WuppieFuzz: Coverage-Guided, Stateful REST API Fuzzing
- URL: http://arxiv.org/abs/2512.15554v1
- Date: Wed, 17 Dec 2025 16:05:39 GMT
- Title: WuppieFuzz: Coverage-Guided, Stateful REST API Fuzzing
- Authors: Thomas Rooijakkers, Anne Nijsten, Cristian Daniele, Erieke Weitenberg, Ringo Groenewegen, Arthur Melissen,
- Abstract summary: WuppieFuzz is an open-source REST API fuzzer built on LibAFL. It supports white-box, grey-box and black-box fuzzing.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Many business processes currently depend on web services, often using REST APIs for communication. REST APIs expose web service functionality through endpoints, allowing easy client interaction over the Internet. To reduce the security risk resulting from exposed endpoints, thorough testing is desired. Due to the generally vast number of endpoints, automated testing techniques, like fuzzing, are of interest. This paper introduces WuppieFuzz, an open-source REST API fuzzer built on LibAFL, supporting white-box, grey-box and black-box fuzzing. Using an OpenAPI specification, it can generate an initial input corpus consisting of sequences of requests. These are mutated with REST-specific and LibAFL-provided mutators to explore different code paths in the software under test. Guided by the measured coverage, WuppieFuzz then selects which request sequences to send next to reach complex states in the software under test. In this process, it automates harness creation to reduce manual efforts often required in fuzzing. Different kinds of reporting are provided by the fuzzer to help fixing bugs. We evaluated our tool on the Petstore API to assess the robustness of the white-box approach and the effectiveness of different power schedules. We further monitored endpoint and code coverage over time to measure the efficacy of the approach.
Related papers
- Test Amplification for REST APIs via Single and Multi-Agent LLM Systems [1.6499388997661122]
  We investigate the use of large language model (LLM) systems, both single-agent and multi-agent setups, for amplifying existing REST API test suites. We present a comparative evaluation of the two approaches across several dimensions, including test coverage, bug detection effectiveness, and practical considerations such as computational cost and energy usage.
  arXiv Detail & Related papers (2025-04-10T20:19:50Z)
- Test Amplification for REST APIs Using "Out-of-the-box" Large Language Models [1.8024397171920885]
  We report our experience with using ChatGPT and GitHub's Copilot to amplify REST API test suites. We derive a series of guidelines and lessons learned concerning the prompts that result in the strongest test suite.
  arXiv Detail & Related papers (2025-03-13T12:30:14Z)
- AutoRestTest: A Tool for Automated REST API Testing Using LLMs and MARL [46.65963514391019]
  AutoRestTest is a novel tool that integrates the Semantic Property Dependency Graph (SPDG) with Multi-Agent Reinforcement Learning (MARL) and large language models (LLMs) for effective REST API testing.
  arXiv Detail & Related papers (2025-01-15T05:54:33Z)
- LlamaRestTest: Effective REST API Testing with Small Language Models [50.058600784556816]
  We present LlamaRestTest, a novel approach that employs two custom Large Language Models (LLMs) to generate realistic test inputs. We evaluate it against several state-of-the-art REST API testing tools, including RESTGPT, a GPT-powered specification-enhancement tool. Our study shows that small language models can perform as well as, or better than, large language models in REST API testing.
  arXiv Detail & Related papers (2025-01-15T05:51:20Z)
- Your Fix Is My Exploit: Enabling Comprehensive DL Library API Fuzzing with Large Language Models [49.214291813478695]
  Deep learning (DL) libraries, widely used in AI applications, often contain vulnerabilities like overflows and use-after-free errors. Traditional fuzzing struggles with the complexity and API diversity of DL libraries. We propose DFUZZ, an LLM-driven fuzzing approach for DL libraries.
  arXiv Detail & Related papers (2025-01-08T07:07:22Z)
- APIRL: Deep Reinforcement Learning for REST API Fuzzing [3.053989095162017]
  APIRL is a fully automated deep reinforcement learning tool for testing REST APIs. We show APIRL can find significantly more bugs than the state-of-the-art in real world REST APIs.
  arXiv Detail & Related papers (2024-12-20T15:40:51Z)
- A Multi-Agent Approach for REST API Testing with Semantic Graphs and LLM-Driven Inputs [46.65963514391019]
  We present AutoRestTest, the first black-box tool to adopt a dependency-embedded multi-agent approach for REST API testing. Our approach treats REST API testing as a separable problem, where four agents collaborate to optimize API exploration. Our evaluation of AutoRestTest on 12 real-world REST services shows that it outperforms the four leading black-box REST API testing tools.
  arXiv Detail & Related papers (2024-11-11T16:20:27Z)
- DeepREST: Automated Test Case Generation for REST APIs Exploiting Deep Reinforcement Learning [5.756036843502232]
  This paper introduces DeepREST, a novel black-box approach for automatically testing REST APIs. It leverages deep reinforcement learning to uncover implicit API constraints, that is, constraints hidden from API documentation. Our empirical validation suggests that the proposed approach is very effective in achieving high test coverage and fault detection.
  arXiv Detail & Related papers (2024-08-16T08:03:55Z)
- FuzzTheREST: An Intelligent Automated Black-box RESTful API Fuzzer [0.0]
  This work introduces a black-box API fuzz-testing tool that employs Reinforcement Learning (RL) for vulnerability detection. The tool found a total of six unique vulnerabilities and achieved 55% code coverage.
  arXiv Detail & Related papers (2024-07-19T14:43:35Z)
- Adaptive REST API Testing with Reinforcement Learning [54.68542517176757]
  Current testing tools lack efficient exploration mechanisms, treating all operations and parameters equally. Current tools struggle when response schemas are absent in the specification or exhibit variants. We present an adaptive REST API testing technique that incorporates reinforcement learning to prioritize operations during exploration.
  arXiv Detail & Related papers (2023-09-08T20:27:05Z)
- REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service [67.0982378001551]
  We show how a service provider pre-trains an encoder and then deploys it as a cloud service API. A client queries the cloud service API to obtain feature vectors for its training/testing inputs. We show that the cloud service only needs to provide two APIs to enable a client to certify the robustness of its downstream classifier.
  arXiv Detail & Related papers (2023-01-07T17:40:11Z)
This list is automatically generated from the titles and abstracts of the papers in this site.