FuzzTheREST: An Intelligent Automated Black-box RESTful API Fuzzer

Tiago Dias, Eva Maia, Isabel Praça

TL;DR

This work addresses security testing of black-box RESTful APIs using fuzzing and identifies a gap in which code-coverage metrics are rarely reported, hindering validation of findings. It introduces FuzzTheREST, an RL-guided fuzzing tool that leverages an OpenAPI Specification and scenario descriptions to generate inputs and learn from HTTP responses within the TestLab ecosystem. The approach uses a Multi-table Q-Learning agent with an epsilon-greedy policy and a mutation-based input generator to explore vulnerabilities, validated on the Petstore API where six unique vulnerabilities were discovered and 55% code coverage was achieved. The results demonstrate the potential of coverage-informed, explainable RL-driven fuzzing to improve API security testing beyond simple status-code signals, with ongoing work to broaden data types and integrate coverage into decision-making.

Abstract

Software's pervasive impact and increasing reliance in the era of digital transformation raise concerns about vulnerabilities, emphasizing the need for software security. Fuzzy testing is a dynamic analysis software testing technique that consists of feeding faulty input data to a System Under Test (SUT) and observing its behavior. Specifically regarding black-box RESTful API testing, recent literature has attempted to automate this technique using heuristics to perform the input search and using the HTTP response status codes for classification. However, most approaches do not keep track of code coverage, which is important to validate the solution. This work introduces a black-box RESTful API fuzzy testing tool that employs Reinforcement Learning (RL) for vulnerability detection. The fuzzer operates via the OpenAPI Specification (OAS) file and a scenarios file, which includes information to communicate with the SUT and the sequences of functionalities to test, respectively. To evaluate its effectiveness, the tool was tested on the Petstore API. The tool found a total of six unique vulnerabilities and achieved 55% code coverage.
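As an added illustration (not the authors' code), the loop the TL;DR and abstract describe reduced to its core: one Q-table per request parameter, an epsilon-greedy choice among mutation operators, and a reward derived from the HTTP status code of the response. The target is a constructed in-memory stub standing in for Petstore's getPetById; the mutation set, the coarse response states, the reward values and the hyperparameters are all assumptions.

```python
import random

MUTATIONS = ["keep", "negate", "large", "zero", "string"]  # assumed operators
STATES = ["start", "2xx", "4xx", "5xx"]  # coarse response class the agent observes

def mutate(value, action):
    # Apply one named mutation operator to the base parameter value.
    return {"keep": value, "negate": -value, "large": 2 ** 63,
            "zero": 0, "string": f"{value}x"}[action]

def stub_get_pet_by_id(pet_id):
    # Constructed stub for Petstore's getPetById: a negative id hits an unhandled path (500).
    if not isinstance(pet_id, int):
        return 400
    return 500 if pet_id < 0 else (200 if pet_id in (1, 2, 3) else 404)

def reward(status):
    # Assumed shaping: a server error is the signal worth reinforcing.
    return 10.0 if status >= 500 else (1.0 if status >= 400 else 0.0)

class MultiTableQAgent:
    # One Q-table per request parameter, each indexed by (state, action).
    def __init__(self, params, alpha=0.5, gamma=0.3, epsilon=0.2, seed=0):
        self.q = {p: {s: {a: 0.0 for a in MUTATIONS} for s in STATES}
                  for p in params}
        self.alpha, self.gamma, self.eps = alpha, gamma, epsilon
        self.rng = random.Random(seed)

    def choose(self, param, state):
        # Epsilon-greedy: explore with probability eps, otherwise exploit.
        if self.rng.random() < self.eps:
            return self.rng.choice(MUTATIONS)
        row = self.q[param][state]
        return max(row, key=row.get)

    def update(self, param, state, action, r, next_state):
        row = self.q[param][state]
        target = r + self.gamma * max(self.q[param][next_state].values())
        row[action] += self.alpha * (target - row[action])

def fuzz(iterations=300, seed=0):
    """Drive the stub; return the petId Q-table and the operators that hit 5xx."""
    agent, state, findings = MultiTableQAgent(["petId"], seed=seed), "start", set()
    for _ in range(iterations):
        action = agent.choose("petId", state)
        status = stub_get_pet_by_id(mutate(1, action))
        if status >= 500:
            findings.add(action)
        next_state = f"{status // 100}xx"
        agent.update("petId", state, action, reward(status), next_state)
        state = next_state
    return agent.q["petId"], findings
```

Because the stub's only server error sits behind a negative id, the agent's Q-table ends up favouring the `negate` operator, which is the kind of learned preference the paper's explainability claim rests on.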

Paper Structure (9 sections, 4 figures, 2 tables)

This paper contains 9 sections, 4 figures, 2 tables.

Figures (4)

  • Figure 1: Reinforcement Learning Environment and Agent Overview
  • Figure 2: Proposed Fuzzer's Data Schema
  • Figure 3: GetPetById Agent performance
  • Figure 4: JaCoCo Coverage Report