REST API Fuzzing by Coverage Level Guided Blackbox Testing
This work addresses reliability and security issues in web applications by improving testing efficiency for REST APIs, though it is incremental as it enhances existing black box fuzzing methods.
The paper tackles the problem of blind mutations in black box fuzz testing for REST APIs by using test coverage level feedback to guide input generation, resulting in the discovery of 89 bugs in open-source projects and 351 bugs in remote API services.
With the growth of web applications, REST APIs have become the primary communication method between services. In order to ensure system reliability and security, software quality can be assured by effective testing methods. Black box fuzz testing is one of the effective methods to perform tests on a large scale. However, conventional black box fuzz testing generates random data without judging the quality of the input. We implement a black box fuzz testing method for REST APIs. It resolves the issues of blind mutations without knowing the effectiveness by Test Coverage Level feedback. We also enhance the mutation strategies by reducing the testing complexity for REST APIs, generating more appropriate test cases to cover possible paths. We evaluate our method by testing two large open-source projects and 89 bugs are reported and confirmed. In addition, we find 351 bugs from 64 remote API services in APIs.guru. The work is in https://github.com/iasthc/hsuan-fuzz.