Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs

Author:

Arcuri Andrea (1), Zhang Man (2), Galeotti Juan (3)

Affiliation:

1. Kristiania University College and Oslo Metropolitan University, Oslo, Norway

2. Beihang University, Beijing, China

3. University of Buenos Aires, CONICET and Kristiania University College, Buenos Aires, Argentina

Abstract

Due to its importance and widespread use in industry, automated testing of REST APIs has attracted major interest from the research community in the last few years. However, most of the work in the literature has been focused on black-box fuzzing. Although existing fuzzers have been used to automatically find many faults in existing APIs, there are still several open research challenges that hinder the achievement of better results (e.g., in terms of code coverage and fault finding). For example, under-specified schemas are a major issue for black-box fuzzers. Currently, EvoMaster is the only existing tool that supports white-box fuzzing of REST APIs. In this paper, we provide a series of novel white-box heuristics, including for example how to deal with under-specified constraints in API schemas, as well as under-specified schemas in SQL databases. Our novel techniques are implemented as an extension to our open-source, search-based fuzzer EvoMaster. An empirical study on 14 APIs from the EMB corpus, plus one industrial API, shows clear improvements of the results in some of these APIs.

Funder

European Research Council

European Union’s Horizon 2020 research and innovation programme

UBACYT-2020

Publisher

Association for Computing Machinery (ACM)

