Mayhem for API supports a number of ways to authenticate to the target API. Giving the fuzzer a way to authenticate will let it exercise more endpoints and maximize coverage. Use credentials for a dedicated test account against a non-production instance: the fuzzer will call every endpoint it can reach with them, including ones that change or delete data.
Basic authentication is a simple technique for enforcing access control to web resources, and is supported by most web servers. You can specify basic authentication credentials when you fuzz your target with mapi run, either via a command line option or an environment variable.

mapi run --basic-auth "username:password" <api-name> <duration> ./openapi.json

export MAPI_BASIC_AUTH="username:password"
mapi run <api-name> <duration> ./openapi.json
Note that basic authentication does not protect the username and password by itself. They are base64-encoded in transit, not encrypted or hashed, so anyone who can observe the request can recover them. Basic authentication should be used in conjunction with HTTPS to protect the credentials, or on a trusted network. Also note that credentials given on the command line are visible in shell history and in process listings (ps) on the fuzzing host; the environment variable form keeps them out of the command line, although they remain readable from the process environment by the same user.
Bearer authentication (also called token authentication) is an HTTP authentication scheme that uses security tokens called bearer tokens. The client must send this token in the Authorization header when making requests to protected resources:

mapi run --header-auth 'Authorization: Bearer <token>' <api-name> <duration> ./openapi.json
This method can also be used for any header-based authentication, for instance:
mapi run --header-auth 'X-Custom: auth <token>' <api-name> <duration> ./openapi.json
You can also use an environment variable to pass your token:

export MAPI_HEADER_AUTH="Authorization: Bearer <token>"
mapi run <api-name> <duration> ./openapi.json
Note that the Authorization header does not protect the token by itself. The token is sent to the server as-is, neither encrypted nor hashed, and as the name says, a bearer token grants access to whoever holds it. As with basic authentication, this method should be used in conjunction with HTTPS to protect the credentials, or on a trusted network. Prefer a short-lived token issued for the fuzzing run, and revoke it when the run is over.
Note that if you would like to specify additional headers that do not include credentials, we recommend using -H instead of --header-auth. Mayhem for API treats --header-auth differently when looking for
Cookie authentication uses HTTP cookies to authenticate client requests and maintain session information. Cookies are generally returned by the server after a successful login, and sent by the client in subsequent requests. You can specify cookies when you fuzz your target with mapi run, either via a command line option or an environment variable.

mapi run --cookie-auth "PHPSESSID=abe67cd" <api-name> <duration> ./openapi.json

export MAPI_COOKIE_AUTH="PHPSESSID=abe67cd"
mapi run <api-name> <duration> ./openapi.json
Note that cookies are sent to the server as-is, neither encrypted nor hashed. As with basic and header authentication, this method should be used in conjunction with HTTPS to protect the session cookie, or on a trusted network.
We are planning on adding more authentication methods soon, and we'd love to hear from you about what you'd like to see.
If the credentials you passed to the fuzzer can be invalidated through a logout endpoint, consider blacklisting that endpoint with the --ignore-endpoint option of mapi run, something like this:

mapi run [...] --ignore-endpoint "/api/logout"

Otherwise the fuzzer will eventually call it, and every request after that point will be rejected as unauthenticated, silently reducing coverage for the rest of the run. The same applies to any other endpoint that revokes or rotates the credential, such as password change, token revocation or account deletion.
For more details on this and other mechanisms for choosing which endpoints to fuzz, see Selective Route Testing.
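The following is an added example, not code from the Mayhem for API documentation or product. It stands up a small mock target on localhost that accepts the three credential forms described above (Basic, Bearer and cookie), shows that Basic credentials are merely base64 and are decoded server-side, and includes a /api/logout route that invalidates the session. simulate_fuzz walks a list of routes with fixed credentials the way the fuzzer does, with an ignore list playing the role of --ignore-endpoint, so you can see coverage collapse to 401s once logout is hit and recover when it is skipped. All credentials, routes and port handling are constructed for the demo; the real values go in the MAPI_* variables.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed demo credentials (assumption: not a real target's values).
BASIC_USER, BASIC_PASS = "username", "password"
BEARER_TOKEN = "tok-123"
SESSION_COOKIE = "PHPSESSID=abe67cd"


class MockApi(BaseHTTPRequestHandler):
    """Mock target: one credential store shared by all requests, so a logout
    handled by one request invalidates the session for every later one."""

    live_sessions = {SESSION_COOKIE, BEARER_TOKEN}

    def _authenticated(self):
        scheme, _, param = self.headers.get("Authorization", "").partition(" ")
        if scheme.lower() == "basic":
            # Basic is only base64: the server (or anyone on the wire) just decodes it.
            try:
                user, _, pw = base64.b64decode(param, validate=True).decode().partition(":")
            except Exception:
                return False
            return (user, pw) == (BASIC_USER, BASIC_PASS)
        if scheme.lower() == "bearer":
            return param in self.live_sessions
        # Fall back to cookie-based session authentication.
        return self.headers.get("Cookie", "") in self.live_sessions

    def do_GET(self):
        if not self._authenticated():
            self.send_response(401)
            self.end_headers()
            return
        if self.path == "/api/logout":
            # Revokes every session credential the fuzzer was started with.
            self.live_sessions.clear()
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def basic_header(user, pw):
    """Build the Authorization header that --basic-auth results in on the wire."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}


def _status(port, path, headers):
    try:
        return urlopen(Request(f"http://127.0.0.1:{port}{path}", headers=headers)).status
    except HTTPError as err:
        return err.code


def simulate_fuzz(paths, headers, ignore=()):
    """Request each path in order with fixed credentials, skipping anything in
    `ignore` (the --ignore-endpoint equivalent). Returns {path: status}."""
    MockApi.live_sessions = {SESSION_COOKIE, BEARER_TOKEN}  # fresh sessions per run
    server = HTTPServer(("127.0.0.1", 0), MockApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {p: _status(server.server_port, p, headers) for p in paths if p not in ignore}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    routes = ["/api/items", "/api/logout", "/api/orders"]
    print("cookie, logout fuzzed :", simulate_fuzz(routes, {"Cookie": SESSION_COOKIE}))
    print("cookie, logout ignored:", simulate_fuzz(routes, {"Cookie": SESSION_COOKIE}, ignore=("/api/logout",)))
    print("basic auth            :", simulate_fuzz(routes, basic_header(BASIC_USER, BASIC_PASS)))
```

Running it shows /api/orders answering 401 in the first run because the fuzzer reached /api/logout first, and 200 once the endpoint is ignored. Basic credentials are unaffected by the logout route in this mock, which is the same reason a password-change endpoint would need the same treatment when fuzzing with --basic-auth.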
Note that Mayhem for API does not currently handle CSRF tokens. These are extremely common as protection against CSRF attacks when using cookie authentication, but are often disabled when using API tokens. In practice this means that, with cookie authentication, state-changing endpoints protected by a CSRF token will reject the fuzzer's requests and get less coverage; where the API offers token-based authentication for the same account, fuzzing with --header-auth avoids the problem. If this is something you'd like us to support better, shoot us an email at email@example.com