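@comment{Technical report (MSR-TR-2018-11). Fields ordered author/title/venue/identifiers/date/links/abstract; month uses the predefined macro so styles can localise it, and the acronyms in the title are braced so sentence-casing styles keep them intact. The url field is kept verbatim from the source record but is flagged in internal-note because its host is not the publisher's.}
@techreport{atlidakis2018restler,
  author        = {Atlidakis, Vaggelis and Godefroid, Patrice and Polishchuk, Marina},
  title         = {{RESTler}: Automatic Intelligent {REST} {API} Fuzzing},
  institution   = {Microsoft},
  number        = {MSR-TR-2018-11},
  year          = {2018},
  month         = apr,
  url           = {http://approjects.co.za/?big=en-us/research/publication/rest-ler-automatic-intelligent-rest-api-fuzzing/},
  internal-note = {The url host (approjects.co.za, with the publisher path passed as a query parameter) appears to be a third-party redirect rather than the original Microsoft Research page; confirm it resolves to the intended report, and prefer the publisher's own URL or a DOI once known. Add urldate when the link is verified.},
  abstract      = {Cloud services have recently exploded with the advent of powerful cloud-computing platforms such as Amazon Web Services and Microsoft Azure. Today, most cloud services are accessed through REST APIs, and Swagger is arguably the most popular interface-description language for REST APIs. A Swagger specification describes how to access a cloud service through its REST API (e.g., what requests the service can handle and what responses may be expected). This paper introduces RESTler, the first automatic intelligent REST API security-testing tool. RESTler analyzes a Swagger specification and generates tests that exercise the corresponding cloud service through its REST API. Each test is defined as a sequence of requests and responses. RESTler generates tests intelligently by (1) inferring dependencies among request types declared in the Swagger specification (e.g., inferring that ``a request B should not be executed before a request A'' because B takes as an input argument a resource-id returned by A) and by (2) analyzing dynamic feedback from responses observed during prior test executions in order to generate new tests (e.g., learning that ``a request C after a request sequence A;B is refused by the service'' and therefore avoiding this combination in the future). We show that these two techniques are necessary to thoroughly exercise a service under test while pruning the large search space of possible request sequences. We also discuss the application of RESTler to test GitLab, a large popular open-source self-hosted Git service, and the new bugs that were found.},
}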