Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs
- Autores
- Arcuri, Andrea; Zhang, Man; Galeotti, Juan Pablo
- Año de publicación
- 2024
- Idioma
- inglés
- Tipo de recurso
- artículo
- Estado
- versión publicada
- Descripción
- Due to its importance and widespread use in industry, automated testing of REST APIs has attracted major interest from the research community in the last few years.However, most of the work in the literature has been focused on black-box fuzzing.Although existing fuzzers have been used to automatically find many faults in existing APIs, there are still several open research challenges that hinder the achievement of better results (e.g., in terms of code coverage and fault finding).For example, under-specified schemas are a major issue for black-box fuzzers.Currently, EvoMaster is the only existing tool that supports white-box fuzzing of REST APIs.In this paper, we provide a series of novel white-box heuristics, including for example how to deal with under-specified constrains in API schemas, as well as under-specified schemas in SQL databases.Our novel techniques are implemented as an extension to our open-source, search-based fuzzer EvoMaster.An empirical study on 14 APIs from the EMB corpus, plus one industrial API, shows clear improvements of the results in some of these APIs.
Fil: Arcuri, Andrea. Kristiania University College; Noruega
Fil: Zhang, Man. Kristiania University College; Noruega
Fil: Galeotti, Juan Pablo. Universidad de Buenos Aires. Facultad de Ciencias Exactas y Naturales. Departamento de Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina - Materia
-
SBST
fuzzing
REST
Web API - Nivel de accesibilidad
- acceso abierto
- Condiciones de uso
- https://creativecommons.org/licenses/by-nc-sa/2.5/ar/
- Repositorio
.jpg)
- Institución
- Consejo Nacional de Investigaciones Científicas y Técnicas
- OAI Identificador
- oai:ri.conicet.gov.ar:11336/256472
Ver los metadatos del registro completo
| id |
CONICETDig_05b88e2a29dba5a89d66245399259526 |
|---|---|
| oai_identifier_str |
oai:ri.conicet.gov.ar:11336/256472 |
| network_acronym_str |
CONICETDig |
| repository_id_str |
3498 |
| network_name_str |
CONICET Digital (CONICET) |
| spelling |
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIsArcuri, AndreaZhang, ManGaleotti, Juan PabloSBSTfuzzingRESTWeb APIhttps://purl.org/becyt/ford/2.2https://purl.org/becyt/ford/2Due to its importance and widespread use in industry, automated testing of REST APIs has attracted major interest from the research community in the last few years.However, most of the work in the literature has been focused on black-box fuzzing.Although existing fuzzers have been used to automatically find many faults in existing APIs, there are still several open research challenges that hinder the achievement of better results (e.g., in terms of code coverage and fault finding).For example, under-specified schemas are a major issue for black-box fuzzers.Currently, EvoMaster is the only existing tool that supports white-box fuzzing of REST APIs.In this paper, we provide a series of novel white-box heuristics, including for example how to deal with under-specified constrains in API schemas, as well as under-specified schemas in SQL databases.Our novel techniques are implemented as an extension to our open-source, search-based fuzzer EvoMaster.An empirical study on 14 APIs from the EMB corpus, plus one industrial API, shows clear improvements of the results in some of these APIs.Fil: Arcuri, Andrea. Kristiania University College; NoruegaFil: Zhang, Man. Kristiania University College; NoruegaFil: Galeotti, Juan Pablo. Universidad de Buenos Aires. Facultad de Ciencias Exactas y Naturales. Departamento de Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; ArgentinaAssociation for Computing Machinery2024-03info:eu-repo/semantics/articleinfo:eu-repo/semantics/publishedVersionhttp://purl.org/coar/resource_type/c_6501info:ar-repo/semantics/articuloapplication/pdfapplication/pdfapplication/pdfhttp://hdl.handle.net/11336/256472Arcuri, Andrea; Zhang, Man; Galeotti, Juan Pablo; Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs; Association for Computing Machinery; ACM Transactions on Software Engineering and Methodology; 33; 6; 3-2024; 1-361049-331XCONICET DigitalCONICETenginfo:eu-repo/semantics/altIdentifier/url/https://dl.acm.org/doi/10.1145/3652157info:eu-repo/semantics/altIdentifier/doi/10.1145/3652157info:eu-repo/semantics/openAccesshttps://creativecommons.org/licenses/by-nc-sa/2.5/ar/reponame:CONICET Digital (CONICET)instname:Consejo Nacional de Investigaciones Científicas y Técnicas2025-09-29T10:37:55Zoai:ri.conicet.gov.ar:11336/256472instacron:CONICETInstitucionalhttp://ri.conicet.gov.ar/Organismo científico-tecnológicoNo correspondehttp://ri.conicet.gov.ar/oai/requestdasensio@conicet.gov.ar; lcarlino@conicet.gov.arArgentinaNo correspondeNo correspondeNo correspondeopendoar:34982025-09-29 10:37:55.866CONICET Digital (CONICET) - Consejo Nacional de Investigaciones Científicas y Técnicasfalse |
| dc.title.none.fl_str_mv |
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs |
| title |
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs |
| spellingShingle |
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs Arcuri, Andrea SBST fuzzing REST Web API |
| title_short |
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs |
| title_full |
