REST-ler: Stateful REST API Fuzzing
Technical TrackIndustry Program
This paper introduces RESTler, the first stateful REST API fuzzer. RESTler analyzes the API specification of a cloud service and generates sequences of requests that automatically test the service through its API. REST-ler generates test sequences by (1) inferring producer-consumer dependencies among request types declared in the specification (eg inferring that “a request B should be executed after request A” because B takes as an input a resource-id x produced by A) and by (2) analyzing dynamic feedback from responses observed during prior test executions in order to generate new tests (eg learning that “a request C after a request sequence A;B is refused by the service” and therefore avoiding this combination in the future).
We present experimental results showing that these two techniques are necessary to thoroughly exercise a service under test while pruning the large search space of possible request sequences. We used RESTler to test GitLab, a large open-source self-hosted Git service, as well as several Microsoft Azure and Office365 cloud services. RESTler found 28 bugs in Gitlab and several bugs in each of the Azure and Office365 cloud services tested so far. These bugs have been confirmed and fixed by the service owners.
Fri 31 MayDisplayed time zone: Eastern Time (US & Canada) change
11:00 - 12:30
FuzzingTechnical Track / Papers at Duluth
Chair(s): Marcel Böhme Monash University
|SLF: Fuzzing without Valid Seed InputsTechnical TrackIndustry Program|
Wei You Purdue University, Xuwei Liu Zhejiang University, Shiqing Ma Purdue University, USA, David Mitchel Perry Purdue University, Xiangyu Zhang Purdue University, Bin Liang Renmin University of China, China
|Superion: Grammar-Aware Greybox FuzzingTechnical Track|
Junjie Wang Nanyang Technological University, Bihuan Chen Fudan University, Lei Wei Nanyang Technological University, Yang Liu Nanyang Technological University, Singapore
|Grey-box Concolic Testing on Binary CodeTechnical TrackIndustry Program|
Jaeseung Choi KAIST, Joonun Jang Samsung Research, Samsung Electronics, Choongwoo Han NAVER Corporation, Sang Kil Cha KAIST
|REST-ler: Stateful REST API FuzzingTechnical TrackIndustry Program|
Vaggelis Atlidakis Columbia University, Patrice Godefroid Microsoft Research, Marina Polishchuk MicrosoftLink to publication