RESTler
What is RESTler?
RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. For a given cloud service with an OpenAPI/Swagger specification, RESTler analyzes its entire specification and then generates and executes tests that exercise the service through its REST API.
RESTler intelligently infers producer-consumer dependencies among request types from the Swagger specification. During testing, it checks for specific classes of bugs and dynamically learns how the service behaves from prior service responses. This intelligence allows RESTler to explore deeper service states reachable only through specific request sequences and to find more bugs.
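To illustrate the idea of producer-consumer dependencies, here is an added example that is not RESTler's code or algorithm. It assumes a simplified heuristic (a path parameter is the id returned by POST on the path prefix before it) and runs on a constructed sample spec; all function names are hypothetical.

```python
import re
from graphlib import TopologicalSorter

def _created():  # a 201 response whose body carries the new resource's id
    return {"responses": {"201": {"schema": {"properties": {"id": {"type": "string"}}}}}}

# Constructed sample spec (Swagger 2.0 shape, trimmed to the fields used here).
SPEC = {"paths": {
    "/blogs/{blogId}/posts/{postId}": {"get": {"responses": {"200": {}}}},
    "/blogs/{blogId}/posts": {"post": _created()},
    "/blogs/{blogId}": {"get": {"responses": {"200": {}}}, "delete": {"responses": {"204": {}}}},
    "/blogs": {"post": _created()},
    "/users/{userId}": {"get": {"responses": {"200": {}}}},  # no POST /users: unresolved
}}

def produces_id(op):
    """True if a 2xx response schema declares an 'id' property."""
    return any(status.startswith("2") and "id" in resp.get("schema", {}).get("properties", {})
               for status, resp in op.get("responses", {}).items())

def infer_dependencies(spec):
    """Return (deps, unresolved): deps maps 'METHOD path' to the producers it needs;
    unresolved lists (path, parameter) pairs with no producer in the spec."""
    paths, deps, unresolved = spec["paths"], {}, []
    for path, ops in paths.items():
        producers = set()
        # Assumed heuristic: '{param}' is the id returned by POST on the prefix before it.
        for m in re.finditer(r"/\{([^}]+)\}", path):
            prefix = path[:m.start()]
            post = paths.get(prefix, {}).get("post")
            if post and produces_id(post):
                producers.add(f"POST {prefix}")
            else:
                unresolved.append((path, m.group(1)))
        for method in ops:
            deps[f"{method.upper()} {path}"] = set(producers)
    return deps, unresolved

def request_order(spec):
    """Order requests so that every producer runs before its consumers."""
    deps, _ = infer_dependencies(spec)
    return list(TopologicalSorter(deps).static_order())

if __name__ == "__main__":
    for req in request_order(SPEC):
        print(req)
    print("unresolved:", infer_dependencies(SPEC)[1])
```

Requests listed as unresolved have no producer in the spec, so a test run cannot reach them with a valid id unless one is supplied by other means.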
Using RESTler
RESTler runs in 4 main modes (in order):
- Compile: from a Swagger JSON or YAML specification (and optionally examples), generate a RESTler grammar. See Compiling.
- Test: quickly execute all of the endpoints+methods in a compiled RESTler grammar to debug the test setup and compute which parts of the Swagger spec are covered. This mode is also called a smoketest. See Testing. To use custom test engine settings, see Test Engine Settings.
- Fuzz-lean: execute every endpoint+method in a compiled RESTler grammar once, with a default set of checkers, to see if bugs can be found quickly. See Fuzzing.
- Fuzz: bug hunting – explore a RESTler fuzzing grammar in smart breadth-first-search mode (deeper search mode) to find more bugs. Warning: This type of fuzzing is more aggressive and may create outages in the service under test if the service is poorly implemented (e.g., fuzzing might create resource leaks, performance degradation, backend corruption, etc.). See Fuzzing.
Changelog v9.2.2
- bug fixes
- enable fuzzing based on a different random seed on every run
Copyright (c) Microsoft Corporation.