Intelligent REST API Data Fuzzing
- Patrice Godefroid ,
- Bo-Yuan Huang ,
- Marina Polishchuk
MSR-TR-2019-37 |
Published by Microsoft
Revised version published in ESEC/FSE'2020, November 2020.
The cloud runs on REST APIs. In this paper, we study how to intelligently generate data payloads embedded in REST API requests in order to find data-processing bugs in cloud services. We discuss how to leverage REST API specifications, which, by definition, contain data schemas for API request bodies. We then propose and evaluate a range of data fuzzing techniques, including structural schema fuzzing rules, various rule combinations, search heuristics, extracting data values from examples included in REST API specifications, and learning data values on-the-fly from previous service responses. After evaluating these techniques, we identify the top-performing combination and use this algorithm to fuzz several Microsoft Azure cloud services. During our experiments, we found 100s of “Internal Server Error” service crashes, which we triaged into 17 unique bugs and reported to Azure developers. All these bugs are reproducible, confirmed, and fixed or in the process of being fixed.
Publication Downloads
RESTler-Fuzzer
November 16, 2020
RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
REST API Fuzz Testing
November 16, 2020
This self-hosted service developed for Azure, including its orchestration engine and security tools (including MSR's RESTler), enables developers to embed security tooling into their CI/CD workflows.