Hackers of India

Fuzzapi

 Abhijeth Dugginapeddi   Lalith Rallabhandi   Srinivas Rao 

2017/07/29


Presentation Material

Abstract

Fuzzapi is a REST API pen testing tool that automatically runs a set of vulnerability checks against your APIs. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications. After seeing the benefits of automating REST API pen testing with a basic Fuzzapi tool, the authors decided to build a better version that can automatically look for vulnerabilities in APIs from the time they are written. REST APIs are often one of the main sources of vulnerabilities in web and mobile applications. Developers quite commonly make mistakes in defining permissions on cross-platform APIs, which gives attackers a chance to abuse these APIs. Fuzzapi is a tool written in Ruby on Rails that helps to quickly identify such commonly found vulnerabilities in APIs, so that developers can fix them earlier in the SDLC. The first released version of the tool has only limited functionality; however, the authors are currently working on the next version, which will completely automate the process and save a lot of time and resources.