REST-ler: Stateful REST API Fuzzing
Technical TrackIndustry Program
This paper introduces RESTler, the first stateful REST API fuzzer. RESTler analyzes the API specification of a cloud service and generates sequences of requests that automatically test the service through its API. REST-ler generates test sequences by (1) inferring producer-consumer dependencies among request types declared in the specification (eg inferring that “a request B should be executed after request A” because B takes as an input a resource-id x produced by A) and by (2) analyzing dynamic feedback from responses observed during prior test executions in order to generate new tests (eg learning that “a request C after a request sequence A;B is refused by the service” and therefore avoiding this combination in the future).
We present experimental results showing that these two techniques are necessary to thoroughly exercise a service under test while pruning the large search space of possible request sequences. We used RESTler to test GitLab, a large open-source self-hosted Git service, as well as several Microsoft Azure and Office365 cloud services. RESTler found 28 bugs in Gitlab and several bugs in each of the Azure and Office365 cloud services tested so far. These bugs have been confirmed and fixed by the service owners.
Fri 31 MayDisplayed time zone: Eastern Time (US & Canada) change
11:00 - 12:30
|SLF: Fuzzing without Valid Seed InputsTechnical TrackIndustry Program|
|Superion: Grammar-Aware Greybox FuzzingTechnical Track|
|Grey-box Concolic Testing on Binary CodeTechnical TrackIndustry Program|
|REST-ler: Stateful REST API FuzzingTechnical TrackIndustry Program|
Vaggelis Atlidakis Columbia University, Patrice Godefroid Microsoft Research, Marina Polishchuk MicrosoftLink to publication