Fuzzing REST APIs in Industry: Necessary Features and Open Problems

TL;DR

This paper reports on Volkswagen's experience using the EvoMaster open-source fuzzer for REST API testing, highlighting industrial challenges, necessary features, and open research problems.

Contribution

It provides practical insights from industry on integrating academic API fuzzing tools like EvoMaster and identifies key features and challenges for industrial adoption.

Findings

Feedback from Volkswagen on 4 APIs using EvoMaster.

User study with 11 testing specialists from 4 companies.

Identification of open research challenges in industrial API fuzzing.

Abstract

REST APIs are widely used in industry, in all different kinds of domains. An example is Volkswagen AG, a German automobile manufacturer. Established testing approaches for REST APIs are time consuming, and require expertise from professional test engineers. Due to its cost and importance, in the scientific literature several approaches have been proposed to automatically test REST APIs. The open-source, search-based fuzzer EvoMaster is one of such tools proposed in the academic literature. However, how academic prototypes can be integrated in industry and have real impact to software engineering practice requires more investigation. In this paper, we report on our experience in using EvoMaster at Volkswagen AG, as an EvoMaster user from 2023 to 2026. We share our learnt lessons, and discuss several features needed to be implemented in EvoMaster to make its use in an industrial context successful. Feedback about value in industrial setups of EvoMaster was given from Volkswagen AG about 4 APIs. Additionally, a user study was conducted involving 11 testing specialists from 4 different companies. We further identify several real-world research challenges that still need to be solved.