Thesis Details
Fuzz Testing of REST API
This thesis is dealing with fuzz testing of REST API. After presenting state-of-the-art of fuzzing and assessing the current research regarding REST API fuzz testing, we design and implement our REST API fuzzer. The proposed fuzzer infers dependencies of API calls defined in an OpenAPI specification and makes the fuzzing stateful. One of the features is minimization of the number of successive 404 responses while maintaining exploration of a deeper state space of a tested application. To solve the exploration vs. exploitation problem, we used the ordering of dependencies maximizing the probability of obtaining a needed input values and determining of fuzzability of a required parameters. The implementation is an enhancement of the Schemathesis project that is using the Hypothesis library to randomly generate inputs. Our fuzzer is evaluated against the Red Hat Insights application, finding 32 bugs. Amid them, one bug is reproducible only by a stateful set of steps.
fuzz testing, fuzzing, fuzzer, REST API, testing, test generation, inferring dependencies, stateful testing, property based testing, Hypothesis, JSON Schema, OpenAPI, Swagger, Schemathesis
Grégr Matěj, Ing., Ph.D. (DIFS FIT BUT), člen
Holík Lukáš, doc. Mgr., Ph.D. (DITS FIT BUT), člen
Kořenek Jan, doc. Ing., Ph.D. (DCSY FIT BUT), člen
Malinka Kamil, Mgr., Ph.D. (DITS FIT BUT), člen
Polčák Libor, Ing., Ph.D. (DIFS FIT BUT), člen
@mastersthesis{FITMT23094,
author = "Patrik Segedy",
type = "Master's thesis",
title = "Fuzz Testing of REST API",
school = "Brno University of Technology, Faculty of Information Technology",
year = 2020,
location = "Brno, CZ",
language = "english",
url = "https://www.fit.vut.cz/study/thesis/23094/"
}