Configure perform API fuzzing to discover edge cases, crashes, and security vulnerabilities.
Use when performing specialized testing.
Trigger with phrases like "fuzz the API", "run fuzzing tests", or "discover edge cases".
Perform API fuzzing to discover crashes, unhandled exceptions, security vulnerabilities, and edge case failures by sending malformed, unexpected, and boundary-value inputs to API endpoints. Supports RESTler (stateful REST API fuzzing), Schemathesis (OpenAPI-driven property-based testing), custom fuzz harnesses with fast-check, and OWASP ZAP active scanning.
Prerequisites
API specification available (OpenAPI/Swagger, GraphQL SDL, or Protobuf definitions)
Target API running in a test environment (never fuzz production)
Fuzzing tool installed (Schemathesis, RESTler, or custom harness with fast-check/Hypothesis)
API authentication credentials for protected endpoints
Error logging enabled on the target server to capture crashes and stack traces
Instructions
Parse the API specification to identify all endpoints, methods, and input schemas:
Read OpenAPI spec files using Glob (**/openapi.yaml, **/swagger.json).
Catalog each endpoint's parameters (path, query, header, body) and their types.
Add x-examples to the OpenAPI spec; use stateful fuzzing to maintain valid sequences
Examples
Schemathesis OpenAPI fuzzing:
# Basic schema-based fuzzing
schemathesis run http://localhost:3000/api/openapi.json \ # 3000: 3 seconds in ms
--stateful=links \
--hypothesis-max-examples=500 \ # HTTP 500 Internal Server Error
--base-url=http://localhost:3000 \ # 3 seconds in ms
--header "Authorization: Bearer $TEST_TOKEN"
# With specific checks
schemathesis run http://localhost:3000/api/openapi.json \ # 3 seconds in ms
--checks all \
--validate-schema=true
fast-check property-based API test:
import fc from 'fast-check';
import request from 'supertest';
import { app } from '../src/app';
test('POST /api/users handles arbitrary input without crashing', async () => {
await fc.assert(
fc.asyncProperty(
fc.record({
name: fc.string(),
email: fc.string(),
age: fc.oneof(fc.integer(), fc.string(), fc.constant(null)),
}),
async (body) => {
const res = await request(app).post('/api/users').send(body);
expect(res.status).toBeLessThan(500); // No server errors # HTTP 500 Internal Server Error
}
),
{ numRuns: 200 } # HTTP 200 OK
);
});
Custom fuzz dictionary for injection testing:
[
"' OR '1'='1",
"<script>alert(1)</script>",
"${7*7}",
"{{7*7}}",
"../../../etc/passwd",
"\u0000",
"A".repeat(100000) # 100000 = configured value
]