Suppressing Issues

Not all issues reported by Mayhem for API may be relevant or of interest to an API maintainer. Mayhem for API offers a mechanism to suppress issues discovered during fuzzing jobs.

The .mapi configuration file

A .mapi configuration file specifies rules for issue suppression:

# Example .mapi configuration file
version: "1.0"

# An array of rules for suppressing issues.
# If an issue matches any rule, it will be suppressed
# from reporting.
# Any issue will only match a rule if ALL statements for
# a rule match the issue.

- reason: "Suppress Internal API issues"
  path: /internal/.*
- reason: "Ignore flask debug exceptions"
  summary: flask\.debughelpers\.*

An issue suppress rule is composed of regular expressions which match on different issue fields:

- reason: "(required string) Description of why issues matches this rule are suppressed"
  method: "(optional regex) GET|PUT|POST|DELETE|PATCH... etc. Matches HTTP Method"
  path: "(optional regex) /foo|/tools/.* Matches the HTTP request path"
  rule_id: "(optional regex) internal-server-error|auth-bypass|server-crash... Matches mapi rule id"
  summary: "(optional regex) matches additional issue summary - such as stacktrace message"
  response: "(optional regex) Matches against the entire response, headers and payload. *"

Response matching

If a suppression rule has a response regular expression, that regular expression will be applied against the entire response from the server. This is the raw response seen over the TCP connection which starts with the headers and then proceeds to the payload, if a payload is sent.

You can see something close to the raw output from your server by accessing it with curl -v.

e.g. curl -v

< location:
< content-type: text/html; charset=UTF-8
< date: Thu, 24 Mar 1970 21:04:22 GMT
< expires: Sat, 23 Apr 1970 21:04:22 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443";
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<H1>301 Moved</H1>
The document has moved
<A HREF="">here</A>.

To match against a header in the response you would add a response field like:

server: gws

To match against part of the body, you would add a response field like:

The document has moved

Where to put .mapi file?

💡 We recommended checking the .mapi file into source control so that you may track changes to suppressed rules with your SCM tool.

The mapi CLI will resolve the .mapi file with the following order of precedence:

  1. Set with the --config <path-to-file> when calling mapi run
  2. Set with the MAPI_CONFIG_FILE environment variable
  3. Located in the working directory where mapi run is called
  4. Located in the project root (adjacent to the .git folder, if one exists)

How do I see suppressed issues?

mapi will still upload suppressed issues during a run, but they will be hidden by default. In order to see suppressed issues from the CLI, for instance, you will need to supply an extra flag --include-suppressed:

▶ mapi issue list <job-id>> --include-suppressed

 35717  internal-server-error           GET     pet/findByTags       true        Ignore all GETs
 35716  internal-server-error           GET     pet/{petId}          true        Ignore all GETs
 35715  internal-server-error           POST    user                 false
 35714  internal-server-error           POST    pet                  false