REST API Fuzzing by Coverage Level Guided Blackbox Testing

TL;DR

This paper introduces a coverage-guided black box fuzz testing approach for REST APIs that improves mutation strategies using test coverage feedback, leading to more effective bug detection.

Contribution

It presents a novel REST API fuzzing method that leverages coverage level feedback to guide mutation strategies, enhancing bug detection efficiency.

Findings

Reported 89 bugs in open-source projects

Discovered 351 bugs in remote API services

Improved test case relevance and coverage

Abstract

With the growth of web applications, REST APIs have become the primary communication method between services. In order to ensure system reliability and security, software quality can be assured by effective testing methods. Black box fuzz testing is one of the effective methods to perform tests on a large scale. However, conventional black box fuzz testing generates random data without judging the quality of the input. We implement a black box fuzz testing method for REST APIs. It resolves the issues of blind mutations without knowing the effectiveness by Test Coverage Level feedback. We also enhance the mutation strategies by reducing the testing complexity for REST APIs, generating more appropriate test cases to cover possible paths. We evaluate our method by testing two large open-source projects and 89 bugs are reported and confirmed. In addition, we find 351 bugs from 64 remote API services in APIs.guru. The work is in https://github.com/iasthc/hsuan-fuzz.