FuzzTheREST: An Intelligent Automated Black-box RESTful API Fuzzer

TL;DR

FuzzTheREST is an automated black-box RESTful API fuzzer that uses Reinforcement Learning to detect vulnerabilities and improve code coverage, demonstrated on the Petstore API.

Contribution

It introduces a novel RL-based fuzzing tool for RESTful APIs that tracks code coverage and automates vulnerability detection using OpenAPI specifications.

Findings

Detected six unique vulnerabilities in the Petstore API

Achieved 55% code coverage during testing

Demonstrated effectiveness of RL in API fuzzing

Abstract

Software's pervasive impact and increasing reliance in the era of digital transformation raise concerns about vulnerabilities, emphasizing the need for software security. Fuzzy testing is a dynamic analysis software testing technique that consists of feeding faulty input data to a System Under Test (SUT) and observing its behavior. Specifically regarding black-box RESTful API testing, recent literature has attempted to automate this technique using heuristics to perform the input search and using the HTTP response status codes for classification. However, most approaches do not keep track of code coverage, which is important to validate the solution. This work introduces a black-box RESTful API fuzzy testing tool that employs Reinforcement Learning (RL) for vulnerability detection. The fuzzer operates via the OpenAPI Specification (OAS) file and a scenarios file, which includes information to communicate with the SUT and the sequences of functionalities to test, respectively. To evaluate its effectiveness, the tool was tested on the Petstore API. The tool found a total of six unique vulnerabilities and achieved 55\% code coverage.