A Black Box Tool for Robustness Testing of REST Services

Laranjeiro, Nuno; Agnelo, João; Bernardino, Jorge

doi:10.1109/access.2021.3056505

Cited by 38 publications

(17 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Based on the previous results, we can conclude that foREST has non-trivial performance advantages over RESTler and EvoMaster in fuzzing RESTful APIs. Note that that are also other tools that support RESTful API fuzzing, such as RestTestGen [25] and bBOXRT [18]. However, an empirical study [8] has shown that these tools are either preliminary or not robust compared to RESTler, and RESTler is the best one over them.…”

Section: Comparison With Existing Toolsmentioning

confidence: 99%

foREST: A Tree-based Approach for Fuzzing RESTful APIs

Lin¹,

Li²,

Chen³

et al. 2022

Preprint

View full text Add to dashboard Cite

Representational state transfer (REST) is a widely employed architecture by web applications and cloud. Users can invoke such services according to the specification of their application interfaces, namely RESTful APIs. Existing approaches for fuzzing RESTful APIs are generally based on classic API-dependency graphs. However, such dependencies are inefficient for REST services due to the explosion of dependencies among APIs. In this paper, we propose a novel tree-based approach that can better capture the essential dependencies and largely improve the efficiency of RESTful API fuzzing. In particular, the hierarchical information of the endpoints across multiple APIs enables us to construct an API tree, and the relationships of tree nodes can indicate the priority of resource dependencies, e.g., it's more likely that a node depends on its parent node rather than its offspring or siblings. In the evaluation part, we first confirm that such a tree-based approach is more efficient than traditional graph-based approaches. We then apply our tool to fuzz two real-world RESTful services and compare the performance with two state-of-the-art tools, EvoMaster and RESTler. Our results show that foREST can improve the code coverage in all experiments, ranging from 11.5% to 82.5%. Besides, our tool finds 11 new bugs previously unknown.

show abstract

Section: Comparison With Existing Toolsmentioning

confidence: 99%

foREST: A Tree-based Approach for Fuzzing RESTful APIs

Lin¹,

Li²,

Chen³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…bBOXRT is a black-box robustness testing tool for RESTful APIs proposed by Laranjeiro et al [7], written in Java and available on the authors' website 7 . The aim of bBOXRT is to assess the robustness of REST APIs observing the behavior of services under test when providing invalid requests.…”

Section: Bboxrtmentioning

confidence: 99%

“…To the best of our knowledge, the only black-box testing approaches for REST APIs which provide an implementation, i.e., a usable testing tool, are the one we have taken into account in our comparison (RestTestGen [5], RESTler [6], bBOXRT [7] and RESTest [8], presented in Section III). Regarding test coverage, the only work proposing a systematic approach to assess the coverage of REST APIs testing tools is the framework of Martin-Lopez et al [3], that we have taken as basis for our comparison.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Empirical Comparison of Black-box Test Case Generation Tools for RESTful APIs

Corradini¹,

Zampieri²,

Pasqua³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Recently, deep learning models have been proposed to determine the validity of these inputs [32]. The generated tests can assess the robustness of the API through invalid requests [33], detect regressions across API versions [34], verify the data dependencies among sequences of requests [35], or verify the constraints imposed on their parameters [36]. Metamorphic relations among requests may also serve as the oracle [37].…”

Section: A Test Generation For Web Apismentioning

confidence: 99%

Harvesting Production GraphQL Queries to Detect Schema Faults

Zetterlund,

Tiwari,

Monperrus

et al. 2021

Preprint

View full text Add to dashboard Cite

GraphQL is a new paradigm to design web APIs. Despite its growing popularity, there are few techniques to verify the implementation of a GraphQL API. We present a new testing approach based on GraphQL queries that are logged while users interact with an application in production. Our core motivation is that production queries capture real usages of the application, and are known to trigger behavior that may not be tested by developers. For each logged query, a test is generated to assert the validity of the GraphQL response with respect to the schema. We implement our approach in a tool called AutoGraphQL, and evaluate it on two real-world case studies that are diverse in their domain and technology stack: an open-source e-commerce application implemented in Python called Saleor, and an industrial case study which is a PHP-based finance website called Frontapp. AutoGraphQL successfully generates test cases for the two applications. The generated tests cover 26.9% of the Saleor schema, including parts of the API not exercised by the original test suite, as well as 48.7% of the Frontapp schema, detecting 8 schema faults, thanks to production queries.

show abstract

A Black Box Tool for Robustness Testing of REST Services

Cited by 38 publications

References 48 publications

foREST: A Tree-based Approach for Fuzzing RESTful APIs

foREST: A Tree-based Approach for Fuzzing RESTful APIs

Empirical Comparison of Black-box Test Case Generation Tools for RESTful APIs

Harvesting Production GraphQL Queries to Detect Schema Faults

Contact Info

Product

Resources

About