Performing API Fuzzing with RESTler

When to Use

• Performing automated security testing of REST APIs using their OpenAPI/Swagger specifications
• Discovering bugs that only manifest through specific sequences of API calls (stateful testing)
• Finding 500 Internal Server Error responses that indicate unhandled exceptions or crash conditions
• Testing API input validation by fuzzing parameters with malformed, boundary, and injection payloads
• Running continuous security regression testing in CI/CD pipelines for API changes

Do not use against production environments without explicit authorization and monitoring. RESTler creates and deletes resources aggressively during fuzzing.

Prerequisites

• Written authorization specifying the target API and acceptable testing scope
• Python 3.12+ and .NET 8.0 runtime installed
• RESTler downloaded from https://github.com/microsoft/restler-fuzzer
• OpenAPI/Swagger specification (v2 or v3) for the target API
• API authentication credentials (tokens, API keys, or OAuth credentials)
• Isolated test/staging environment (RESTler can create thousands of resources per hour)