Skip to main content

API Testing

Building robust APIs is a challenging endeavor that requires thorough testing. While Unit Tests ensure the functional correctness of APIs, Fuzz Tests can test for security and reliability issues. CI Fuzz supports Fuzz Tests for APIs based on JUnit and provides the ability to show the results of the tested API endpoints.

Spring Boot Demo

This Java Spring Boot Demo is an example project to showcase the usage of white-box Fuzz Testing for developers and security experts.

The demo includes multiple examples:

  • Simple Testing Example: A simple example showcasing how minor the syntax differences between a Fuzz Test and Unit Test are.
  • Robustness Examples: Multiple examples showcasing the testing of APIs for error 5xx.
  • Security Examples: Multiple example showing how to use Fuzz Testing to check for security vulnerabilities in webservers.

The project is set up with Maven and CI Fuzz. If you have not installed CI Fuzz yet, check out the Maven setup instructions here.

Fuzz Test Example

The project contains multiple Fuzz Tests triggering different types of issues. The example below tests an endpoint with a MockMvc object and will trigger a Remote Code Execution:

cifuzz run com.demo.controller.UserControllerTest::fuzzTestGetUser
UserControllerTest.java
package com.demo.controller;

import ...

@WebMvcTest
@AutoConfigureMockMvc(print = MockMvcPrint.NONE)
public class UserControllerTest {
    @Autowired
    private MockMvc mockMvc;

    @FuzzTest
    public void fuzzTestGetUser(@UrlSegment String id, @NotNull String role) throws Exception {
        mockMvc.perform(get("/user/{id}", id)
                        .param("role", role))
                .andExpect(statusIsNot5xxServerError());
    }
}

Inspect your API Fuzz Tests

You can get a summary of the returned status codes of your API Fuzz Test by adding the function collectApiStats() from the jazzer.junit.SpringFuzzTestHelper package to your code:

UserControllerTest.java
package com.demo.controller;

import ...
import static com.code_intelligence.jazzer.junit.SpringFuzzTestHelper.collectApiStats;

@WebMvcTest
@AutoConfigureMockMvc(print = MockMvcPrint.NONE)
public class UserControllerTest {
    @Autowired
    private MockMvc mockMvc;

    @FuzzTest
    public void fuzzTestGetUser(@UrlSegment String id, @NotNull String role) throws Exception {
        mockMvc.perform(get("/user/{id}", id)
                        .param("role", role))
                .andExpect(statusIsNot5xxServerError())
                .andDo(collectApiStats("/user/{id}"));
    }
}

CI Fuzz will print the overview at the end of the run with general information about the performance of the run and the Finding:

▄  Testing code... Done!
107 Unit Test Equivalents and 1 new Finding in 28s.
1 Finding in total.
Endpoint   | Method | Status Code | Count
/user/{id} | GET    | 200         | 25
/user/{id} | GET    | 403         | 80


💥 [busy_horse] Security Issue: Remote Code Execution in com.demo.controller.UserController.triggerRCE (src/main/java/com/demo/controller/UserController.java:127)