Mayhem for API

Develop reliable APIs faster

What is Mayhem for API?

Mayhem for API automates testing REST APIs by bringing the full might of fuzzing methodology to API testing. With the guidance of an API specification, Mayhem for API provides accurate and informative test coverage tailored to any REST API.

How does it work?

Mayhem for API uses a fuzzing engine to automatically generate a comprehensive suite of inputs used to test function and robustness of an application’s API infrastructure. By using fuzzing techniques to generate inputs and observing the response from the application, Mayhem for API can quickly iterate through multitudes of test cases to find weakness in an API’s functionality or security.

Why should I use it?

It is no secret that web APIs have become increasingly important to the operation of modern business. Many business models for new products and services are constructed based on APIs such as billing and identity providers. Trust has become a necessity for APIs. APIs that perform consistently and with high quality earn trust, and those that fail are abandoned. Mayhem for API helps you build trust in your APIs in a number of ways:

  • Resilience - Mayhem for API is great for discovering troublesome 500 Internal Server Errors and server crashes automatically, before your clients do.
  • Security - With a growing list of Security Checkers, Mayhem for API can discover issues such as Server Side Request Forgery (SSRF) and SQL Injection.
  • Quality - Mayhem for API validates all the responses returned from your API with your specification to identify endpoints which are inconsistent with the spec, such as missing fields or incorrect response codes. Keeping your API synchronized
    with your specification ensures that API consumers are not caught of guard with unexpected behavior.
  • Performance - Latency statistics of every endpoint are recorded on every run to provide a clear picture of what endpoints have inconsistent or degraded performance.

The Mayhem for API website provides reproduction steps so that you can replay any issues either with curl or with the mapi CLI.

reproduce-curl

Mayhem for API is not a replacement for existing automated tests. It is complementary! With the help of fuzzing, Mayhem for API identifies blind spots in your existing testing, without the bias or the tedium of manually written tests.

Point and Shoot

Setting up the fuzzer is a breeze. Once you have signed up for a free account all you need to do is download the mapi CLI and start testing your API with a compatible specification such as OpenAPI or a Postman Collection.

Web UI

Reach out!

We aim to provide a great experience. Please reach out to us on Discord or by emailing mayhem4api@forallsecure.com if you have any suggestions or run into any issues. We're more than happy to help!

Let's get started!