Cloud services have become the new critical infrastructure, and cloud expectations have transformed how developers work. The number of cloud services that are business-critical continues to grow every day, with no end in sight. And the era of boxed software is over: developers are now responsible for continuously shipping new capabilities in live services while also maintaining their security and availability.
Today, most cloud and web services are programmatically accessed through REST (REpresentational State Transfer) APIs. However, the tools for static analysis and fuzz testing that are commonplace in native development aren’t adequate or sufficient for developers of web services. Now more than ever, these developers need automated approaches to discover issues that may compromise services through their APIs, either intentionally by attackers or accidentally through unusual usage patterns. To meet this need, Microsoft researchers have developed and open-sourced new tools to help developers find security and reliability issues in their cloud services by automatically testing their REST APIs.
Over the past few years, researchers at Microsoft have been exploring novel techniques for automatically testing and finding security and reliability bugs in cloud/web services through their REST APIs—including several recently published papers on stateful fuzzing and differential regression testing for REST APIs, and the applications of such techniques to find security vulnerabilities and data-processing bugs.
Researchers and engineers within the company have used these techniques to strengthen the security and reliability of many Microsoft and open-source services. This continued innovation and progress has led to more robust services everywhere.
Built on this research and now available to developers and the open-source community, RESTler is the first stateful REST API fuzzing tool for automatically testing and finding security and reliability bugs in cloud/web services through their REST APIs. Given an OpenAPI/Swagger specification of a cloud/web service REST API, RESTler automatically generates and executes tests that exercise the service through its REST API—no prerecorded REST API traffic or preexisting tests are needed. RESTler intelligently infers dependencies among request types from the API specification, and, during testing, it checks for specific classes of bugs and dynamically learns from prior service responses. This intelligence allows RESTler to explore deeper service states reachable only through specific request sequences and to find more bugs.
In addition to RESTler, Microsoft Research has created a self-hosted REST API fuzzing service, a platform where developers can integrate continuous testing into their builds. It can host a developer-definable set of REST API fuzzing tools, with default support for RESTler and OWASP’s (Open Web Application Security Project) ZAP. Any Docker packaged tool built on Linux can easily be integrated into the platform. New tool integration can be accomplished with a single configuration file.
This lightweight platform brings a developer-first approach to incorporating REST API fuzzing into the service development workflow. It enables developers to kick off a single job, deploying any mix of tools, to regularly test their services. Using the supplied python CLI or their preferred REST client, developers can easily run jobs and get actionable notifications. After fixing identified bugs, developers can re-run requests that identified initial bugs to confirm the validity of their fix.
Today, we are open-sourcing the RESTler tool and the self-hosted REST API Fuzz Testing platform. We hope that cloud service developers, including the open-source community, will take advantage of these new tools to make their services more reliable and secure.
For more details, see https://github.com/microsoft/restler-fuzzer and https://github.com/microsoft/rest-api-fuzz-testing.
RESTler and the REST API Fuzzing platform are the joint work of Microsoft researchers, engineers, and interns. We thank all contributors, including Vaggelis Atlidakis, Jamie Davis, Richard Files, Patrice Godefroid, Marc Greisen, Bo-Yuan Huang, Daniel Lehmann, Marina Polishchuk, Dave Tamasi, and Stas Tishkin. We also thank Microsoft Research managers Tom Ball, Donald Kossmann, Peter Lee, Madan Musuvathi, Mike Walker, Norm Whitaker, and Chris White for their support. Finally, we thank our collaborators in product groups across Microsoft: our early adopters, including Anton Evseev, Tom Gallagher, Mikhail Triakhov, and Natalia Varava, for their valuable feedback, Microsoft service developers for confirming and fixing the bugs we reported, and Azure leaders Albert Greenberg, Mark Russinovich, John Walton, and Craig Wittenberg for encouraging us to pursue this line of research.
- RESTler: Stateful REST API Fuzzing (ICSE 2019)
- Checking Security Properties of Cloud Service REST APIs (ICST 2020)
- Differential Regression Testing for REST APIs (ISSTA 2020)
- Intelligent REST API Data Fuzzing (FSE 2020)
This work was developed under the New Security Ventures group, whose mission it is to empower defenders with next-generation security technologies, and the Research in Software Engineering (RiSE) group.