APIRL: Deep Reinforcement Learning for REST API Fuzzing
Myles Foley, Sergio Maffeis

TL;DR
APIRL is an automated deep reinforcement learning tool that uses transformer-based feedback to effectively test REST APIs, uncovering more bugs with fewer test cases than existing methods.
Contribution
It introduces a novel use of transformer feedback in deep reinforcement learning for REST API fuzzing, improving bug detection and generalization to unseen endpoints.
Findings
APIRL finds more bugs than current state-of-the-art methods.
APIRL minimizes the number of test cases needed for effective testing.
The transformer feedback mechanism enhances learning and generalization.
Abstract
REST APIs have become key components of web services. However, they often contain logic flaws resulting in server-side errors or security vulnerabilities. HTTP requests are used as test cases to find and mitigate such issues. Existing methods to modify requests, including those using deep learning, suffer from limited performance and precision, relying on undirected search or making limited usage of the contextual information. In this paper we propose APIRL, a fully automated deep reinforcement learning tool for testing REST APIs. A key novelty of our approach is the use of feedback from a transformer module pre-trained on JSON-structured data, akin to that used in API responses. This allows APIRL to learn the subtleties relating to test outcomes, and generalise to unseen API endpoints. We show APIRL can find significantly more bugs than the state-of-the-art in real world REST APIs…
Taxonomy
Topics: Software Engineering Research · Web Data Mining and Analysis · Software System Performance and Reliability
