Fuzz Your Own API

It’s safe to say that APIs are now a critical part of modern application architectures today. In the age of SaaS applications and infrastructure, many architectures are designed around being API-first for managing data ingestion and retrieval. Unfortunately, with this ever increasing critical infrastructure most application testing solutions are not up to the challenge of testing APIs. With no GUI available, many solutions struggle to provide input values to properly test APIs and have difficulty making sense of responses and reusing the data to test further into the application logic. 

We designed Mayhem for API from the ground up to overcome challenges faced by legacy testing tools.

Start Fuzzing your APIs for Free!

Probe your REST API with an infinite stream of test cases generated automatically from your OpenAPI specification or Postman collection.

Free Plan Learn More

To start testing an API, you only need to provide two things: a specification describing the API, and a URL where it can be reached. You'll be running something like:

mapi run my-api 30 <specification> --url <url>

API Specification

ℹ️ Specifications can be passed to mapi as either local files or URLs.

Mayhem for API is built around OpenAPI 3.0 specifications. If you have an OpenAPI spec describing your API, you're all set. Pass either a URL or file system path directly to mapi as the <specification> argument!

If you don't have an OpenAPI spec, we support a few alternatives, described below.

OpenAPI 2.x (aka "Swagger")

mapi run will automatically detect and work with older OpenAPI/Swagger specs.

Alternatively, you can do a one-time conversion into OpenAPI 3.x by running your old spec through the mapi convert swagger2 command (see mapi help convert swagger2 for details.)

Postman

mapi run will also automatically detect if it's given a Postman 2.x collection in place of an OpenAPI spec, and work with that.

Alternatively, you can do a one-time conversion from Postman into an OpenAPI 3.x spec by running the collection through the mapi convert postman command (see mapi help convert postman for details.)

HAR

If you don't have any of the above, you'll need to do a little bit more work to generate a spec for Mayhem for API to use. The process is documented in detail over here.

API URL

Mayhem for API needs to know the URL of your API server. Because the requests come directly from the mapi CLI tool running locally on your computer, this will work for APIs that are:

• Behind a corporate firewall
• On localhost
• In a private network
• On the public internet

If the machine running the CLI can access the API - then we can fuzz it!

Proximity and Latency

Although it'll work in just about any configuration, Mayhem for API works better the "closer" it is (in network terms) to the API server. For the best results, this means pointing the fuzzer at a locally-running instance of your server.

Never, Ever, Use Your Own Production Services!

Mayhem for API has one job: finding ways to break an API! You should absolutely not give Mayhem for API the URL of your production services to test against.

All right, hopefully, you've got Mayhem for API configured to test your API, congrats! If you want to check out some additional API fuzzing resources, check out our blogs Testing Postman APIs with Fuzzing and Mayhem for API ❤️ GitHub Code Scanning: Seamless DevSecOps for your REST APIs.