RESTful APIs are a type of web services that are widely used in industry. In the last few years, a lot of effort in the research community has been spent in designing novel techniques to automatically fuzz those APIs to find faults in them. Many real faults were automatically found in a large variety of RESTful APIs. However, usually the analyzed fuzzers treat the APIs as black-box, and no analysis of what is actually covered in these systems is done. Therefore, although these fuzzers are clearly useful for practitioners, we do not know what are their current limitations and actual effectiveness. Solving this is a necessary step to be able to design better, more efficient and effective techniques. To address this issue, in this paper we compare 6 state-of-the-art fuzzers on 10 RESTful APIs. We then analyzed the source code of which parts of these APIs the fuzzers fail to generate tests for. This analysis points to clear limitations of these current fuzzers, listing concrete challenges for the research community to follow up on.
翻译:RESTful API 是一种在行业中广泛使用的网络服务类型。 在过去几年中,研究界花了大量精力来设计新颖技术,自动模糊这些API,以找出其中的错误。 许多真正的错误在各种RESTful API 中自动发现。 然而,分析过的模糊器通常将API作为黑箱处理,而没有对这些系统中实际覆盖的内容进行分析。 因此,虽然这些模糊器显然对从业人员有用,但我们不知道它们目前的局限性和实际效力。 解决这个问题是设计更好、更有效率和更有效的技术的必要步骤。 为了解决这个问题,我们在本文件中比较了10 RESTful API 上的6个最先进的模糊器。 然后我们分析了这些模糊器中哪些部分的源代码无法产生测试。 这个分析指出这些模糊器的局限性是清楚的,列出了研究界要跟进的具体挑战。