REST (Representational State Transfer) is an architectural style that provides guidelines for building web services, commonly referred to as REST APIs or RESTful APIs. Nowadays, REST APIs have been widely adopted in industry, especially in developing large-scale enterprise microservices architectures. Due to its importance and widespread adoption in industry, the validation and verification of REST APIs has attracted major interest from the research community. A lot of automated testing approaches for REST APIs have been proposed in recent years.

Although existing fuzzers have demonstrated effectiveness in code coverage and fault detection, several open research challenges remain that hinder further improvements. For example, benefiting from the OpenAPI Specification (OAS) as a standard for defining schemas, most approaches use OAS as input to generate tests. However, faults or under-specified schemas may exist, representing one of the major issues for black-box fuzzers. In addition, web API commonly interacts with databases. Under-specified constraints may also exist in the database schema, which can hinder the preparation of necessary test data. Without access to source code, such under-specified API schemas and constraints cannot be addressed. But, in the literature, most of the approaches focus on black-box fuzzing. EvoMaster is the only existing open-source fuzzer that supports white-box fuzzing of REST APIs. In this paper, building on EvoMaster, we employed white-box techniques (e.g., method replacement and taint analysis) and proposed a series of novel white-box heuristics to tackle three main challenges: (1) Under-specified schemas in OAS, particularly when HTTP query parameters and header information are missing. If these headers and parameters are not included in API requests during fuzzing, then the code responsible for handling them and their associated functionalities would never be tested. (2) Under-specified constraints in SQL database schemas, especially when the tested API relies on the Java Persistence API (JPA) to access databases. Depending on the state of the databases the API interacts with, the same request may exercise different code paths and correspond to different business scenarios, e.g., happy-path' or exceptional scenarios. As such, invalid data inserted into a SQL database can hamper the testing process for code coverage, e.g., the API may crash when such data is read. (3) \emph{Flag} problem in common library calls. Function calls that return boolean values or raise exceptions on invalid inputs can createfitness plateaus'' in the search space, resulting in no effective guidance for the evolutionary process of generating high-coverage test cases.

To assess the effectiveness of our approach, we carried out an empirical study on 14 open-source, JVM REST APIs currently part of the EMB corpus. To better generalize our results, we also included one industrial API from one of our industrial partners. The results of our empirical study demonstrate clear improvements achieved by our approach on several of these APIs in terms of both code coverage and fault detection. This study enables us to push forward the boundaries of scientific research in white-box fuzzing of Web APIs. Nevertheless, there are still several challenges left, which will require further research on developing more advanced white-box heuristics to solve these further issues.

Our novel heuristics have been integrated as part of our open-source fuzzer EvoMaster. In this presentation, we will explain how our approach tackles major challenges in REST API fuzzing and include a live demo of EvoMaster. However, these novel techniques are independent of EvoMaster. They can be integrated and evaluated in any white-box fuzzer for REST APIs.