How to Use an HTTP Archive (HAR) With Mayhem

Not all APIs have an OpenAPI/Postman/Swagger specification available. The only specification is the code itself.

It is still possible to fuzz an API using Mayhem without a specification by recording transactions with the API as an HTTP Archive (.har file) and converting the recording into an OpenAPI specification. While this enables fuzzing of APIs without specifications, there is a trade-off in the accuracy of the converted specification compared with one generated from the code or maintained by hand.

What is an HTTP Archive or HAR file?

HAR files, or HTTP Archives, at their core, essentially record traffic between a client and a website. In our use case, this is helpful to record API requests that are made as part of normal user interaction with a website and responses that are sent by the API.

HAR Files May Contain Sensitive Information

⚠️ HAR files contain everything that was sent between your client/browser and the target API. This may include Authorization headers, cookies, etc. It is not advisable to persist or convert a .har file unless it has been stripped of sensitive information beforehand.

How to Create an .HAR Recording With Your Browser

If you have a web frontend that interacts with your API, you can record an HTTP Archive by navigating your website and running through various use cases to build a recording of API interactions based on which features you access from the frontend.

Most modern browsers support recording your interactions and exporting a HAR file. See https://toolbox.googleapps.com/apps/har_analyzer/ for browser-specific details.

How to Create an .HAR Recording With a Proxy

A web frontend may not make sufficient requests to your API to generate a useful OpenAPI specification. You may have other tools such as a CLI, automated test suites, or a collection of manual curl invocations that can do this. In this case, you can use a proxy to record all of your traffic to produce a HAR file.

The following tools provide support for this capability:

• Charles Proxy
• Fiddler Proxy
• Proxyman

Converting a .HAR to an OpenAPI 3 specification

The mapi convert command is used to convert from other formats to an OpenAPI 3 specification.

For example, the following command converts a recording, recording.har into an OpenAPI spec, openapi.yaml:

mapi convert har recording.har --host "127.0.0.1:8080" --base-path "api/v1" --out openapi.yaml

Let"s examine the arguments:

• --host "127.0.0.1:8080" The conversion will attempt to infer the URL of your API from the recording. If the recording contains requests to multiple URLs, you can specify the --host option to restrict conversion to requests that are only from the specified host.
• --base-path "api/v1" If your API has a common base path this option will strip the common prefix from all request URLs. This can significantly improve the accuracy of the converted spec.
• --out opennapi.yaml This will overwrite any existing file, openapi.yaml, with the converted specification. Without this argument, the conversion will be printed to standard out in your terminal.

ℹ️ See all available options with the mapi convert --help command

Upon successful conversion you may inspect the converted file and make any modifications you feel are necessary or start a new run immediately.

Learn more about using an HAR file with Mayhem for API here.