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs |
| title_fullStr |
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs |
| title_full_unstemmed |
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs |
| title_sort |
Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs |
| dc.creator.none.fl_str_mv |
Arcuri, Andrea Zhang, Man Galeotti, Juan Pablo |
| author |
Arcuri, Andrea |
| author_facet |
Arcuri, Andrea Zhang, Man Galeotti, Juan Pablo |
| author_role |
author |
| author2 |
Zhang, Man Galeotti, Juan Pablo |
| author2_role |
author author |
| dc.subject.none.fl_str_mv |
SBST fuzzing REST Web API |
| topic |
SBST fuzzing REST Web API |
| purl_subject.fl_str_mv |
https://purl.org/becyt/ford/2.2 https://purl.org/becyt/ford/2 |
| dc.description.none.fl_txt_mv |
Due to its importance and widespread use in industry, automated testing of REST APIs has attracted major interest from the research community in the last few years.However, most of the work in the literature has been focused on black-box fuzzing.Although existing fuzzers have been used to automatically find many faults in existing APIs, there are still several open research challenges that hinder the achievement of better results (e.g., in terms of code coverage and fault finding).For example, under-specified schemas are a major issue for black-box fuzzers.Currently, EvoMaster is the only existing tool that supports white-box fuzzing of REST APIs.In this paper, we provide a series of novel white-box heuristics, including for example how to deal with under-specified constrains in API schemas, as well as under-specified schemas in SQL databases.Our novel techniques are implemented as an extension to our open-source, search-based fuzzer EvoMaster.An empirical study on 14 APIs from the EMB corpus, plus one industrial API, shows clear improvements of the results in some of these APIs. Fil: Arcuri, Andrea. Kristiania University College; Noruega Fil: Zhang, Man. Kristiania University College; Noruega Fil: Galeotti, Juan Pablo. Universidad de Buenos Aires. Facultad de Ciencias Exactas y Naturales. Departamento de Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina |
| description |
Due to its importance and widespread use in industry, automated testing of REST APIs has attracted major interest from the research community in the last few years.However, most of the work in the literature has been focused on black-box fuzzing.Although existing fuzzers have been used to automatically find many faults in existing APIs, there are still several open research challenges that hinder the achievement of better results (e.g., in terms of code coverage and fault finding).For example, under-specified schemas are a major issue for black-box fuzzers.Currently, EvoMaster is the only existing tool that supports white-box fuzzing of REST APIs.In this paper, we provide a series of novel white-box heuristics, including for example how to deal with under-specified constrains in API schemas, as well as under-specified schemas in SQL databases.Our novel techniques are implemented as an extension to our open-source, search-based fuzzer EvoMaster.An empirical study on 14 APIs from the EMB corpus, plus one industrial API, shows clear improvements of the results in some of these APIs. |
| publishDate |
2024 |
| dc.date.none.fl_str_mv |
2024-03 |
| dc.type.none.fl_str_mv |
info:eu-repo/semantics/article info:eu-repo/semantics/publishedVersion http://purl.org/coar/resource_type/c_6501 info:ar-repo/semantics/articulo |
| format |
article |
| status_str |
publishedVersion |
| dc.identifier.none.fl_str_mv |
http://hdl.handle.net/11336/256472 Arcuri, Andrea; Zhang, Man; Galeotti, Juan Pablo; Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs; Association for Computing Machinery; ACM Transactions on Software Engineering and Methodology; 33; 6; 3-2024; 1-36 1049-331X CONICET Digital CONICET |
| url |
http://hdl.handle.net/11336/256472 |
| identifier_str_mv |
Arcuri, Andrea; Zhang, Man; Galeotti, Juan Pablo; Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs; Association for Computing Machinery; ACM Transactions on Software Engineering and Methodology; 33; 6; 3-2024; 1-36 1049-331X CONICET Digital CONICET |
| dc.language.none.fl_str_mv |
eng |
| language |
eng |
| dc.relation.none.fl_str_mv |
info:eu-repo/semantics/altIdentifier/url/https://dl.acm.org/doi/10.1145/3652157 info:eu-repo/semantics/altIdentifier/doi/10.1145/3652157 |
| dc.rights.none.fl_str_mv |
info:eu-repo/semantics/openAccess https://creativecommons.org/licenses/by-nc-sa/2.5/ar/ |
| eu_rights_str_mv |
openAccess |
| rights_invalid_str_mv |
https://creativecommons.org/licenses/by-nc-sa/2.5/ar/ |
| dc.format.none.fl_str_mv |
application/pdf application/pdf application/pdf |
| dc.publisher.none.fl_str_mv |
Association for Computing Machinery |
| publisher.none.fl_str_mv |
Association for Computing Machinery |
| dc.source.none.fl_str_mv |
reponame:CONICET Digital (CONICET) instname:Consejo Nacional de Investigaciones Científicas y Técnicas |
| reponame_str |
CONICET Digital (CONICET) |
| collection |
CONICET Digital (CONICET) |
| instname_str |
Consejo Nacional de Investigaciones Científicas y Técnicas |
| repository.name.fl_str_mv |
CONICET Digital (CONICET) - Consejo Nacional de Investigaciones Científicas y Técnicas |
| repository.mail.fl_str_mv |
dasensio@conicet.gov.ar; lcarlino@conicet.gov.ar |
| _version_ |
1844614400234749952 |
| score |
13.070432 |