Fuzz Testing Web APIs

Overview

This topic describes how to fuzz a web API with beSTORM, either by building a Web Application Module from the API's OpenAPI descriptor or by importing a prebuilt custom module.

Using a Web Application Module

To fuzz a web API by building a Web Application Module from its OpenAPI descriptor, do the following:

  1. Open beSTORM Client.

  2. Select New Project. The beSTORM New Project Wizard opens.

  3. On the Welcome page, do the following:

    1. In the Project Name box, enter a name.

    2. Optionally, select a different file location for your project in the Location Name box.

    3. Set Please select the wizard to Advanced.

    4. Leave Perform a port scan, and service detection and assist me in choosing the relevant module unchecked.

  4. Select Next.

  5. On the Basic Configuration page, select Build a Web Application Module and then select Learn.

  6. In the API Auto Learn dialog, under File, select OpenAPI and then select Browse.

  7. Select the OpenAPI .json descriptor file for your web API, and then select Open.

  8. Select Process.

  9. The Web API Data table lists the API paths found in the descriptor that are available to fuzz. Select the individual paths to include in your test session, or select All.

  10. Select Generate.

  11. Select Next.

  12. On the Advanced Configuration page, adjust the parameters as needed. You can further modify these parameters later by customizing the generated module.

  13. Select Next.

  14. On the Module Environment page, review your parameter settings for the module.

  15. Select Next.

  16. On the Extra Configuration page, adjust these parameters as needed.

  17. Select Next.

  18. On the Complete beSTORM wizard page, select Finish to begin fuzzing.
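The wizard's API Auto Learn step (steps 6 to 9) reads an OpenAPI descriptor and turns its paths into the fuzzable targets shown in the Web API Data table. The following is an added example, not code from beSTORM or from this page, that walks a constructed OpenAPI 3.0 descriptor and enumerates what a fuzzer gets from it: each operation, every parameter that applies to it, the inline JSON body fields, and whether the method can change server state. It is an approximation of what the Auto Learn does, written to help you check a descriptor before importing it; the descriptor, the server URL and the function names are all assumptions. Run it on your own .json file to see which paths will appear and which of them are mutating (POST, PUT, PATCH, DELETE), since those should only be selected against a disposable test instance of the API.

```python
import json

# Constructed OpenAPI 3.0 descriptor used as sample input (not a real service).
SAMPLE_OPENAPI_JSON = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Example API", "version": "1.0"},
    "servers": [{"url": "http://127.0.0.1:8080/api"}],
    "paths": {
        "/users/{id}": {
            # Path-level parameters apply to every operation under this path.
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"summary": "Fetch a user"},
            "delete": {"summary": "Delete a user"},
        },
        "/users": {
            "get": {"parameters": [
                {"name": "q", "in": "query", "schema": {"type": "string"}},
                {"name": "X-Request-Id", "in": "header", "schema": {"type": "string"}},
            ]},
            "post": {
                "summary": "Create a user",
                "requestBody": {"required": True, "content": {"application/json": {
                    "schema": {"type": "object", "properties": {
                        "name": {"type": "string"},
                        "age": {"type": "integer"},
                    }}}}},
            },
        },
    },
})

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # methods that must not change state


def list_operations(spec_text):
    """Return one record per HTTP operation in an OpenAPI 3.x JSON document.

    Each record carries the method, the path template, every parameter that
    applies (path-level parameters merged with operation-level ones), the JSON
    body fields declared inline, and whether the method can change state.
    Schemas referenced through $ref are not resolved in this example.
    """
    spec = json.loads(spec_text)
    if not str(spec.get("openapi", "")).startswith("3."):
        raise ValueError("expected an OpenAPI 3.x document with an 'openapi' key")
    operations = []
    for path, item in spec.get("paths", {}).items():
        path_params = item.get("parameters", [])
        for method in HTTP_METHODS:
            if method not in item:
                continue
            op = item[method]
            params = path_params + op.get("parameters", [])
            body_fields = []
            for media in op.get("requestBody", {}).get("content", {}).values():
                body_fields.extend(sorted(media.get("schema", {}).get("properties", {})))
            operations.append({
                "method": method.upper(),
                "path": path,
                "params": [(p["name"], p["in"], p.get("schema", {}).get("type"))
                           for p in params],
                "body_fields": body_fields,
                "mutating": method.upper() not in SAFE_METHODS,
            })
    return operations


def injection_points(operations):
    """Flatten operations into (method, path, location, name) tuples, one per
    value a fuzzer can mutate: path, query and header parameters plus body fields."""
    points = []
    for op in operations:
        for name, location, _ in op["params"]:
            points.append((op["method"], op["path"], location, name))
        for field in op["body_fields"]:
            points.append((op["method"], op["path"], "body", field))
    return points


def select_paths(operations, wanted_paths):
    """Keep only operations whose path was chosen (the per-path selection in the
    Web API Data table); pass None to keep all of them."""
    if wanted_paths is None:
        return list(operations)
    return [op for op in operations if op["path"] in wanted_paths]


def base_url(spec_text):
    """First server URL in the descriptor, i.e. where the fuzzed requests go."""
    servers = json.loads(spec_text).get("servers") or [{"url": "/"}]
    return servers[0]["url"]


if __name__ == "__main__":
    ops = list_operations(SAMPLE_OPENAPI_JSON)
    print("target:", base_url(SAMPLE_OPENAPI_JSON))
    for op in ops:
        print(op["method"], op["path"], op["params"], op["body_fields"],
              "(mutating)" if op["mutating"] else "")
    for point in injection_points(ops):
        print("fuzz point:", point)
```

Two things the listing makes visible that the wizard table does not: path-level parameters are inherited by every method under that path, so a single `id` declaration yields one injection point per operation, and a descriptor whose `servers` entry points at a shared or production host will send every fuzz case there unless you change the target in the module's parameters.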

Using a custom module

To fuzz a web API with a prebuilt custom module (a .bsm file), do the following:

  1. Open beSTORM Client.

  2. Select New Project. The beSTORM New Project Wizard opens.

  3. On the Welcome page, do the following:

    1. In the Project Name box, enter a name.

    2. Optionally, select a different file location for your project in the Location Name box.

    3. Set Please select the wizard to Advanced.

    4. Leave Perform a port scan, and service detection and assist me in choosing the relevant module unchecked.

  4. Select Next.

  5. On the Basic Configuration page, select Import a Custom Module from a BSM File and then select Import.

  6. Select your prebuilt custom module, and then select Open.

  7. Select Next.

  8. On the Advanced Configuration page, adjust the parameters as needed. You can further modify these parameters later by customizing the imported module.

  9. Select Next.

  10. On the Module Environment page, review your parameter settings for the module.

  11. Select Next.

  12. On the Extra Configuration page, adjust these parameters as needed.

  13. Select Next.

  14. On the Complete beSTORM wizard page, select Finish to begin fuzzing.