Open Problems in Fuzzing RESTful APIs: A Comparison of Tools
Man Zhang, Andrea Arcuri

TL;DR
This paper compares seven state-of-the-art RESTful API fuzzers on multiple APIs, analyzing their effectiveness and limitations, and identifies key challenges for future research to improve fuzzing techniques.
Contribution
It provides a comprehensive comparison of existing fuzzers and highlights their limitations through source code analysis, guiding future improvements.
Findings
Fuzzers often fail to cover significant parts of APIs.
Current fuzzers have clear limitations in test generation.
The study identifies concrete challenges for future research.
Abstract
RESTful APIs are a type of web service that is widely used in industry. In the last few years, a lot of effort in the research community has been spent on designing novel techniques to automatically fuzz those APIs to find faults in them. Many real faults were automatically found in a large variety of RESTful APIs. However, the analyzed fuzzers usually treat the APIs as black boxes, and no analysis of what is actually covered in these systems is done. Therefore, although these fuzzers are clearly useful for practitioners, we do not know what their current limitations and actual effectiveness are. Solving this is a necessary step to be able to design better, more efficient and effective techniques. To address this issue, in this paper we compare seven state-of-the-art fuzzers on 18 open-source and one industrial RESTful APIs. We then analyzed the source code of which parts of these APIs…
Taxonomy
Topics: Software System Performance and Reliability · Advanced Software Engineering Methodologies · Software Testing and Debugging Techniques
