Not all APIs have an OpenAPI/Postman/Swagger specification available. The only specification is the code itself.
It is still possible to fuzz an API using Mayhem without a specification by recording transactions with the API as an HTTP Archive (.har file) and converting the recording into an OpenAPI specification. While this enables fuzzing of APIs without specifications, there is a trade-off in the accuracy of the converted specification compared with one generated from the code or maintained by hand.
HAR files, or HTTP Archives, at their core, essentially record traffic between a client and a website. In our use case, this is helpful to record API requests that are made as part of normal user interaction with a website and responses that are sent by the API.
⚠️ HAR files contain everything that was sent between your client/browser and the target API. This may include Authorization headers, cookies, etc. It is not advisable to persist or convert a .har file unless it has been stripped of sensitive information beforehand.
If you have a web frontend that interacts with your API, you can record an HTTP Archive by navigating your website and running through various use cases to build a recording of API interactions based on which features you access from the frontend.
Most modern browsers support recording your interactions and exporting a HAR file. See https://toolbox.googleapps.com/apps/har_analyzer/ for browser-specific details.
A web frontend may not make sufficient requests to your API to generate a useful OpenAPI specification. You may have other tools such as a CLI, automated test suites, or a collection of manual curl invocations that can do this. In this case, you can use a proxy to record all of your traffic to produce a HAR file.
The following tools provide support for this capability:
The mapi convert command is used to convert from other formats to an OpenAPI 3 specification.
For example, the following command converts a recording, recording.har into an OpenAPI spec, openapi.yaml:
mapi convert har recording.har --host "127.0.0.1:8080" --base-path "api/v1" --out openapi.yamlLet"s examine the arguments:
--host "127.0.0.1:8080" The conversion will attempt to infer the URL of your API from the recording. If the recording contains requests to multiple URLs, you can specify the --host option to restrict conversion to requests that are only from the specified host.--base-path "api/v1" If your API has a common base path this option will strip the common prefix from all request URLs. This can significantly improve the accuracy of the converted spec.--out opennapi.yaml This will overwrite any existing file, openapi.yaml, with the converted specification. Without this argument, the conversion will be printed to standard out in your terminal.ℹ️ See all available options with the
mapi convert --helpcommand
Upon successful conversion you may inspect the converted file and make any modifications you feel are necessary or start a new run immediately.
Learn more about using an HAR file with Mayhem for API here.
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.
