We have prepared an instance of the Swagger Petstore API for you to try fuzzing. The Swagger Petstore is a stand-alone REST API server which implements the OpenAPI 3 Specification.
Fuzz the Swagger Pestore API by running the following in your terminal...
mapi run \ petstore auto "https://demo-api.mayhem4api.forallsecure.com/api/v3/openapi.json" \ --url "https://demo-api.mayhem4api.forallsecure.com/api/v3/" \ --interactive
...once the run completes, visit your dashboard to see the results!
What just happened?
Let's break that command down, to see what happened:
Use the CLI to run a fuzzing job.
ℹ️ Check out
mapi helpif you want to explore some other things the CLI can do!
Use (and create, if it doesn't already exist) a "target" named petstore for this run. We'll come back to targets in more detail later. For now, a short name that uniquely identifies the API being tested is perfect.
ℹ️ Targets are used to group related fuzzing jobs.
Runs the job until it is decided that enough endpoints have been exercised.
You can specify a specific time period here if you wish, such as
30sec to run
the job for 30 seconds. The longer the job is run, the more edge cases will be
See How long to run for more information.
Tells the fuzzer to base its testing on the OpenAPI 3 specification of the petstore demo API, which is hosted on our site for demo purposes.
Tells the fuzzer, which is running locally on your computer, to address its tests to the petstore demo API on our network.
Runs the fuzzing job with an interactive, terminal-based user interface. This option should be omitted in a continuous integration environment.
You will see the following UI in interactive mode:
The status UI contains a fair amount of information:
- A progress bar at the top, based on the duration of the job and elapsed time.
- The job logs. If the job doesn't start properly, or runs into trouble, this is where you should see information on how to resolve the issue.
- The status codes that the fuzzer observed per endpoint. This will help you determine if the fuzzer is covering the endpoints and status code you expected. For instance, if you see only 401 responses, then that means the fuzzer probably needs help with authentication. We cover this in more details in the “API Authentication chapter".
The UI has a few navigation keys that might be handy:
<Tab>to switch focus between widgets
<Space>to make the current widget full screen
- Arrow keys for horizontal and vertical scrolling
In your run you should see a number of red endpoints which means that at least one 500 response code is observed. That means we just found some bugs! You should also see a number of green endpoints. These mean that at least one 2xx response has been observed.
You're already off to a great start on your API fuzzing journey! Hopefully, you're thinking to yourself: "this is neat! I wonder how I can use it to test my own APIs?"... because that's the next topic!