Fuzzing REST APIs for Bugs: An Empirical Analysis

Kumar, Sunil; Gajrani, Jyoti; Tripathi, Meenakshi

doi:10.1007/978-981-19-7513-4_28

Sunil Kumar⁷,
Jyoti Gajrani⁷ &
Meenakshi Tripathi⁸

Part of the book series: Smart Innovation, Systems and Technologies ((SIST,volume 326))

Included in the following conference series:

International Conference on Frontiers of Intelligent Computing: Theory and Applications

224 Accesses

Abstract

Today every application needs to interact with many other applications to function. APIs are bringing applications together in order to perform a designed function built around exchanging data and executing pre-defined processes. With the increasing use of APIs, concern about API security is also increasing. Organizations use various testing techniques for security testing of their APIs including fuzzing. Fuzzing is an effective technique in security and recent research shows fuzzing will be an effective technique in API security as well. In this paper, we study various available open-source API fuzzers, their fuzzing methodologies, and issues security researchers face with these fuzzers, and empirical analysis of findings of these fuzzers on a vulnerable API. We present our experimental results and propose the concept of a better API fuzzer with better surface detection, fuzz input generation, and speedy fuzzing.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 229.00; Price excludes VAT (USA)

Hardcover Book: USD 299.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Chen, Y., Yang, Y., Lei, Z., Xia, M., Qi, Z.: Bootstrapping automated testing for RESTful web services (2021). https://doi.org/10.1007/978-3-030-71500-7_3
OWASP: OWASP API Top 10 (2019). https://www.owasp.org/
Araujo, F., Medeiros, I., Neves, N.: Generating tests for the discovery of security flaws in product variants. In: Proceedings of the IEEE International Conference on Software Testing, Verification and Validation Workshops, pp. 133–142 (2020)
Google Scholar
Sutton, M., Greene, A., Amini, P.: Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley Professional (2007)
Google Scholar
vAPI. https://github.com/appknox/vapi. Last Accessed 20 Apr 2022
Seagle Jr, R.L.: A framework for file format fuzzing with genetic algorithms (2012)
Google Scholar
Atlidakis, V., Godefroid, P., Polishchuk, M.: RESTler: stateful REST API fuzzing. In: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). IEEE (2019)
Google Scholar
CATS. https://github.com/Endava/cats. Last Accessed 20 Apr 2022
Burp Intruder. https://portswigger.net/burp/documentation/desktop/tools/intruder. Last Accessed 20 Apr 2022
API-Fuzzer. https://github.com/Fuzzapi/API-fuzzer. Last Accessed 20 Apr 2022
TnT-Fuzzer. https://github.com/Teebytes/TnT-Fuzzer. Last Accessed 20 Apr 2022
Zhao, D.: Fuzzing technique in web applications and beyond. J. Phys.: Conf. Ser. 1678(1) (2020) (IOP Publishing)
Google Scholar
Ding, Z.Y., Le Goues, C.: An empirical study of OSS-Fuzz bugs. In: 2021 IEEE/ACM 18th International Conference on Mining Software Repositories (MSR). IEEE (2021)
Google Scholar
Atlidakis, V., et al.: Pythia: grammar-based fuzzing of REST APIs with coverage-guided feedback and learning-based mutations. arXiv Preprint (2020). arXiv:2005.11498
Viglianisi, E., Dallago, M., Ceccato, M.: RESTTESTGEN: automated black-box testing of RESTful APIs. In: 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST). IEEE (2020)
Google Scholar
Arcuri, A.: Evomaster: evolutionary multi-context automated system test generation. In: 2018 IEEE 11th International Conference on Software Testing, Verification and Validation (ICST). IEEE (2018)
Google Scholar
Microsoft Azure. https://azure.microsoft.com/en-in/. Last Accessed 20 Apr 2022

Download references

Author information

Authors and Affiliations

Engineering College Ajmer, Ajmer, Rajasthan, India
Sunil Kumar & Jyoti Gajrani
Malaviya National Institute of Technology, Jaipur, Rajasthan, India
Meenakshi Tripathi

Authors

Sunil Kumar
View author publications
You can also search for this author in PubMed Google Scholar
Jyoti Gajrani
View author publications
You can also search for this author in PubMed Google Scholar
Meenakshi Tripathi
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jyoti Gajrani .

Editor information

Editors and Affiliations

Department of Electronics Engineering, Faculty of Engineering and Technology, Veer Bahadur Singh Purvanchal University, Jaunpur, Uttar Pradesh, India
Vikrant Bhateja
School of Science and Technology, Middlesex University London, London, UK
Xin-She Yang
Western Norway University of Applied Sciences, Bergen, Norway
Jerry Chun-Wei Lin
Department of Computer Science and Engineering, National Institute of Technology Agartala, Agartala, West Tripura, India
Ranjita Das

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Kumar, S., Gajrani, J., Tripathi, M. (2023). Fuzzing REST APIs for Bugs: An Empirical Analysis. In: Bhateja, V., Yang, XS., Lin, J.CW., Das, R. (eds) Evolution in Computational Intelligence. FICTA 2022. Smart Innovation, Systems and Technologies, vol 326. Springer, Singapore. https://doi.org/10.1007/978-981-19-7513-4_28

Download citation

DOI: https://doi.org/10.1007/978-981-19-7513-4_28
Published: 26 April 2023
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-7512-7
Online ISBN: 978-981-19-7513-4
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)

Publish with us

Policies and ethics

Fuzzing REST APIs for Bugs: An Empirical Analysis