WFC/WFD: Web Fuzzing Commons, Dataset and Guidelines to Support Experimentation in REST API Fuzzing

Fuzzing REST APIs is an important research problem, with practical applications and impact in industry. As such, a lot of research work has been carried out on this topic in the last few years. However, there are three major issues that hinder further progress: how to deal with API authentication; how to catalog and compare different fault types found by different fuzzers; and what to use as case study to facilitate fair comparisons among fuzzers. To address these important challenges, we present Web Fuzzing Commons (WFC) and Web Fuzzing Dataset (WFD). WFC is a set of open-source libraries and schema definitions to declaratively specify authentication info and catalog different types of faults that fuzzers can automatically detect. WFD is a collection of 36 open-source APIs with all necessary scaffolding to easily run experiments with fuzzers, supported by WFC. To show the usefulness of WFC/WFD, a set of experiments is carried out with EvoMaster, a state-of-the-art fuzzer for Web APIs. However, any fuzzer can benefit from WFC and WFD. We compare EvoMaster with other state-of-the-art tools such as ARAT-RL, EmRest, LLamaRestTest, RESTler, and Schemathesis. We discuss common pitfalls in tool comparisons, as well as providing guidelines with support of WFC/WFD to avoid them.