English

Deriving Semantics-Aware Fuzzers from Web API Schemas

Cryptography and Security 2021-12-21 v1 Software Engineering

Abstract

Fuzzing -- whether generating or mutating inputs -- has found many bugs and security vulnerabilities in a wide range of domains. Stateful and highly structured web APIs present significant challenges to traditional fuzzing techniques, as execution feedback is usually limited to a response code instead of code coverage and vulnerabilities of interest include silent information-disclosure in addition to explicit errors. Our tool, Schemathesis, derives structure- and semantics-aware fuzzers from web API schemas in the OpenAPI or GraphQL formats, using property-based testing tools. Derived fuzzers can be incorporated into unit-test suites or run directly, with or without end-user customisation of data generation and semantic checks. We construct the most comprehensive evaluation of web API fuzzers to date, running eight fuzzers against sixteen real-world open source web services. OpenAPI schemas found in the wild have a long tail of rare features and complex structures. Of the tools we evaluated, Schemathesis was the only one to handle more than two-thirds of our target services without a fatal internal error. Schemathesis finds 1.4 times to 4.5 times more unique defects than the respectively second-best fuzzer for each target, and is the only fuzzer to find defects in four targets.

Keywords

Cite

@article{arxiv.2112.10328,
  title  = {Deriving Semantics-Aware Fuzzers from Web API Schemas},
  author = {Zac Hatfield-Dodds and Dmitry Dygalo},
  journal= {arXiv preprint arXiv:2112.10328},
  year   = {2021}
}

Comments

Nine pages, one pdf figure

R2 v1 2026-06-24T08:24:01.921Z