Fuzzing Web APIs for Functional and Security Testing
Web APIs are a cornerstone of modern web architectures: they are essential for integrating systems and for building microservice architectures, and they are increasingly adopted to let different services communicate and share data over the web. In other programming domains (e.g., smartphone apps or web sites) a GUI is typically available to suggest which interactions can be taken next (e.g., the available widgets or links); web APIs have no graphical user interface, so all operations are equally available to a fuzzer even when they are not logically meaningful at a given moment. Automatically fuzzing web APIs therefore requires addressing peculiar challenges: not only picking the most appropriate input data, but also fuzzing operations in an appropriate order even though no GUI suggests a logical sequence of interactions. In this keynote I will cover the main research challenges that must be addressed to automatically fuzz web APIs. Moreover, I will touch on some recent research achievements, including the use of deep reinforcement learning to train a fuzzing agent for functional testing, security testing based on test patterns, and the reusable research tools available to the research community to build on.
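The ordering problem described above, as an added illustration that is not part of the keynote or of any tool it mentions: with no GUI to hint at a logical sequence, a stateful fuzzer can recover producer/consumer relations between operations (an id returned by one call is a path parameter of another) and schedule operations so producers run first. The spec below is a constructed, hypothetical service, and the field names are assumptions.

```python
"""Dependency-aware operation ordering for stateful web-API fuzzing."""
import re
from collections import defaultdict

# Constructed sample of an OpenAPI-like spec (hypothetical service, not a
# real API): each operation is mapped to the response fields it produces.
SPEC = {
    "POST /users": ["userId"],
    "GET /users/{userId}": [],
    "POST /users/{userId}/orders": ["orderId"],
    "DELETE /orders/{orderId}": [],
}

def consumed_params(operation):
    """Path parameters an operation needs, e.g. {'userId'} for GET /users/{userId}."""
    return set(re.findall(r"\{(\w+)\}", operation))

def build_dependencies(spec):
    """Map each operation to the set of other operations producing a value it consumes.
    A consumed parameter with no producer means the fuzzer can never reach
    that operation meaningfully, so it is reported instead of silently ignored."""
    producers = defaultdict(set)
    for op, produced in spec.items():
        for field in produced:
            producers[field].add(op)
    deps = {}
    for op in spec:
        missing = consumed_params(op) - set(producers)
        if missing:
            raise ValueError(f"{op}: no operation produces {sorted(missing)}")
        deps[op] = {p for f in consumed_params(op) for p in producers[f] if p != op}
    return deps

def order_operations(spec):
    """Topological sort (Kahn's algorithm): producers before consumers.
    The result is the call sequence a stateful fuzzer follows in place of
    the navigation hints a GUI would give."""
    deps = build_dependencies(spec)
    indegree = {op: len(d) for op, d in deps.items()}
    ready = [op for op in spec if indegree[op] == 0]
    order = []
    while ready:
        op = ready.pop(0)
        order.append(op)
        for other, d in deps.items():
            if op in d:
                indegree[other] -= 1
                if indegree[other] == 0:
                    ready.append(other)
    if len(order) != len(spec):
        raise ValueError("cyclic dependency: no valid operation sequence")
    return order

if __name__ == "__main__":
    for step, op in enumerate(order_operations(SPEC), 1):
        print(step, op)
```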
Mon 28 Apr (displayed time zone: Eastern Time (US & Canada))
09:00 - 10:30 Keynote (90 min): Keynote by Mariano Ceccato (SBFT). Speaker: Mariano Ceccato, University of Verona