Robust application communications security testing: ​as easy as can be

TNO's coverage-guided REST API fuzzer is aimed at a broad audience of end users, with a firm focus on ease of use. You only need to spend little time configuring and are able to interpret the results with ease in the fuzzer’s dashboard. TNO hopes this will make fuzz testing simpler, ultimately improving the cybersecurity of APIs.

APIs: what are those again?

APIs connect the digital world. They facilitate communication between different applications and services, no matter what ‘language’ the application speaks. Think of an API as a kind of waiter who takes information from you (your order) and comes back to you with an answer (your food).

Today, APIs are indispensable in almost every digital service. Representational State Transfer (REST) APIs are particularly popular. These have a specific architecture that works especially well with web services.

The danger of under-tested REST APIs

A security breach due to a flaw in a REST API can have major consequences, because REST APIs communicate with different applications as well as users. In addition, they often have access to business logic and data. All the more reason to make sure REST APIs are secure and robust.

REST API security can be tested with Software Security Testing, but this is complicated and time-consuming. As a result, cybersecurity often takes a back seat in practice: companies test the expected functions of their REST APIs, but forget about the security.

'That’s a problem,' says Thomas Rooijakkers, cybersecurity researcher at TNO. 'What you sometimes see is that a small mistake can have big consequences. The other day, there was an incident that forced a load of flights to be cancelled. This was due to a small error, which could have been detected early with software security testing. Instead, it caused billions of euros in damage.'

Fuzzing to detect errors

To really test the security of a REST API properly, you can send a lot of semi-random data to the API. These data should be similar to the data the API normally receives, but slightly different. This way, you can discover bugs or security flaws that a functionality test won’t reveal. Fuzz testing, or fuzzing, automatically generates these (seemingly) random input data for the application being tested.

Deploying fuzzing yourself is often seen as challenging, as the fuzzers that are available are difficult to commission. It may also be unclear what the organisation behind the fuzzer is doing with your data. With the new REST API fuzzer, TNO hopes to address these challenges and concerns.

New REST API fuzzer makes testing easier

The state-of-the-art REST API fuzzer from TNO (developed on top of LibAFL) makes it easier to carry out fuzzing yourself and detect potential errors in a REST API. Thomas Rooijakkers: 'Surprisingly, we almost always find something straight away when we first run the fuzzer.'

The fuzzer supports a wide range of applications. It works for any REST API ​​(with black-box, grey-box, and white-box testing) and supports code coverage for Java, JavaScript, and Python. In addition, the fuzzer allows you to add new languages easily. Last but not least, the REST API fuzzer meets stringent privacy criteria, and your data won’t be shared with TNO or any third parties.

Fuzzer users have several tools at their disposal. For example, you can visit GitHub for a tutorial and several sample configuration files to help get you started. Interpreting the results is also made easy for you, as the fuzzer features a handy dashboard that displays its findings. The dashboard also provides context, such as the specific API code or endpoints that have been tested. That’s how the REST API fuzzer helps detect potential errors and improve the API.

Get involved and help us improve

The free REST API fuzzer is open source and available under the Apache 2.0 licence on GitHub. You can try the fuzzer for yourself right away and make your REST APIs more secure, more reliable, and more robust – whether during a software development cycle, supply chain quality control, or penetration testing. You can also help TNO make the fuzzer even better.

TNO invites everyone to share their ideas or contribute directly on GitHub, for example by adding new languages or new mutation techniques. Thomas Rooijakkers: 'Contributions are most welcome. That’s why we made the tool open source. We want to make the fuzzer available without needless restrictions, but also receive feedback and guidance.'

If you need help, want to share your ideas, or learn more about tools for automated reliability and security testing, please don’t hesitate to contact us.