SpringerLink
Log in

Fuzzing REST APIs forĀ Bugs: An Empirical Analysis

  • Conference paper
  • First Online:
Evolution in Computational Intelligence (FICTA 2022)

Part of the book series: Smart Innovation, Systems and Technologies ((SIST,volume 326))

  • 267 Accesses

Abstract

Today every application needs to interact with many other applications to function. APIs are bringing applications together in order to perform a designed function built around exchanging data and executing pre-defined processes. With the increasing use of APIs, concern about API security is also increasing. Organizations use various testing techniques for security testing of their APIs including fuzzing. Fuzzing is an effective technique in security and recent research shows fuzzing will be an effective technique in API security as well. In this paper, we study various available open-source API fuzzers, their fuzzing methodologies, and issues security researchers face with these fuzzers, and empirical analysis of findings of these fuzzers on a vulnerable API. We present our experimental results and propose the concept of a better API fuzzer with better surface detection, fuzz input generation, and speedy fuzzing.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
EUR 29.95
Price includes VAT (Germany)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
EUR 234.33
Price includes VAT (Germany)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
EUR 299.59
Price includes VAT (Germany)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free ship** worldwide - see info
Hardcover Book
EUR 299.59
Price includes VAT (Germany)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free ship** worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Chen, Y., Yang, Y., Lei, Z., ** automated testing for RESTful web services (2021). https://doi.org/10.1007/978-3-030-71500-7_3

  2. OWASP: OWASP API Top 10 (2019). https://www.owasp.org/

  3. Araujo, F., Medeiros, I., Neves, N.: Generating tests for the discovery of security flaws in product variants. In: Proceedings of the IEEE International Conference on Software Testing, Verification and Validation Workshops, pp. 133ā€“142 (2020)

    Google ScholarĀ 

  4. Sutton, M., Greene, A., Amini, P.: Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley Professional (2007)

    Google ScholarĀ 

  5. vAPI. https://github.com/appknox/vapi. Last Accessed 20 Apr 2022

  6. Seagle Jr, R.L.: A framework for file format fuzzing with genetic algorithms (2012)

    Google ScholarĀ 

  7. Atlidakis, V., Godefroid, P., Polishchuk, M.: RESTler: stateful REST API fuzzing. In: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). IEEE (2019)

    Google ScholarĀ 

  8. CATS. https://github.com/Endava/cats. Last Accessed 20 Apr 2022

  9. Burp Intruder. https://portswigger.net/burp/documentation/desktop/tools/intruder. Last Accessed 20 Apr 2022

  10. API-Fuzzer. https://github.com/Fuzzapi/API-fuzzer. Last Accessed 20 Apr 2022

  11. TnT-Fuzzer. https://github.com/Teebytes/TnT-Fuzzer. Last Accessed 20 Apr 2022

  12. Zhao, D.: Fuzzing technique in web applications and beyond. J. Phys.: Conf. Ser. 1678(1) (2020) (IOP Publishing)

    Google ScholarĀ 

  13. Ding, Z.Y., Le Goues, C.: An empirical study of OSS-Fuzz bugs. In: 2021 IEEE/ACM 18th International Conference on Mining Software Repositories (MSR). IEEE (2021)

    Google ScholarĀ 

  14. Atlidakis, V., et al.: Pythia: grammar-based fuzzing of REST APIs with coverage-guided feedback and learning-based mutations. ar**v Preprint (2020). ar**v:2005.11498

  15. Viglianisi, E., Dallago, M., Ceccato, M.: RESTTESTGEN: automated black-box testing of RESTful APIs. In: 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST). IEEE (2020)

    Google ScholarĀ 

  16. Arcuri, A.: Evomaster: evolutionary multi-context automated system test generation. In: 2018 IEEE 11th International Conference on Software Testing, Verification and Validation (ICST). IEEE (2018)

    Google ScholarĀ 

  17. Microsoft Azure. https://azure.microsoft.com/en-in/. Last Accessed 20 Apr 2022

Download references

Author information

Authors and Affiliations

  1. Engineering College Ajmer, Ajmer, Rajasthan, India

    Sunil KumarĀ &Ā Jyoti Gajrani

  2. Malaviya National Institute of Technology, Jaipur, Rajasthan, India

    Meenakshi Tripathi

Authors
  1. Sunil Kumar
    View author publications

    You can also search for this author in PubMedĀ Google Scholar

  2. Jyoti Gajrani
    View author publications

    You can also search for this author in PubMedĀ Google Scholar

  3. Meenakshi Tripathi
    View author publications

    You can also search for this author in PubMedĀ Google Scholar

Corresponding author

Correspondence to Jyoti Gajrani .

Editor information

Editors and Affiliations

  1. Department of Electronics Engineering, Faculty of Engineering and Technology, Veer Bahadur Singh Purvanchal University, Jaunpur, Uttar Pradesh, India

    Vikrant Bhateja

  2. School of Science and Technology, Middlesex University London, London, UK

    **n-She Yang

  3. Western Norway University of Applied Sciences, Bergen, Norway

    Jerry Chun-Wei Lin

  4. Department of Computer Science and Engineering, National Institute of Technology Agartala, Agartala, West Tripura, India

    Ranjita Das

Rights and permissions

Reprints and permissions

Copyright information

Ā© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Kumar, S., Gajrani, J., Tripathi, M. (2023). Fuzzing REST APIs forĀ Bugs: An Empirical Analysis. In: Bhateja, V., Yang, XS., Lin, J.CW., Das, R. (eds) Evolution in Computational Intelligence. FICTA 2022. Smart Innovation, Systems and Technologies, vol 326. Springer, Singapore. https://doi.org/10.1007/978-981-19-7513-4_28

Download citation

Publish with us

Policies and ethics

Search

Navigation