Release Notes

Supported Versions

2.7.9

  • CLI - Added mapi job delete subcommand

2.7.8

  • CLI - Fixed generated SARIF when parsed stacktraces reference "line 0"
  • CLI - Added ability to filter fuzzed endpoints by their OpenAPI tags

2.7.7

  • CLI - Expanded response spec validation warnings
  • CLI - Fixed an issue with failing to stop a run against an unreachable API

2.7.6

  • CLI - Added experimental support for response classifying plugins, which can be used to implement arbitrary logic for identifying issues

2.7.3

  • CLI - If present, OpenAPI tags will be used to organize and group issues
  • CLI - Fixed an issue with authentication redaction in issue details

2.7.2

  • Invalid specification issues will now be reported with "warning" severity if API responses do not conform with the API specification.
  • SARIF/JUnit Report - Fixed an issue where an extra '/' prefix may appear in path display

2.7.1

  • CLI - Support suppressing issues - see Suppressing Issues for more details.
  • Checkers - Added support for Error-based NoSQL Injection for MongoDB

2.7.0

  • CLI - mapi will report warnings when responses are incompatible with the specification used to fuzz your target
  • CLI - Fixed some issues with C# stacktrace parsing
  • CLI/SARIF - It is now possible to report multiple issues for the same path, method and rule id. This is most effective when fuzzing a target that is running in debug mode and will respond with a stacktrace/traceback on error.
    • For example, a 500 Internal Server Error triggered on GET /foo by different inputs, each producing a different stacktrace, will be reported as two separate issues:
      • Issue 1: GET /foo?bar=1 -> Internal Server Error (NullPointerException)
      • Issue 2: GET /foo?bar=0 -> Internal Server Error (DivideByZeroException)

2.6.18

  • CLI - Save fuzzing run output to an HTTP Archive (.har file) with mapi run ... --har out.har

2.6.16

  • CLI - Added beta support for fuzzing with an HTTP Archive (.har file) for the specification.

    • mapi run will now accept a .har file for the specification argument
    • It is recommended to convert a .har to an OpenAPI specification with mapi convert har... to inspect the converted specification before running a job
  • CLI - Added mapi convert command. This runs automatically when calling mapi run with a document which supports conversion.

    The convert subcommand provides an opportunity to inspect the converted OpenAPI 3.0 document prior to fuzzing an API.

    • Convert HTTP Archive .har file to an OpenAPI spec with mapi convert har <recording.har>
    • Convert Swagger 2.0 json or yaml file to an OpenAPI spec with mapi convert swagger2 <spec.json|yaml>
    • Convert Postman 2.x collection json or yaml file to an OpenAPI spec with mapi convert postman <collection.json|yaml>
    • Run mapi convert --help for more details
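    As an added illustration of what the conversion step produces (this is not mapi's own converter), the snippet below builds a minimal OpenAPI 3.0 document from a constructed HAR recording. It shows why inspecting the result before fuzzing matters: an operation only receives a security requirement when an Authorization header was captured, so any endpoint recorded without it will look unauthenticated in the generated specification. The HAR content, host name and the `{id}` parameter naming are assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR recording (not a real capture): two GETs on the same
# resource with different ids, and a POST carrying an Authorization header.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example.test/users/42",
                 "headers": [{"name": "Accept", "value": "application/json"}]},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://api.example.test/users/7",
                 "headers": []},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://api.example.test/users",
                 "headers": [{"name": "Authorization", "value": "Bearer EXAMPLE-TOKEN"}]},
     "response": {"status": 201}},
]}})


def templatize(path):
    """Collapse numeric path segments into an {id} parameter so that
    /users/42 and /users/7 become one OpenAPI path, /users/{id}.
    Returns the template and the list of parameter names it introduced."""
    parts, params = [], []
    for seg in path.split("/"):
        if seg.isdigit():
            parts.append("{id}")
            params.append("id")
        else:
            parts.append(seg)
    return "/".join(parts), params


def har_to_openapi(har_text):
    """Build a minimal OpenAPI 3.0 document from HAR text. Each distinct
    (path template, method) pair becomes an operation; an Authorization
    header on the recorded request marks that operation as secured."""
    paths, secured = {}, False
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        tmpl, params = templatize(urlsplit(req["url"]).path)
        item = paths.setdefault(tmpl, {})
        if params and "parameters" not in item:
            item["parameters"] = [{"name": p, "in": "path", "required": True,
                                   "schema": {"type": "integer"}} for p in params]
        op = item.setdefault(req["method"].lower(), {"responses": {}})
        op["responses"][str(entry["response"]["status"])] = {"description": "recorded"}
        if any(h["name"].lower() == "authorization" for h in req["headers"]):
            op["security"] = [{"bearerAuth": []}]
            secured = True
    doc = {"openapi": "3.0.0", "info": {"title": "converted", "version": "0"}, "paths": paths}
    if secured:  # declare the scheme only when some operation references it
        doc["components"] = {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}}
    return doc
```

Diffing the `security` entries of the output against what your API actually enforces is the check worth doing before handing the document to mapi run.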

2.6.14

  • CLI - Issues from the most recent previous job will now be replayed at the end of a run. The intent of this change is to reduce issues fluctuating between jobs.
    • To opt-out of this behavior, pass the --no-replay flag to mapi run.

2.6.13

  • The CLI now handles specifications with missing path parameters. If a path parameter is not in the specification, Mayhem for API will now infer it automatically and fuzz it. Previously, the CLI would exit early with an error.

2.6.12

  • CLI - Resolved an issue where the CLI could panic when generating some invalid URLs during a fuzzing run
  • Fixed an issue where calling mapi run with a Windows path to the specification (C:\path\to\spec.yaml) would fail to read the specification

2.6.11

  • CLI - Resolved an issue that could cause duplicate reported issues in certain corner conditions
  • Issue replay now supports providing a modified OpenAPI/Swagger/Postman specification
  • MAPI_LOG environment variable will now correctly output trace and debug level logs

2.6.10

  • CLI: Support for issue replay. Replay issues using mapi issue replay <job_id>
    • Try mapi issue replay --help to see more details
    • Note that some issues depend on the state of your API and may not always reproduce

2.6.9

  • CLI: Show incomplete request counts in interactive job display
  • CLI: Add markdown display support to SARIF output
  • Header parameters listed in API specifications will now be fuzzed

2.6.7

  • New Issue: Server Crash
    • Server crashes are now detected and reported in Job Issues.
    • A server that can be forced to crash may be vulnerable to denial-of-service attacks.
  • CLI: mapi issue list prints a list of issues for a job

2.6.5

  • Fixed parsing of stacktraces generated on Windows hosts.

2.6.4

  • Authentication data is now redacted from buggy requests before being uploaded to our API. Note that in some cases, slightly mutated auth tokens might still be uploaded to our API (since they might be necessary to demonstrate authentication bypasses)
  • Add support for C# stacktraces with async code and nested exceptions

2.6.3

  • Legacy GitHub tokens (which are not prefixed with ghp_) are now accepted.

2.6.0

  • Enable new security checkers by default: Command injection, Blind command injection, Path traversals, SSRF (assumes CLI can be reached through localhost from the API)
  • Improve authentication bypass checker by differentiating between -H (for regular headers) and --header-auth (for authentication header).
  • Redirect loops will not terminate a run anymore
  • Improvements in the fuzzing engine to increase coverage

2.5.16

  • CLI: Ignore errors with the --ignore-error option to mapi run. Callers may ignore specific errors such as InternalServerError or AuthenticationBypass when including this flag.

2.5.13

  • CLI: Upload code scanning results to GitHub from anywhere by passing --github-token with a token to mapi run.
  • CLI: Upload code scanning results to your on-premise GitHub instance by passing --github-api-url to mapi run.
  • CLI: Auto-detect build information from the environment in Drone CI
  • CLI: Golang stacktrace parsing, in addition to the existing parsing for Ruby, JS, Python and Java.

2.5.10

  • CLI: Add SARIF support. mapi run now accepts a --sarif <output-file> option which outputs a SARIF file that you can upload to supported systems, such as GitHub if you have an enterprise plan.

2.5.7

  • The CLI now has beta support for Postman 2.x collections 🚀! You can pass your collection to mapi run instead of an OpenAPI specification.

2.5.6

  • CLI: mapi run can now automatically create a new API Target if the --url option is supplied.

2.5.5

  • Security: Added support for detecting authentication configuration issues. The fuzzer will now periodically remove or mangle any authentication parameters used for a job. Any endpoints that are specified with a security configuration will be marked as buggy if they can be accessed successfully with missing or altered authentication parameters.

2.5.4

  • Security: Added support for detecting SQL Injection errors. See the new documentation on configuring your API for tips on improving detection of SQL Injection problems.

  • CLI: Change the logging level of the mapi CLI with the MAPI_LOG environment variable. Supported values are trace, debug, info, warn and error. The default is info.

2.4.1

  • Renamed cohorts to organizations

2.3.28

  • Added experimental path traversal detection, enabled by setting the MAPI_FEATURE_PATH_TRAVERSAL environment variable.

2.3.19

  • Added support to CLI for resending email verification with mapi signup resend-verify <email-address>

2.3.18

  • Creating a new account when joining a Cohort now requires email verification
  • Added support to CLI for completing email verification with mapi signup verify

2.3.16

  • Improve parsing of URLs given through --url
  • Fix memory leak in type generation during fuzzing

2.3.15

  • Renamed the product to 'Mayhem for API' and the CLI to 'mapi'. Please re-download the CLI.

2.3.8

  • Parallel fuzzing is now available using -j when invoking mapi run (defaults to 1). This will allow you to potentially find concurrency issues, and load test your APIs.

2.3.7

  • Bug fix: better support for reference loops in specifications

2.3.5

  • mapi run will now generate a human-friendly html report when --html is given.

2.3.4

  • CLI prints warnings on unexpected properties in the specification instead of aborting.

2.3.3

  • API Targets will now include their owner when presented in the CLI or when referenced to start a new run.

    You may continue to refer to any existing API Targets without the owner; however, shared API Targets will require the owner to be specified.

2.3.2

  • Windows support: Our CLI can now run natively on 64-bit Windows.

2.3.0

  • Users can specify cookies for the fuzzer to authenticate to the target API.

2.2.4

  • EULA agreement

2.2.3

  • GitHub Cloud Integration support is now available. Please reach out to us at mayhem4api@forallsecure.com so that you can get connected with GitHub. Once you have been approved, you can connect with the CLI with the command:

    mapi github connect

  • Our GitHub app is also live. During Limited Availability it will not be accessible via the marketplace, but can be installed into your Personal or Organization account by following this link:

    https://github.com/apps/mayhem-for-api

2.2.2

  • Preparation for GitHub support. The CLI will attempt to gather CI details from GitHub Actions, Jenkins, or simply invocations of git to synchronize Job Status with GitHub checks. If details cannot be inferred from the environment, then they may be provided manually with new optional arguments passed to mapi run.
  • GitHub integration support will be fully supported once the Mayhem for API app is available in the GitHub marketplace.

2.2.1

  • CLI will auto-update across patch and minor versions

2.2.0

  • CLI supports API pagination for job and target API resources

2.1.10

  • Fix unresponsive arrow keys in interactive job status

2.1.9

  • JUnit output contains percentile response times per endpoint.
  • Fuzzer better uses examples in the API specification, which allows users to give a hint to the fuzzer when it cannot generate 200 responses on its own.
  • Fuzzer warns if the API closes a connection early before sending a full response. This will eventually be classified as a bug.

2.1.8

  • For accounts registered via GitHub, a New Token may now be requested when using mapi github connect --new-token.

2.1.7

  • Added interactive mode to mapi run with the new --interactive flag. This will now open the interactive UI that was previously only accessible with the mapi job status sub-command.
  • Job status UI now detects when a tty is not present. In instances where a tty is not present, the job log and coverage table will be printed to standard output.
  • All covered endpoints and statistics will now print to the console at the end of a run

2.1.6

  • Bug fixes for GitHub connect

2.1.5

  • Fuzzer will not consider HTTP response code 501 as an error
  • CLI will exit with return code 2 on fuzzer error
  • CLI will now automatically detect Swagger 2.0 specifications and attempt to convert them to OpenAPI 3.0 automatically with the help of the openapi-webconverter

2.1.4

  • CLI can now override API Target authentication parameters when calling mapi run

2.1.3

  • CLI support for handling upcoming pagination changes to job and target API resources

Breaking Changes

As Mayhem for API is continuously evolving, we make an effort to avoid breaking changes. Not breaking your workflow and CI builds is of utmost importance to us. We want it to just work, always.

There are times when security constraints or technical limitations require us to make a breaking change. We aim to make this as painless as possible, usually requiring no more than downloading a newer CLI. If breaking changes are required:

  • We will give you a heads up if we notice you are using a version that will become incompatible.
  • We aim to provide command-line arguments backwards compatibility, so that you can always use the latest release without having to change your invocation.
  • We give you tips on how to integrate the fuzzer into your builds so that you automatically use new releases.
  • When necessary, we will slowly deprecate features or workflows, giving you enough time to upgrade.

Unsupported Versions

2.1.2

  • CLI includes request and response in junit failures

2.1.1

  • CLI support for blacklisting endpoints when calling mapi run

2.1.0

  • CLI improved logging, feedback and error handling
  • Fixed cascade delete for API Targets