Mayhem Case Studies

Expert insights and tips on application security, API security, and other DevSecOps topics.

Fuzz test your API with Mayhem and Postman

In this post, we'll look at how we've enhanced our Postman integration. We now support API Key, Bearer Token, Basic Auth and OAuth 2.0.

Running Regression Testing and Confirming Fixes With Mayhem

When Mayhem generates test cases, it also saves them for future Mayhem runs of the same target. Later runs can replay those previously generated test cases to confirm whether the target application's behavior under fuzzing has changed, which is how fixes are verified and regressions caught. Learn more in this post.

Authenticating With Your API

Here's a way to authenticate Mayhem for API to the target and enable it to exercise more endpoints as well as maximize coverage.

Meet Our Mayhem Hero: Jacob Clemente

Open source software is mission critical, but its security is severely under-tested. As part of Phase 1, ForAllSecure has offered up to $2 million to meet these needs with its Mayhem Heroes program. Jacob is one of those heroes.

Reproducing Generated Test Case Crashes in Mayhem

The Mayhem UI gives further insight into how a crashed binary behaved on the particular test-case input that triggered the crash, so the crash can be reproduced and analyzed.

Fuzz Your Own API with Mayhem for API

You've seen what Mayhem for API can do in a demo. Now it's time to fuzz your own! To start testing an API, you only need to provide two things: a specification describing the API, and a URL where it can be reached.

The Hacker Mind Podcast: How To Get Paid To Hack

You could, of course, sell your skillz to the dark web. Or you could legitimately report what you find and get paid to do so. You might even travel the world. In this episode of The Hacker Mind, I return to Episode 7 with Tim Becker, Episode 9 with Stok, and Episode 22 with Jack Cable to get their perspective on leaving 1337 skillz while getting paid by various bug bounty programs.

How to Run Mayhem from a Docker Image

From the Mayhem UI, users can create, manage, and analyze Mayhem fuzzing runs on containerized applications (targets) that reside within Docker images uploaded to the public Docker Hub registry.

CVE-2022-35922: Network Applications with Some Mayhem

By running Mayhem, we uncovered an uncontrolled memory allocation (CWE-789) and reported it as CVE-2022-35922.
