FuzzTheREST: An Intelligent Automated Black-box RESTful API Fuzzer
This work addresses software security concerns for developers by providing an automated testing tool, but it is incremental as it builds on existing fuzzing techniques with a focus on code coverage.
The paper tackled the problem of detecting vulnerabilities in RESTful APIs by introducing a black-box fuzzer that uses Reinforcement Learning, achieving 55% code coverage and finding six unique vulnerabilities on the Petstore API.
Software's pervasive impact and increasing reliance in the era of digital transformation raise concerns about vulnerabilities, emphasizing the need for software security. Fuzzy testing is a dynamic analysis software testing technique that consists of feeding faulty input data to a System Under Test (SUT) and observing its behavior. Specifically regarding black-box RESTful API testing, recent literature has attempted to automate this technique using heuristics to perform the input search and using the HTTP response status codes for classification. However, most approaches do not keep track of code coverage, which is important to validate the solution. This work introduces a black-box RESTful API fuzzy testing tool that employs Reinforcement Learning (RL) for vulnerability detection. The fuzzer operates via the OpenAPI Specification (OAS) file and a scenarios file, which includes information to communicate with the SUT and the sequences of functionalities to test, respectively. To evaluate its effectiveness, the tool was tested on the Petstore API. The tool found a total of six unique vulnerabilities and achieved 55\% code coverage.