ForAllSecure Blog

Try API Fuzzing Easily With the Petstore API Demo

Editorial Staff
·
October 25, 2022

We have prepared an instance of the Swagger Petstore API for you to try fuzzing. The Swagger Petstore is a stand-alone REST API server which implements the OpenAPI 3 Specification.

Fuzz the Swagger Petstore API by running the following in your terminal:

mapi run \
     petstore auto "https://demo-api.mayhem4api.forallsecure.com/api/v3/openapi.json" \
     --url "https://demo-api.mayhem4api.forallsecure.com/api/v3/" \
     --interactive

Once the run completes, visit your dashboard to see the results!

What just happened?

Let's break that command down to see what happened:

mapi run

Use the CLI to run a fuzzing job.

ℹ️ Check out mapi help if you want to explore some other things the CLI can do!

petstore

Use (and create, if it doesn't already exist) a "target" named petstore for this run. We'll come back to targets in more detail later. For now, a short name that uniquely identifies the API being tested is perfect.

ℹ️ Targets are used to group related fuzzing jobs.

auto

Runs the job until it is decided that enough endpoints have been exercised. You can specify a specific time period here if you wish, such as 30sec to run the job for 30 seconds. The longer the job is run, the more edge cases will be uncovered.

https://demo-api.mayhem4api.forallsecure.com/api/v3/openapi.json

Tells the fuzzer to base its testing on the OpenAPI 3 specification of the petstore demo API, which is hosted on our site for demo purposes.

--url "https://demo-api.mayhem4api.forallsecure.com/api/v3/"

Tells the fuzzer, which is running locally on your computer, to address its tests to the petstore demo API on our network.

--interactive

Runs the fuzzing job with an interactive, terminal-based user interface. This option should be omitted in a continuous integration environment.

You will see the following UI in interactive mode:

Status UI

The status UI contains a fair amount of information:

  • A progress bar at the top, based on the duration of the job and elapsed time.
  • The job logs. If the job doesn't start properly, or runs into trouble, this is where you should see information on how to resolve the issue.
  • The status codes that the fuzzer observed per endpoint. This will help you determine if the fuzzer is covering the endpoints and status code you expected. For instance, if you see only 401 responses, then that means the fuzzer probably needs help with authentication. We cover this in more details in the “API Authentication chapter".

The UI has a few navigation keys that might be handy:

  • q, ^C or <Esc> to quit
  • <Tab> to switch focus between widgets
  • <Space> to make the current widget full screen
  • Arrow keys for horizontal and vertical scrolling

In your run you should see a number of red endpoints, which means that at least one 500 response code is observed. That means we just found some bugs! You should also see a number of green endpoints. These mean that at least one 2xx response has been observed.

API Security. Performance. Validation. Fast.

Prime Your APIs for Performance ... In As Little As 5 Minutes.

Get Free Request A Demo

You're off to a great start on your API fuzzing journey! 

Stay Connected

Subscribe to Updates

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.