Fuzz Your Own API

Mayhem Team
March 7, 2022
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

It’s safe to say that APIs are now a critical part of modern application architectures today. In the age of SaaS applications and infrastructure, many architectures are designed around being API-first for managing data ingestion and retrieval. Unfortunately, with this ever increasing critical infrastructure most application testing solutions are not up to the challenge of testing APIs. With no GUI available, many solutions struggle to provide input values to properly test APIs and have difficulty making sense of responses and reusing the data to test further into the application logic. 

We designed Mayhem for API from the ground up to overcome challenges faced by legacy testing tools.

Start Fuzzing your APIs for Free!

Probe your REST API with an infinite stream of test cases generated automatically from your OpenAPI specification or Postman collection.

Free Plan Learn More

To start testing an API, you only need to provide two things: a specification describing the API, and a URL where it can be reached. You'll be running something like:

mapi run my-api 30 <specification> --url <url>

API Specification

ℹ️ Specifications can be passed to mapi as either local files or URLs.

Mayhem for API is built around OpenAPI 3.0 specifications. If you have an OpenAPI spec describing your API, you're all set. Pass either a URL or file system path directly to mapi as the <specification> argument!

If you don't have an OpenAPI spec, we support a few alternatives, described below.

OpenAPI 2.x (aka "Swagger")

mapi run will automatically detect and work with older OpenAPI/Swagger specs.

Alternatively, you can do a one-time conversion into OpenAPI 3.x by running your old spec through the mapi convert swagger2 command (see mapi help convert swagger2 for details.)

Postman

mapi run will also automatically detect if it's given a Postman 2.x collection in place of an OpenAPI spec, and work with that.

Alternatively, you can do a one-time conversion from Postman into an OpenAPI 3.x spec by running the collection through the mapi convert postman command (see mapi help convert postman for details.)

HAR

If you don't have any of the above, you'll need to do a little bit more work to generate a spec for Mayhem for API to use. The process is documented in detail over here.

API URL

Mayhem for API needs to know the URL of your API server. Because the requests come directly from the mapi CLI tool running locally on your computer, this will work for APIs that are:

  • Behind a corporate firewall
  • On localhost
  • In a private network
  • On the public internet

If the machine running the CLI can access the API - then we can fuzz it!

Local Fuzz

Proximity and Latency

Although it'll work in just about any configuration, Mayhem for API works better the "closer" it is (in network terms) to the API server. For the best results, this means pointing the fuzzer at a locally-running instance of your server.

Never, Ever, Use Your Own Production Services!

Mayhem for API has one job: finding ways to break an API! You should absolutely not give Mayhem for API the URL of your production services to test against.

All right, hopefully, you've got Mayhem for API configured to test your API, congrats! If you want to check out some additional API fuzzing resources, check out our blogs Testing Postman APIs with Fuzzing and Mayhem for API ❤️ GitHub Code Scanning: Seamless DevSecOps for your REST APIs.

Share this post

Add a Little Mayhem to Your Inbox

Subscribe to our weekly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem