Cookie Consent

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

deny icon
Deny
allow icon
Accept
All Posts

Fuzz Your Own API with Mayhem for API

Mayhem Team
September 29, 2022
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

You've seen what Mayhem for API can do in a demo. Now it's time to fuzz your own!

To start testing an API, you only need to provide two things: a specification describing the API, and a URL where it can be reached. You'll be running something like:

mapi run my-api 30 <specification> --url <url>


API Specification

ℹ️ Specifications can be passed to mapi as either local files or URLs.

Mayhem for API is built around OpenAPI 3 specifications. If you have an OpenAPI spec describing your API, you're all set. Pass either a URL or file system path directly to mapi as the <specification> argument!

If you don't have an OpenAPI spec, we support a few alternatives, described below.

mapi run will automatically detect and work with older OpenAPI/Swagger specs.

Alternatively, you can do a one-time conversion into OpenAPI 3 by running your old spec through the mapi convert swagger2 command. 

Postman

mapi run will also automatically detect if it's given a Postman 2.x collection in place of an OpenAPI spec, and work with that.

Alternatively, you can do a one-time conversion from Postman into an OpenAPI 3 spec by running the collection through the mapi convert postman command.

HAR

If you don't have any of the above, you'll need to do a little bit more work to generate a spec for Mayhem for API to use. 

API URL

Mayhem for API needs to know the URL of your API server. Because the requests come directly from the mapi CLI tool running locally on your computer, this will work for APIs that are:

  • Behind a corporate firewall
  • On localhost
  • In a private network
  • On the public internet

If the machine running the CLI can access the API - then we can fuzz it!

Local Fuzz

Proximity and Latency

Although it'll work in just about any configuration, Mayhem for API works better the "closer" it is (in network terms) to the API server. For the best results, this means pointing the fuzzer at a locally-running instance of your server.

Never, Ever, Ever Production

Mayhem for API has one job: finding ways to break an API! You should absolutely not give Mayhem for API the URL of your production services to test against.

API Security. Performance. Validation. Fast.

Prime Your APIs for Performance ... In As Little As 5 Minutes.

Get Free Request A Demo

All right, hopefully you've got Mayhem for API configured to test your API, congrats!

Share this post
Blog

Recent Blogs

View All
Mayhem Makers

Mayhem Makers: Josh Thorngren, VP Marketing and Product

“Mayhem Makers” is a Q&A series dedicated to our growing company. For this month’s profile, we talked with Josh Thorngren, VP Marketing and Product at Mayhem.
Read More
Code Security

5 Key Takeaways From the Cybersecurity White House Briefing

The recent Cybersecurity White House Briefing highlights the importance of proactive measures against emerging threats. Here are five key takeaways.
Read More
Code Security

Why Automotive Security Needs To Extend Beyond the CAN Bus

In this blog post, we’ll explore why the traditional automotive security approach centered around the CAN Bus is no longer sufficient.
Read More
View all

Add a Little Mayhem to Your Inbox

Subscribe to our weekly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Company
AboutCareersPressEvents
Support
Docs & TutorialsContact
Connect with us
© 2024 ForAllSecure
Privacy PolicyTerms of UseCookies Settings
Mayhem Tips

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem