Continuous REST API Testing With CI Fuzz

December 10 2021 | 2 min

CI Fuzz is a platform for automated security testing that aims to enable developers to ship secure software fast. The platform empowers development teams to automatically deploy continuous REST API security tests with each pull request. Since it enables the instrumentation of entire web service environments, CI Fuzz can create test inputs that are guided by code coverage. This enables it to uncover complex vulnerabilities and edge cases that other tools often overlook.

In the open-source project Jsoup, more than 19 bugs (CVE-2021-37714), including several DoS vulnerabilities, were fixed thanks to CI Fuzz. The finding enabled users to avoid downtime by updating to the latest version of Jsoup.

REST API Security as a SaaS Solution

With a strong focus on usability and automation, the CI Fuzz SaaS platform enables you to run the majority of security tests yourself. One of the platform’s main benefits is that it lets you integrate continuous security testing cycles early in the development process. The platform can be configured to test the codebase with each pull request, or even at each code change.

The Technology Behind CI Fuzz

The testing approach used by CI Fuzz is feedback-based fuzzing. Feedback-based fuzzing, also called coverage-guided fuzzing, is a dynamic testing method that uses information about the internal structure of a program to maximize the code coverage of test inputs. The fuzzer receives feedback about the structure and endpoints of your application, which it then uses to craft inputs that specifically target REST APIs.
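The feedback loop described above, reduced to a minimal sketch. This is an added example, not CI Fuzz code: `handle_request` is a constructed toy handler, `run_with_coverage` and `fuzz` are hypothetical names, and line coverage from `sys.settrace` stands in for real instrumentation.

```python
import random
import sys

def handle_request(body: bytes) -> int:
    """Constructed toy handler: the bug sits behind four nested byte checks."""
    if body[:1] == b"{":
        if body[1:2] == b'"':
            if body[2:3] == b"i":
                if body[3:4] == b"d":
                    return body[4]  # IndexError when the body ends after '{"id'
    return 0

def run_with_coverage(target, data):
    """Run target(data); return (set of executed line numbers, exception or None)."""
    lines = set()
    def tracer(frame, event, arg):
        if frame.f_code is not target.__code__:
            return None  # do not trace other functions
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        return lines, None
    except Exception as exc:  # any uncaught exception counts as a finding
        return lines, exc
    finally:
        sys.settrace(previous)

def fuzz(target, seed, max_iters=200_000, guided=True, rng_seed=1):
    """Return (crashing input, iterations used), or (None, max_iters)."""
    rng, corpus = random.Random(rng_seed), [seed]
    seen, _ = run_with_coverage(target, seed)
    for i in range(1, max_iters + 1):
        data = bytearray(rng.choice(corpus))
        data[rng.randrange(len(data))] = rng.randrange(256)  # one-byte mutation
        data = bytes(data)
        lines, crash = run_with_coverage(target, data)
        if crash is not None:
            return data, i
        if guided and not lines <= seen:  # new lines reached: keep this input
            seen |= lines
            corpus.append(data)
    return None, max_iters

if __name__ == "__main__":
    print(fuzz(handle_request, b"\x00" * 4))
```

With `guided=False` the corpus never grows, so every candidate differs from the seed by a single byte and the four-byte condition is never met; keeping inputs that reach new lines is what lets the fuzzer clear the checks one at a time.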

Bug Detectors Protect Against Unexpected Edge Cases

With CI Fuzz you can apply intelligent bug detectors and security checks to identify bugs and security vulnerabilities. These features enable you to identify problematic edge cases and vulnerabilities that are often missed by static testing solutions.

Minimal Manual Configuration Thanks to Autofuzz Mode

Since CI Fuzz is a cloud-based SaaS solution, it is readily available online. All you need to do is follow the instruction manual to instrument your API endpoints precisely and start your first fuzzing runs. With the new autofuzz mode, you will be able to automatically generate test harnesses. 

CI Fuzz Runs In Your Development Environment

CI Fuzz is compatible with essentially every IDE, build system, and CI/CD pipeline. Integrating CI Fuzz into your infrastructure will enable you to test your codebase continuously throughout the different stages of the software development life cycle.

Debug REST APIs With a Few Clicks

Since CI Fuzz uses a dynamic testing approach, it can provide stack traces that enable you to easily reconstruct crashes. After a bug is found, the CI Fuzz debugging feature takes you directly to the affected part of your REST API, where you can set up your IDE with a test case and start fixing the bug.

Triage Bugs With Automated Bug Reporting

CI Fuzz automatically ranks security issues by their severity and presents them in a dashboard. There, you can keep track of code coverage and bug findings, and generate reports to share with your team.

Maximize Code Coverage

CI Fuzz uses a white-box testing approach that automatically measures and improves code coverage. This allows testers to efficiently close in on problematic inputs that could cause web applications to crash or leak information.

Try Out CI Fuzz for Free

If you want to see the features mentioned above in action, you can check them out on the CI Fuzz demo app. There, you can explore several sample projects with real bug findings and coverage reports. You can even contact our team to test the platform yourself. The only requirement to access the platform is a working GitHub account.
