fuzzing-apis


API Fuzzer

Overview

Perform API fuzzing to discover crashes, unhandled exceptions, security vulnerabilities, and edge case failures by sending malformed, unexpected, and boundary-value inputs to API endpoints. Supports RESTler (stateful REST API fuzzing), Schemathesis (OpenAPI-driven property-based testing), custom fuzz harnesses with fast-check, and OWASP ZAP active scanning.

Prerequisites

  • API specification available (OpenAPI/Swagger, GraphQL SDL, or Protobuf definitions)
  • Target API running in a test environment (never fuzz production)
  • Fuzzing tool installed (Schemathesis, RESTler, or custom harness with fast-check/Hypothesis)
  • API authentication credentials for protected endpoints
  • Error logging enabled on the target server to capture crashes and stack traces

Instructions

  1. Parse the API specification to identify all endpoints, methods, and input schemas:
    • Read OpenAPI spec files using Glob (**/openapi.yaml, **/swagger.json).
    • Catalog each endpoint's parameters (path, query, header, body) and their types.
    • Note validation constraints (min/max, pattern, enum, required fields).
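
An added example of the cataloguing in step 1, not code from this skill or from any of the tools it names. The spec is a constructed sample, the names `resolve`, `entry` and `catalog` are hypothetical, and it assumes a JSON spec with local `$ref` pointers and `application/json` bodies only.

```python
import json
from functools import reduce

# Constructed sample spec; a real run loads **/openapi.yaml or **/swagger.json.
SPEC = json.loads("""{
 "paths": {"/users/{id}": {
   "parameters": [{"name": "id", "in": "path", "required": true,
                   "schema": {"type": "integer", "minimum": 1}}],
   "get": {"parameters": [{"name": "fields", "in": "query",
                           "schema": {"type": "string", "enum": ["name", "email"]}}]},
   "put": {"requestBody": {"content": {"application/json": {
             "schema": {"$ref": "#/components/schemas/User"}}}}}}},
 "components": {"schemas": {"User": {"type": "object", "required": ["email"],
   "properties": {"email": {"type": "string", "maxLength": 254},
                  "age": {"type": "integer", "minimum": 0, "maximum": 150}}}}}
}""")

METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
CONSTRAINTS = ("minimum", "maximum", "minLength", "maxLength", "pattern", "enum")

def resolve(spec, node):
    """Follow local '#/...' $ref pointers (remote refs are not handled)."""
    while isinstance(node, dict) and "$ref" in node:
        node = reduce(lambda t, k: t[k], node["$ref"][2:].split("/"), spec)
    return node

def entry(spec, name, where, schema, required):
    schema = resolve(spec, schema or {})
    return {"name": name, "in": where, "type": schema.get("type"), "required": required,
            "constraints": {k: schema[k] for k in CONSTRAINTS if k in schema}}

def catalog(spec):
    """Map 'METHOD /path' to its path, query, header and body inputs."""
    out = {}
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method in sorted(METHODS & set(item)):
            op = item[method]
            # Operation-level parameters override path-level ones with the same (name, in).
            params = [resolve(spec, p) for p in shared + op.get("parameters", [])]
            merged = {(p["name"], p["in"]): p for p in params}
            rows = [entry(spec, p["name"], p["in"], p.get("schema"), p.get("required", False))
                    for p in merged.values()]
            body = resolve(spec, op.get("requestBody", {})).get("content", {})
            schema = resolve(spec, body.get("application/json", {}).get("schema", {}))
            for name, prop in schema.get("properties", {}).items():
                rows.append(entry(spec, name, "body", prop, name in schema.get("required", [])))
            out[f"{method.upper()} {path}"] = rows
    return out
```

Each row's `constraints` entry gives the limits from which boundary and out-of-range fuzz inputs can later be derived for that field.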

First Seen: Feb 1, 2026