Mayhem Blog

Successful Coverage with Mayhem For API

Once authentication is configured, the next step is to ensure that Mayhem for API is able to successfully cover as much of your API as possible.
Fuzz test your API with Mayhem and Postman

In this post, we'll look at how we've enhanced our Postman integration. We now support API Key, Bearer Token, Basic Auth and OAuth 2.0.
Running Regression Testing and Confirming Fixes With Mayhem

When Mayhem generates test cases, it also saves those test cases for future Mayhem runs of the same target. This way, future Mayhem runs can utilize those previously generated test cases to confirm if the current fuzzing behavior of the target application has changed. Learn more in this post.
Authenticating With Your API

Here's a way to authenticate Mayhem for API to the target and enable it to exercise more endpoints as well as maximize coverage.
Reproducing Generated Test Case Crashes in Mayhem

The Mayhem UI will reveal further insight into the behavior of a crashed binary as a result of the particular input test case.
Fuzz Your Own API with Mayhem for API

You've seen what Mayhem for API can do in a demo. Now it's time to fuzz your own! To start testing an API, you only need to provide two things: a specification describing the API, and a URL where it can be reached.
How to Run Mayhem from a Docker Image

With the Mayhem UI, users can create, manage, and analyze their Mayhem fuzzing runs on containerized applications, or targets, residing within Docker images that have been uploaded to the public Docker Hub registry.
CVE-2022-35922: Network Applications with Some Mayhem

By running Mayhem, we uncovered an uncontrolled memory allocation (CWE-789) and reported it as CVE-2022-35922.
How to Get Started with Mayhem

Mayhem can analyze compiled binaries written in languages like C/C++, Go, Rust, Java, and Python that read from a file, standard input, or from the network via a TCP or UDP socket. Mayhem also handles user-land (containerized) Linux applications.
