RESTler: Automatic Intelligent REST API Fuzzing

MSR-TR-2018-11 |

Published by Microsoft

Cloud services have recently exploded with the advent of powerful cloud-computing platforms such as Amazon Web Services and Microsoft Azure. Today, most cloud services are accessed through REST APIs, and Swagger is arguably the most popular interface-description language for REST APIs. A Swagger specification describes how to access a cloud service through its REST API (e.g., what requests the service can handle and what responses may be expected).

This paper introduces RESTler, the first automatic intelligent REST API security-testing tool. RESTler analyzes a Swagger specification and generates tests that exercise the corresponding cloud service through its REST API. Each test is defined as a sequence of requests and responses. RESTler generates tests intelligently by (1) inferring dependencies among request types declared in the Swagger specification (e.g., inferring that “a request B should not be executed before a request A” because B takes as an input argument a resource-id returned by A) and by (2) analyzing dynamic feedback from responses observed during prior test executions in order to generate new tests (e.g., learning that “a request C after a request sequence A;B is refused by the service” and therefore avoiding this combination in the future). We show that these two techniques are necessary to thoroughly exercise a service under test while pruning the large search space of possible request sequences. We also discuss the application of RESTler to test GitLab, a large popular open-source self-hosted Git service, and the new bugs that were found.

Publication Downloads

RESTler-Fuzzer

November 16, 2020

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.

REST API Fuzz Testing

November 16, 2020

This self-hosted service developed for Azure, including its orchestration engine and security tools (including MSR's RESTler), enables developers to embed security tooling into their CI/CD workflows.

Fuzzing to improve the security and reliability of cloud services with RESTler

In the past few years, cloud services have experienced tremendous growth. Most of these services are programmatically accessed through REST APIs. As the pace of development increases, both the APIs and service implementations are evolving rapidly. There is an urgent need for automated tools to test the reliability and security of cloud services that can keep up with today’s fast-paced service development and deployment—tools that provide the necessary level of automation and coverage for the growing number of APIs being deployed across the web. In this webinar, join Marina Polishchuk, a Software Engineer at Microsoft Research, in exploring how RESTler—the first stateful REST API fuzzer—can help efficiently find security and reliability bugs in cloud services. RESTler analyzes a Swagger/OpenAPI specification and produces a fuzzing grammar that contains information about requests and their dependencies. RESTler only fuzzes a request if all its dependent resources have been successfully created—this enables RESTler to achieve deeper coverage out of the box. RESTler also offers a pluggable model for checking security properties. RESTler is open source and available at its GitHub repository. Together, you'll explore: How to use RESTler to fuzz a cloud service The types of bugs that can be discovered through the REST API and their security impact How RESTler addresses the challenges of testing large, complex services through their REST APIs Resource list: RESTler Fuzzing tool (GitHub) RESTler: Stateful REST API Fuzzing (Publication) Checking Security Properties of Cloud Services REST APIs (Publication) Differential Regression Testing for REST APIs (Publication) Intelligent REST API Data Fuzzing (Publication) Marina Polishchuk (Researcher profile) *This on-demand webinar features a previously recorded Q&A session and open captioning. This webinar originally aired on May 26, 2021 Explore more Microsoft Research webinars: https://aka.ms/msrwebinars