OffensiveRezzer: A Novel Black-Box Fuzzing Tool for Web API

Authors

  • Danar Gumilang Putera, Universitas Indonesia
  • Ruki Harwahyu, Universitas Indonesia

DOI:

https://doi.org/10.15294/sji.v11i2.4631

Keywords:

Black-box testing, Fuzzing, REST, Web API

Abstract

Purpose: The purpose of this study is to introduce OffensiveRezzer, a novel tool designed for black-box fuzzing on Web APIs, and to evaluate its effectiveness in detecting errors, particularly focusing on errors related to input validation implementation.

Methods: We introduced OffensiveRezzer and conducted a comparative analysis against existing fuzzing tools such as EvoMaster, Schemathesis, RestTestGen, Restler, and Tcases to assess its performance. Fuzzing experiments were carried out on a custom Web API application with different input validation levels, namely no input validation, partial input validation, and full input validation.

Result: OffensiveRezzer outperformed the other fuzzing tools in identifying errors in Web APIs, detecting the highest number of unique errors. Summed over the three target applications (no validation, partial validation, and full validation), OffensiveRezzer found 416 errors, followed by Restler (240), RestTestGen (145), EvoMaster (138), Tcases (78), and Schemathesis (42).

Novelty: This study presents OffensiveRezzer as a novel tool specifically designed for black-box fuzzing of Web APIs, with a primary focus on testing input validation implementation. The tool fills a gap among existing fuzzing tools and offers improved capabilities for detecting errors in Web APIs.

Article ID

4631

Published

31-05-2024

Section

Articles

How to Cite

OffensiveRezzer: A Novel Black-Box Fuzzing Tool for Web API. (2024). Scientific Journal of Informatics, 11(2), 387-400. https://doi.org/10.15294/sji.v11i2.4631