APIRL: Deep Reinforcement Learning for REST API Fuzzing
Myles Foley, Sergio Maffeis
TL;DR
APIRL tackles REST API fuzzing by framing it as a deep reinforcement learning problem that uses a transformer-based embedding of API responses to inform mutation decisions. The method integrates a fixed action space of 23 mutations with a DQN that consumes a hybrid observation consisting of a RoBERTa embedding and lightweight state features, guided by a reward emphasizing server-side errors. Key contributions include a novel feedback mechanism from JSON-structured responses, extensive ablation studies on reward design and architecture, and superior bug-finding performance with fewer test cases across 26 real-world REST APIs. This work demonstrates the practical impact of combining rich response representations with reinforcement learning to improve efficiency and generalization in API fuzzing, offering a blueprint for robust automated testing of evolving web services.
Abstract
REST APIs have become key components of web services. However, they often contain logic flaws resulting in server side errors or security vulnerabilities. HTTP requests are used as test cases to find and mitigate such issues. Existing methods to modify requests, including those using deep learning, suffer from limited performance and precision, relying on undirected search or making limited usage of the contextual information. In this paper we propose APIRL, a fully automated deep reinforcement learning tool for testing REST APIs. A key novelty of our approach is the use of feedback from a transformer module pre-trained on JSON-structured data, akin to that used in API responses. This allows APIRL to learn the subtleties relating to test outcomes, and generalise to unseen API endpoints. We show APIRL can find significantly more bugs than the state-of-the-art in real world REST APIs while minimising the number of required test cases. We also study how reward functions, and other key design choices, affect learnt policies in a thorough ablation study.