Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs
- URL: http://arxiv.org/abs/2309.08360v1
- Date: Fri, 15 Sep 2023 12:39:01 GMT
- Title: Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs
- Authors: Andrea Arcuri, Man Zhang, Juan Pablo Galeotti
- Abstract summary: Currently, EvoMaster is the only existing tool that supports white-box fuzzing of REST APIs.
We provide a series of novel white-box heuristics, including for example how to deal with under-specified constraints in API schemas.
Our novel techniques are implemented as an extension to our open-source, search-based fuzzer EvoMaster.
- Score: 3.3714461095047743
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Due to its importance and widespread use in industry, automated testing of
REST APIs has attracted major interest from the research community in the last
few years. However, most of the work in the literature has been focused on
black-box fuzzing. Although existing fuzzers have been used to automatically
find many faults in existing APIs, there are still several open research
challenges that hinder the achievement of better results (e.g., in terms of
code coverage and fault finding). For example, under-specified schemas are a
major issue for black-box fuzzers. Currently, EvoMaster is the only existing
tool that supports white-box fuzzing of REST APIs. In this paper, we provide a
series of novel white-box heuristics, including for example how to deal with
under-specified constraints in API schemas, as well as under-specified schemas
in SQL databases. Our novel techniques are implemented as an extension to our
open-source, search-based fuzzer EvoMaster. An empirical study on 14 APIs from
the EMB corpus, plus one industrial API, shows clear improvements of the
results in some of these APIs.
Related papers
- LlamaRestTest: Effective REST API Testing with Small Language Models [50.058600784556816]
We present LlamaRestTest, a novel approach that employs two custom LLMs to generate realistic test inputs.
LlamaRestTest surpasses state-of-the-art tools in code coverage and error detection, even with RESTGPT-enhanced specifications.
arXiv Detail & Related papers (2025-01-15T05:51:20Z)
- Your Fix Is My Exploit: Enabling Comprehensive DL Library API Fuzzing with Large Language Models [49.214291813478695]
Deep learning (DL) libraries, widely used in AI applications, often contain vulnerabilities like buffer overflows and use-after-free errors.
Traditional fuzzing struggles with the complexity and API diversity of DL libraries.
We propose DFUZZ, an LLM-driven fuzzing approach for DL libraries.
arXiv Detail & Related papers (2025-01-08T07:07:22Z)
- APIRL: Deep Reinforcement Learning for REST API Fuzzing [3.053989095162017]
APIRL is a fully automated deep reinforcement learning tool for testing REST APIs.
We show APIRL can find significantly more bugs than the state-of-the-art in real world REST APIs.
arXiv Detail & Related papers (2024-12-20T15:40:51Z)
- ExploraCoder: Advancing code generation for multiple unseen APIs via planning and chained exploration [70.26807758443675]
ExploraCoder is a training-free framework that empowers large language models to invoke unseen APIs in code solution.
We show that ExploraCoder significantly improves performance for models lacking prior API knowledge, achieving an absolute increase of 11.24% over naive RAG approaches and 14.07% over pretraining methods in pass@10.
arXiv Detail & Related papers (2024-12-06T19:00:15Z)
- A Multi-Agent Approach for REST API Testing with Semantic Graphs and LLM-Driven Inputs [46.65963514391019]
We present AutoRestTest, the first black-box tool to adopt a dependency-embedded multi-agent approach for REST API testing.
Our approach treats REST API testing as a separable problem, where four agents collaborate to optimize API exploration.
Our evaluation of AutoRestTest on 12 real-world REST services shows that it outperforms the four leading black-box REST API testing tools.
arXiv Detail & Related papers (2024-11-11T16:20:27Z)
- FuzzTheREST: An Intelligent Automated Black-box RESTful API Fuzzer [0.0]
This work introduces a black-box API fuzz-testing tool that employs Reinforcement Learning (RL) for vulnerability detection.
The tool found a total of six unique vulnerabilities and achieved 55% code coverage.
arXiv Detail & Related papers (2024-07-19T14:43:35Z)
- WorldAPIs: The World Is Worth How Many APIs? A Thought Experiment [49.00213183302225]
We propose a framework to induce new APIs by grounding wikiHow instruction to situated agent policies.
Inspired by recent successes in large language models (LLMs) for embodied planning, we propose a few-shot prompting to steer GPT-4.
arXiv Detail & Related papers (2024-07-10T15:52:44Z)
- Fuzz Driver Synthesis for Rust Generic APIs [9.34200641681839]
This paper studies the automated fuzz driver synthesis problem for Rust libraries with generic APIs.
By solving such dependencies and type constraints, we can generate a collection of candidate monomorphic APIs.
Experimental results with 29 popular open-source libraries show that our approach can achieve promising generic API coverage with a low rate of invalid fuzz drivers.
arXiv Detail & Related papers (2023-12-17T10:24:34Z)
- Exploring Behaviours of RESTful APIs in an Industrial Setting [0.43012765978447565]
We propose a set of behavioural properties, common to REST APIs, which are used to generate examples of behaviours that these APIs exhibit.
These examples can be used both (i) to further the understanding of the API and (ii) as a source of automatic test cases.
Our approach can generate examples deemed relevant for understanding the system and for a source of test generation by practitioners.
arXiv Detail & Related papers (2023-10-26T11:33:11Z)
- Simple Transparent Adversarial Examples [65.65977217108659]
We introduce secret embedding and transparent adversarial examples as a simpler way to evaluate robustness.
As a result, they pose a serious threat where APIs are used for high-stakes applications.
arXiv Detail & Related papers (2021-05-20T11:54:26Z)
This list is automatically generated from the titles and abstracts of the papers in this site.