Realistic traffic generation for efficient web application fuzzing

Abstract

Black-box API testing is a common way to locate reliability and security bugs in closed-source RESTful services. Such testing technique relies heavily on the OpenAPI specification of the RESTful services, which are often not provided. Therefore, a prototype tool was developed to generate OpenAPI specification of a target RESTful service by processing its traffic. Previously, the traffic fed into the formatter tool was manually generated by interacting with the target service by a real user. In this project, we use Selenium, an automated web testing framework to generate such traffic in a reliable and efficient way. Meanwhile, we offer a significant improvement to the current formatter by supporting path parameter identification. Lastly, we evaluate the quality between manually written OpenAPI specification by examining the source code, and the quality of generated specification by processing its traffic.