<div class="csl-bib-body">
<div class="csl-entry">Haider, D. (2023). <i>Improving REST API robustness through continuous fuzzing: A case study</i> [Diploma Thesis, Technische Universität Wien; Technische Universität Darmstadt]. reposiTUm. https://doi.org/10.34726/hss.2023.112723</div>
</div>
-
dc.identifier.uri
https://doi.org/10.34726/hss.2023.112723
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/188203
-
dc.description.abstract
Fuzzing or fuzz testing has gained a lot of popularity in recent years as a powerful addition to the Software Development Lifecycle (SDLC) to find robustness issues in software artifacts. In addition, Continuous Integration (CI) is now the de facto standard in modern software development processes. Hence, bringing fuzzing into the CI pipeline is the next step towards delivering more robust software on a continuous basis. In this thesis, a case study is conducted using a real-world-inspired software project in the domain of web Application Programming Interfaces (APIs). The study investigates the feasibility of integrating readily available fuzzing tools into a continuous development environment. Through thorough literature research, a design for a continuous fuzzing solution was determined. The implemented solution fuzzes the test target in a quick, 10-minute-long fuzzing campaign on every commit using two different fuzzers running in parallel to give developers rapid feedback. In addition, when issuing a merge request to merge the changes from a branch back into the main branch, a 50-minute-long fuzzing campaign employing a white-box fuzzer was implemented. The fuzzing results are combined in a single report that provides clear instructions on how to reproduce any found issues. An evaluation of the proposed solution, which simulates the use of continuous fuzzing in a development process containing 22 commits stretching over the course of over two years, detected 51 different robustness issues in the project, 13 of them being unique across all commits. 2 of the faults were discovered in the latest available version of the software, with one of the faults being not only an issue of robustness, but one which impacts the project’s security, thus demonstrating the usefulness of the implemented solution. This study establishes the technical basis that demonstrates that continuous fuzzing can serve as a promising tool for enhancing the robustness of software.
Building upon this, further investigations can be carried out to explore how this approach can be applied to various software projects in actual development workflows.
en
dc.language
English
-
dc.language.iso
en
-
dc.rights.uri
http://rightsstatements.org/vocab/InC/1.0/
-
dc.subject
Continuous Fuzzing
en
dc.subject
Fuzzing
en
dc.subject
Continuous Integration
en
dc.subject
Software Testing
en
dc.subject
Software Security
en
dc.title
Improving REST API robustness through continuous fuzzing: A case study
en
dc.type
Thesis
en
dc.type
Hochschulschrift
de
dc.rights.license
In Copyright
en
dc.rights.license
Urheberrechtsschutz
de
dc.identifier.doi
10.34726/hss.2023.112723
-
dc.contributor.affiliation
TU Wien, Österreich
-
dc.rights.holder
Daniel Haider
-
dc.publisher.place
Wien
-
tuw.version
vor
-
tuw.thesisinformation
Technische Universität Wien
-
tuw.thesisinformation
Technische Universität Darmstadt
-
tuw.publication.orgunit
E194 - Institut für Information Systems Engineering