When it comes to testing APIs, there are a lot of options out there. Generally, you won’t pick a single approach; instead, you will stitch multiple types of testing together to create an API testing stack. One of these types of testing is API fuzzing or fuzz testing. In this blog, we will go over its basics and how to get started. Let’s begin by understanding the key concepts within API fuzzing.
Understanding API Fuzzing
In its most simple form, API fuzzing is a security testing technique where APIs are sent a large number of malformed or unexpected input values. The hope is that through these inputs, certain vulnerabilities or issues will appear so that developers can find and fix them before attackers can. Overall, the goal of fuzzing is to make APIs and the applications they support more secure and reliable.
When developers use fuzzing, they often generate and execute API calls that contain unexpected, invalid, and random data to try and uncover potential vulnerabilities or issues. When developers test their APIs, they usually start with “happy path” tests where the outputs are known, and core application functionality is tested in a predictable way. From here, they may then branch out into some known or expected edge cases. With fuzz testing, developers are forced to go beyond the known and predictable.
API fuzzing is especially useful for:
• Detecting edge cases that could lead to crashes or unexpected behavior.
• Identifying security vulnerabilities like SQL injection, buffer overflows, and authorization bypasses.
• Stress testing API endpoints to ensure they remain stable under unexpected input conditions.
In short, fuzz testing allows developers to inundate an API endpoint with random data at high volumes to uncover security or unexpected performance issues.
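To make the definition concrete, here is an added example written for this post; it is not code from the original article or from any StackHawk product. It fuzzes a small constructed search handler in-process (no HTTP server needed) with two kinds of input: a deterministic sweep that drops each field and substitutes boundary values, and random byte-level mutations of a seed request. The oracle treats any unhandled exception as a crash (a 500 in production) and also flags a response that is wrong without crashing (more results than the requested limit). The handler, its bugs, the boundary list and the seed request are all assumptions made for the example.

```python
"""Mutation fuzzer for a JSON API handler, run entirely in-process."""
import json
import random
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, Optional

# Constructed backing data for the target endpoint.
ITEMS = [f"item-{i}" for i in range(25)]


def handle_search(raw_body: bytes) -> dict:
    """Constructed target: a paginated search endpoint with latent bugs.

    Returns an HTTP-like response dict. Malformed JSON is handled (400);
    every other failure is left for the fuzzer to find.
    """
    try:
        body = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return {"status": 400, "body": {"error": "malformed JSON"}}
    query = body["q"]                       # missing key or non-object body -> exception
    limit = int(body.get("limit", 10))      # no type or range checks on limit/page
    page = int(body.get("page", 1))
    offset = (page - 1) * limit
    hits = [i for i in ITEMS[offset:offset + limit] if query.lower() in i]
    return {"status": 200, "body": {"count": len(hits), "limit": limit}}


# Values on type and range boundaries; each is substituted into every field in turn.
BOUNDARY_VALUES = [None, "", 0, -1, 2**31, 1e308, "0", [], {}, "\u0000", "x" * 10_000, True]


@dataclass(frozen=True)
class Finding:
    kind: str       # "crash" (unhandled exception) or "invariant" (wrong answer, no crash)
    detail: str
    payload: bytes  # the exact request bytes that reproduce the finding


def boundary_cases(seed_body: dict) -> Iterator[bytes]:
    """Generation-style sweep: drop each field, then substitute boundary values."""
    for key in seed_body:
        yield json.dumps({k: v for k, v in seed_body.items() if k != key}).encode()
        for value in BOUNDARY_VALUES:
            yield json.dumps({**seed_body, key: value}).encode()
    for top_level in ([], 42, "q", None):   # valid JSON that is not an object
        yield json.dumps(top_level).encode()


def mutate_bytes(data: bytes, rng: random.Random) -> bytes:
    """Raw byte mutation (radamsa style): flip a bit, insert, delete or duplicate a slice."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "dup"))
    if op == "flip":
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete":
        del buf[rng.randrange(len(buf))]
    else:
        a = rng.randrange(len(buf))
        b = rng.randrange(a, len(buf) + 1)
        buf[a:a] = buf[a:b]
    return bytes(buf)


def check(handler: Callable[[bytes], dict], payload: bytes) -> Optional[Finding]:
    """Run one payload and apply the oracle: no unhandled exception, count <= limit."""
    try:
        resp = handler(payload)
    except Exception as exc:                # would surface as a 500 in production
        return Finding("crash", f"{type(exc).__name__}: {exc}", payload)
    if resp["status"] == 200 and resp["body"]["count"] > resp["body"]["limit"]:
        return Finding("invariant", "count exceeds requested limit", payload)
    return None


def fuzz(handler: Callable[[bytes], dict], seed_body: dict,
         rounds: int = 300, seed: int = 1) -> Dict[str, Finding]:
    """Boundary sweep followed by random byte mutations; findings deduplicated by signature."""
    rng = random.Random(seed)               # fixed seed keeps a run reproducible
    seed_bytes = json.dumps(seed_body).encode()
    payloads = list(boundary_cases(seed_body))
    payloads += [mutate_bytes(seed_bytes, rng) for _ in range(rounds)]
    findings: Dict[str, Finding] = {}
    for payload in payloads:
        finding = check(handler, payload)
        if finding is not None:
            signature = finding.detail.split(":")[0]   # exception class or invariant name
            findings.setdefault(signature, finding)    # keep the first reproducer per signature
    return findings


if __name__ == "__main__":
    for sig, f in fuzz(handle_search, {"q": "item", "limit": 5, "page": 1}).items():
        print(f"{f.kind:9} {sig:30} reproducer={f.payload!r}")
```

Run as a script, it lists one reproducer per distinct failure signature: the dropped `q` field, the non-object bodies, the non-numeric and null pagination values, and the negative limit that silently returns more rows than requested. Deduplicating by signature and keeping the smallest reproducer is what turns a noisy fuzz run into a handful of bugs a developer can act on.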
Comprehensive Testing for API Endpoints
As mentioned at the beginning of the blog, comprehensive testing for API endpoints involves combining multiple testing methods. API fuzzing complements the other approaches and can uncover defects and vulnerabilities that they miss. When creating a testing stack, it’s best to look at what benefits each testing method brings. Fuzz testing APIs brings the following benefits:
• Broader Coverage: Fuzzing explores a wide range of input scenarios, often beyond the imagination of developers.
• Automation-Friendly: Many fuzzing tools integrate seamlessly into CI/CD pipelines, enabling continuous testing.
• Security Focused: It is particularly adept at uncovering security flaws such as injection attacks, improper input validation, and data leakage.
Based on these benefits, some good testing techniques to combine it with include the following:
• Dynamic Application Security Testing (DAST): While DAST tests APIs in runtime conditions to identify potential vulnerabilities, like insecure authentication, fuzzing digs deeper by deliberately sending malformed inputs to observe failures. Although these two can feel similar at times, DAST usually works to uncover specific vulnerabilities, whereas fuzzing can also uncover bugs, crashes, or other instability issues that might not pose any immediate security threat.
• Unit and Integration Testing: These types of static tests work to ensure application functionality works as expected. Fuzzing extends this by challenging input validity assumptions and scenarios outside the predictable and “happy path.”
• Load Testing: In some cases, load and stress testing can incorporate fuzzing to simulate chaotic input scenarios under heavy load. Combining the two can give you a similar output to chaos testing.
These aren’t the only testing methods that work well with fuzzing, but you get the idea: combining various methods together helps to create a more holistic testing strategy. So, how would you go about bringing fuzz testing into your toolkit? Let’s look at that next.
Fuzz Testing Techniques and Tools
In this section, we will briefly look at specific fuzz testing techniques and the tools you can use to implement these techniques. First, let’s look at techniques.
Fuzz Testing Techniques
Although there are probably numerous variants of fuzz testing techniques, three stand out as some of the most popular. These include:
Swarm Testing
This technique rapidly sends diverse and randomized inputs to your API endpoints, mimicking unpredictable real-world scenarios to uncover bugs and performance bottlenecks. When people imagine fuzz testing in their heads, this is usually the default technique that comes to mind.
Schema Fuzzing
More specific to APIs, schema fuzzing uses API specifications, such as OpenAPI or JSON Schema, to generate test cases that either conform to or deliberately violate the expected input structures. This makes it more targeted than swarm testing.
Stateful REST API Fuzzing
If APIs require stateful testing or are part of a workflow (multiple API calls made in succession to complete a task), stateful REST API fuzzing can be used. This technique tests APIs in the context of their operational state by executing sequences of API calls to identify issues in workflows or dependencies.
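The following added example, written for this post rather than taken from the original article or any of the tools named below, shows schema fuzzing and stateful fuzzing side by side against one constructed in-memory notes service. A small spec in the shape of an OpenAPI subset (an assumption; real specs carry much more) supplies both the input schema and the status codes each operation declares. Schema fuzzing derives a valid seed body and then payloads that each break exactly one constraint; stateful fuzzing runs a create/read/delete sequence, feeding the id returned by the create call into later requests. In both cases the oracle comes straight from the spec: a response status the spec does not declare is a bug, and so is accepting input the schema forbids.

```python
"""Schema-driven and stateful fuzzing of an in-process REST-style notes service."""
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed spec: a request-body schema per write operation and the
# status codes each operation declares (the OpenAPI subset this example reads).
SPEC: Dict[str, dict] = {
    "POST /notes": {
        "body": {
            "type": "object",
            "required": ["title"],
            "properties": {"title": {"type": "string", "maxLength": 20},
                           "pinned": {"type": "boolean"}},
        },
        "responses": {201, 400},
    },
    "GET /notes/{id}": {"responses": {200, 404}},
    "DELETE /notes/{id}": {"responses": {204, 404}},
}


class NotesApi:
    """Constructed target: in-memory notes service with two latent bugs."""

    def __init__(self) -> None:
        self.store: Dict[int, dict] = {}
        self.next_id = 1

    def call(self, method: str, path: str, body: Any = None) -> Tuple[int, Any]:
        if method == "POST" and path == "/notes":
            if not isinstance(body, dict) or "title" not in body:
                return 400, {"error": "title required"}
            note_id = self.next_id              # bug 1: maxLength and field types never checked
            self.next_id += 1
            self.store[note_id] = {"id": note_id, **body}
            return 201, self.store[note_id]
        note_id = int(path.rsplit("/", 1)[1])
        if method == "GET":
            return (200, self.store[note_id]) if note_id in self.store else (404, None)
        if method == "DELETE":
            del self.store[note_id]             # bug 2: KeyError (a 500) on an unknown id
            return 204, None
        return 405, None


def valid_example(schema: dict) -> Any:
    """Smallest value that satisfies the schema: the fuzzer's seed input."""
    if schema["type"] == "object":
        return {name: valid_example(prop) for name, prop in schema["properties"].items()}
    samples = {"string": "a" * min(5, schema.get("maxLength", 5)), "boolean": True, "integer": 1}
    return samples[schema["type"]]


def schema_violations(schema: dict) -> Iterator[Tuple[str, Any]]:
    """Yield (label, payload) pairs that each break exactly one declared constraint."""
    base = valid_example(schema)
    for name in schema.get("required", []):
        yield f"missing required '{name}'", {k: v for k, v in base.items() if k != name}
    wrong_type = {"string": 123, "boolean": "yes", "integer": "1"}
    for name, prop in schema["properties"].items():
        yield f"wrong type for '{name}'", {**base, name: wrong_type[prop["type"]]}
        if "maxLength" in prop:
            yield f"maxLength exceeded for '{name}'", {**base, name: "x" * (prop["maxLength"] + 1)}
    yield "body is not an object", ["not", "an", "object"]


def invoke(api: NotesApi, op: str, body: Any = None,
           path_params: Optional[dict] = None) -> Tuple[int, Any, bool]:
    """Call one spec operation; an unhandled exception counts as a 500.
    The third element says whether the status is one the spec declares."""
    method, template = op.split(" ", 1)
    path = template.format(**(path_params or {}))
    try:
        status, resp = api.call(method, path, body)
    except Exception as exc:
        status, resp = 500, f"{type(exc).__name__}: {exc}"
    return status, resp, status in SPEC[op]["responses"]


def schema_fuzz(op: str = "POST /notes") -> List[str]:
    """Schema fuzzing: every violating payload must be rejected with the declared 400."""
    findings = []
    for label, payload in schema_violations(SPEC[op]["body"]):
        status, _, declared = invoke(NotesApi(), op, payload)
        if not declared:
            findings.append(f"{op} [{label}] -> undeclared status {status}")
        elif status != 400:
            findings.append(f"{op} [{label}] -> accepted invalid input ({status})")
    return findings


def stateful_fuzz() -> List[str]:
    """Stateful fuzzing: create/read/delete workflow, then repeats on ids that no longer exist."""
    api = NotesApi()
    _, note, _ = invoke(api, "POST /notes", valid_example(SPEC["POST /notes"]["body"]))
    note_id = note["id"]                    # later calls depend on the id the server chose
    steps = [("GET /notes/{id}", note_id, 200), ("DELETE /notes/{id}", note_id, 204),
             ("GET /notes/{id}", note_id, 404), ("DELETE /notes/{id}", note_id, 404),
             ("DELETE /notes/{id}", 999, 404)]
    findings = []
    for op, target, expected in steps:
        status, _, declared = invoke(api, op, path_params={"id": target})
        if not declared:
            findings.append(f"{op} id={target} -> undeclared status {status}")
        elif status != expected:
            findings.append(f"{op} id={target} -> {status}, expected {expected}")
    return findings


if __name__ == "__main__":
    for line in schema_fuzz() + stateful_fuzz():
        print(line)
```

The schema pass reports that the service accepts a numeric title, a non-boolean `pinned` and a title over `maxLength`, while the stateful pass reports that deleting an already-deleted or never-created note produces a 500 the spec never declared. Neither bug is visible from a single happy-path request, which is the point of driving test generation from the spec and of chaining calls.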
Popular Fuzz Testing Tools
Now that you know some of the techniques, you can begin to explore the tools. As with any kind of testing, there is an abundance of tools that can help developers add fuzz testing to their testing stack. Here are three that will give you a good place to start:
RESTler
Developed by Microsoft, RESTler is an open-source, extensible framework for fuzzing RESTful APIs. This API fuzzer is particularly good at stateful API fuzzing and at understanding the relationships between different API calls. RESTler excels at finding complex bugs that surface through sequences of API calls (e.g., authentication flaws and authorization issues in multi-step processes).
- Key Highlights:
- Learns API request sequences from OpenAPI specifications.
- Generates and executes tests based on learned API behavior.
- Provides detailed bug reports with reproduction steps.
Radamsa
This tool is a general-purpose fuzzer known for its speed and simplicity. While not API-specific, it can be used to generate invalid or unexpected data that you then feed into your API requests. Radamsa is excellent for basic swarm testing, where you want to throw a large volume of randomized, invalid inputs at your API to see what breaks. It’s less specialized than RESTler but can be very effective for raw fuzzing power.
- Key Highlights:
- Lightweight and fast.
- Supports a wide range of file formats and data types.
- Highly configurable mutation engine.
Fuzzapi
Fuzzapi is a Python-based API fuzzing tool designed for ease of use. It allows you to define fuzzing targets and mutation strategies in a simple YAML format. Fuzzapi is a good choice for teams looking for a straightforward way to incorporate fuzzing into their testing process. It supports both schema fuzzing and swarm testing, providing flexibility in approaching your fuzzing strategy.
- Key Highlights:
- Simple setup and configuration.
- Supports various fuzzing methods (e.g., mutation, generation).
- Integrates well with CI/CD pipelines.
Best Practices for API Fuzzing
For those implementing fuzz testing as part of their testing and development process, there are a few best practices to be aware of. These best practices include:
Define Clear Objectives For Your Tests
Understand whether you are testing for functional bugs, security vulnerabilities, or performance issues. Knowing why you are testing can help to keep tests targeted and allow results to be interpreted in context.
Use Your API Docs To Lead The Way
When it comes to kicking off testing, use OpenAPI documentation or other formats, if applicable, to generate meaningful test cases. By referencing these docs, you’ll know exactly what each API request should look like and the corresponding fields in the response, such as a status code or expected headers.
Automate and Integrate
Although fuzzing tools can be run locally, automated test execution can be incorporated into CI/CD pipelines for continuous, repeatable testing. Having every pull request automatically kick off a fuzz testing job and report its results as part of your pipeline is a great way to make sure that all developers are in the know and that all code is covered.
Prioritize Endpoints
If you have a large portfolio of API endpoints, identify the most critical ones as the place to begin. Focus first on high-risk endpoints that handle sensitive data or perform critical operations. Eventually, roll out coverage more holistically, but ensure that critical endpoints and the code behind them are covered by your fuzz testing efforts.
Analyze Results
Don’t blindly follow the reports of your fuzz testing efforts, since not all issues carry the same weight. Fuzzing can produce a lot of noise; prioritize issues based on exploitability and impact.
With these best practices in place, you’ll be on a good path toward efficiently implementing fuzz testing for your APIs.
Conclusion
With that, you’re now familiar with API fuzzing and ready to try it out for yourself. Remember to keep the various types of fuzz testing in mind as you move forward, consider automated tools to make testing easier, and always follow the best practices we discussed. Of course, for those who want to augment their testing beyond simply fuzz testing, StackHawk’s DAST platform can help in multiple ways.
First, StackHawk’s DAST platform can augment your fuzzing efforts through its DAST tool, specifically designed to help you find and fix many vulnerabilities in the OWASP API Top Ten. This can help to confirm if bugs found during the fuzz testing process are exploitable security vulnerabilities.
On top of this, StackHawk also offers API Discovery and Oversight. API discovery can help to ensure that every API in your codebase is accounted for and brought under test for both DAST and API fuzzing. Oversight allows you to see your entire attack surface under a single pane of glass, making security operations more straightforward to manage and track.

Want to try out StackHawk for yourself today? Sign up for a free trial and combine the best DAST for APIs with the power of API fuzz testing that we covered in this blog.