APIRL: Deep Reinforcement Learning for REST API Fuzzing
This addresses the challenge of automated and efficient REST API fuzzing for web service security, representing a novel method rather than an incremental improvement.
The authors tackled the problem of logic flaws and security vulnerabilities in REST APIs by developing APIRL, a deep reinforcement learning tool that uses a transformer module pre-trained on JSON data to improve testing. They showed that APIRL finds significantly more bugs than state-of-the-art methods while minimizing the number of test cases required.
REST APIs have become key components of web services. However, they often contain logic flaws resulting in server side errors or security vulnerabilities. HTTP requests are used as test cases to find and mitigate such issues. Existing methods to modify requests, including those using deep learning, suffer from limited performance and precision, relying on undirected search or making limited usage of the contextual information. In this paper we propose APIRL, a fully automated deep reinforcement learning tool for testing REST APIs. A key novelty of our approach is the use of feedback from a transformer module pre-trained on JSON-structured data, akin to that used in API responses. This allows APIRL to learn the subtleties relating to test outcomes, and generalise to unseen API endpoints. We show APIRL can find significantly more bugs than the state-of-the-art in real world REST APIs while minimising the number of required test cases. We also study how reward functions, and other key design choices, affect learnt policies in a thorough ablation study.