RESTler: Stateful REST API Fuzzing

ICSE 2019 |

Publication

This paper introduces RESTler, the first stateful REST API fuzzer. RESTler analyzes the API specification of a cloud service and generates sequences of requests that automatically test the service through its API. RESTler generates test sequences by (1) inferring producer-consumer dependencies among request types declared in the specification (e.g., inferring that “a request B should be executed after request A” because B takes as an input a resource-id x produced by A) and by (2) analyzing dynamic feedback from responses observed during prior test executions in order to generate new tests (e.g., learning that “a request C after a request sequence A;B is refused by the service” and therefore avoiding this combination in the future). We present experimental results showing that these two techniques are necessary to thoroughly exercise a service under test while pruning the large search space of possible request sequences. We used RESTler to test GitLab, an open-source Git service, as well as several Microsoft Azure and Office365 cloud services. RESTler found 28 bugs in GitLab and several bugs in each of the Azure and Office365 cloud services tested so far. These bugs have been confirmed and fixed by the service owners.

Publication Downloads

RESTler-Fuzzer

November 16, 2020

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.

REST API Fuzz Testing

November 16, 2020

This self-hosted service developed for Azure, including its orchestration engine and security tools (including MSR's RESTler), enables developers to embed security tooling into their CI/CD workflows.

Fuzzing to improve the security and reliability of cloud services with RESTler

In the past few years, cloud services have experienced tremendous growth. Most of these services are programmatically accessed through REST APIs. As the pace of development increases, both the APIs and service implementations are evolving rapidly. There is an urgent need for automated tools to test the reliability and security of cloud services that can keep up with today’s fast-paced service development and deployment—tools that provide the necessary level of automation and coverage for the growing number of APIs being deployed across the web. In this webinar, join Marina Polishchuk, a Software Engineer at Microsoft Research, in exploring how RESTler—the first stateful REST API fuzzer—can help efficiently find security and reliability bugs in cloud services. RESTler analyzes a Swagger/OpenAPI specification and produces a fuzzing grammar…