Validate Your APIs With Ease Using WuppieFuzz: Open Source Fuzzing for REST APIs

We reached the limits of manually testing software due to the growing abundance of software around us. To tackle this, we should explore automated testing techniques. Web services expose a clear attack surface to those with malicious intent.

Ensuring proper quality and security is critical. Especially for those services that are exposed to user input. We present WuppieFuzz, an open-source tool that automates REST API testing by application of fuzzing technology. The fuzzer is developed by TNO (an independent not-for-profit research organization in the Netherlands) and helps to uncover bugs, errors, and vulnerabilities quickly and efficiently.

Obvious attack surface

Application Programming Interfaces (APIs) act as the primary communication bridge between applications and services. REST APIs are a standardized way of such APIs. A REST API follows specific architectural guidelines and is a popular way to orchestrate (back-end) communication between services. But, they also expose those services and the deeper business logic to potential attackers. Thorough testing is essential as a compromised API can lead to significant breaches and data leaks.

Fuzzing: The Power of Randomness

Fuzz testing (or fuzzing) is an automated, dynamic software testing technique. A fuzzer feeds (semi-)random or mutated input to an application under test and evaluates its response. Using various forms of feedback, like covered code while processing a test input, fuzzers can adapt their mutation strategy to e.g., maximize coverage. Through this approach, one can find subtle bugs and vulnerabilities that manual testing might miss as it is hard to manually test those things you do not expect to go wrong.

WuppieFuzz

WuppieFuzz is a coverage-guided REST API fuzzer built on top of the powerful LibAFL fuzzing framework. It supports black-box, grey-box, and white-box fuzzing, meaning that it can test your APIs without needing any in-depth knowledge of the application code that is being tested.

WuppieFuzz automatically generates a variety of requests to your REST API by parsing the OpenAPI specification and testing the API’s response. It uses coverage-guided fuzzing to track the parts of the code that are tested and, based on this feedback, prioritizes new mutations to hit deeper business logic within the API under test.

The results of a fuzzing campaign are made available for inspection through a dashboard. Through the dashboard, one can discover which endpoints or what parts of the code were covered. Furthermore, it enables developers to easily replay, or reproduce, the crashing payloads to debug and fix the API’s code. Thereby, enhancing the reliability, stability, and security of the API.

Why Go WuppieFuzz?

WuppieFuzz was designed with some key aspects in mind. Namely,

Modularity: It’s built to be extensible, supporting Java, JavaScript, Python, and potentially more languages (like Golang) in the future.

Flexibility: It can work in a language-agnostic black-box mode, testing any API that has an OpenAPI specification.

Community-driven: WuppieFuzz is made open source to encourage contributions and use. Any help to extend its capabilities by adding new mutations, features, or language support is greatly appreciated.

Are You Ready to Secure Your APIs?

We’ve made WuppieFuzz available under the Apache 2.0 license and entirely free to use on GitHub. Are you a developer, a tester, or a security researcher? WuppieFuzz has something for you to offer. Designed to help you test your APIs with ease and make your services more resilient.

Check it out, contribute, and let’s build more secure APIs together!