara Jokela
Last checked by
Status In progress
Last updated 20.5.2025

Notes#

Prerequisites#

  • PrestaShop installation that is deployed from GitLab CI/CD
  • PrestaShop Webservice is enabled & a Webservice key is created
  • Postman account

1 Create a Postman collection#

1. Decide which PrestaShop Webservice resources you want to test, and which HTTP methods you want to use against them.

2. Go to PrestaShop's GitHub.

  • Select a template, e.g. demo_product_collection.json, and download it.

3. Next, import that JSON file into your Postman collections: in your Postman workspace, select Collections -> Import and add the JSON template.

Postman workspace

4. After loading the JSON template, you should have a collection named PrestaShop Webservice. Go to the Variables tab.

Presta collection

5. Add your own Webservice key under Current value, and add your virtual machine's floating IP address as well. Don't forget to click Save!

Add key and ip address

6. You can also change the resource. Here, the resource is changed from "Products" to "Addresses".

Change resource to be tested

7. Export the collection: click the three dots and select More -> Export.

Exporting collection

  • Select Collection v2.1 and click Export.

Collection version

2 Preparing GitLab API fuzzing#

This guide assumes that you have a project with a working GitLab pipeline that is used to deploy PrestaShop.

1. Go to the GitLab project you want to fuzz. Open its .gitlab-ci.yml file and add fuzz as a stage.

  • Fuzzing must be placed after deployment, so that the PrestaShop instance is already reachable when the fuzz job runs!

Adding fuzz stage

2. Add the template for API fuzz testing.

Template for fuzz testing

3. Add variables for API fuzzing.

  • FUZZAPI_PROFILE: The fuzz profile defines how many tests are run. In this example, Quick-10 was chosen.
  • FUZZAPI_TARGET_URL: Your PrestaShop deployment's address. If you use a Pouta virtual machine, it is that machine's floating IP address or domain.
  • FUZZAPI_POSTMAN_COLLECTION: The Postman collection (the file exported in section 1) that is used as the basis for fuzzing.

Fuzzing variables

4. Now .gitlab-ci.yml should be ready and can be saved. Saving it should automatically start the pipeline. Fuzz testing is executed last, after deployment, and it might take some time. You can check the pipeline to see how the test is going.

Fuzzing in pipeline
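The three steps above combined into one .gitlab-ci.yml, as an added example that is not taken from the page's own project. The deploy job body, the CI variable PRESTASHOP_HOST, and the file paths under postman/ are assumptions; the stage name, the template name and the three FUZZAPI_* variables are the ones named in the steps above.

```yaml
# Added example: a deploy stage followed by the GitLab API Fuzzing template.
# Only the fuzz stage, the template include and the FUZZAPI_* variables come
# from the steps above; everything else is an assumed placeholder.
stages:
  - build
  - deploy
  - fuzz            # must run after deploy so the Webservice is reachable

include:
  - template: API-Fuzzing.gitlab-ci.yml   # adds the apifuzzer_fuzz job in the fuzz stage

variables:
  # Quick-10 is the smallest profile; a larger one runs more test cases per request.
  FUZZAPI_PROFILE: Quick-10
  # Assumed CI/CD variable holding the floating IP or domain of the deployment.
  FUZZAPI_TARGET_URL: "http://$PRESTASHOP_HOST"
  # Assumed path: the Collection v2.1 export from section 1, committed to the repo.
  FUZZAPI_POSTMAN_COLLECTION: postman/PrestaShop_Webservice.postman_collection.json
  # Optional: if you prefer not to commit the Webservice key inside the collection,
  # GitLab can read Postman variable values from a separate file instead.
  # FUZZAPI_POSTMAN_COLLECTION_VARIABLES: postman/collection-variables.json

deploy_prestashop:
  stage: deploy
  script:
    - echo "deploy PrestaShop here (assumed placeholder)"
  environment:
    name: staging
```

The exported collection carries whatever was saved in its Variables tab, so check what ends up in the committed file before pushing it. The fuzz job sends malformed requests to every request in the collection, so point FUZZAPI_TARGET_URL at a test deployment only.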