{"id":15919633,"url":"https://github.com/TNO-S3/WuppieFuzz","last_synced_at":"2025-10-18T14:30:27.931Z","repository":{"id":248672076,"uuid":"827721685","full_name":"TNO-S3/WuppieFuzz","owner":"TNO-S3","description":"A coverage-guided REST API fuzzer developed on top of LibAFL","archived":false,"fork":false,"pushed_at":"2025-01-22T14:42:59.000Z","size":621,"stargazers_count":98,"open_issues_count":21,"forks_count":7,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-01-22T15:34:05.583Z","etag":null,"topics":["api-fuzzer","fuzzer","fuzzing","openapi","rest-api-test"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TNO-S3.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-12T08:30:51.000Z","updated_at":"2025-01-22T12:34:05.000Z","dependencies_parsed_at":"2024-09-17T09:38:51.291Z","dependency_job_id":"07b0f3c9-1d9f-4ee6-b09e-1add4e2e997f","html_url":"https://github.com/TNO-S3/WuppieFuzz","commit_stats":null,"previous_names":["tno-s3/wuppiefuzz"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TNO-S3%2FWuppieFuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TNO-S3%2FWuppieFuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TNO-S3%2FWuppieFuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TNO-S3%2FWuppieFuzz/manifests","owner_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/owners/TNO-S3","download_url":"https://codeload.github.com/TNO-S3/WuppieFuzz/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":236967540,"owners_count":19233688,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-fuzzer","fuzzer","fuzzing","openapi","rest-api-test"],"created_at":"2024-10-06T19:01:58.486Z","updated_at":"2025-10-18T14:30:27.918Z","avatar_url":"https://github.com/TNO-S3.png","language":"Rust","funding_links":[],"categories":["Rust","Tools"],"sub_categories":["API"],"readme":"# WuppieFuzz v1.3.0\n\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"assets/WuppieFuzz-dark.svg\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"assets/WuppieFuzz.svg\"\u003e\n  \u003cimg alt=\"Logo of WuppieFuzz.\" src=\"assets/WuppieFuzz.svg\" width=\"40%\" min-width=\"250px\" align=\"right\"\u003e\n\u003c/picture\u003e\n\nTNO developed WuppieFuzz, a coverage-guided REST API fuzzer developed on top of\nLibAFL, targeting a wide audience of end-users, with a strong focus on\nease-of-use, explainability of the discovered flaws and modularity. 
WuppieFuzz\nsupports all three settings of testing (black box, grey box and white box).\n\nWuppieFuzz was featured in\n[the ONE Conference e-magazine 2024](https://emagazine.one-conference.nl/2024/finally-validate-your-publicly-exposed-interfaces-with-ease/).\n\n\u003e [!NOTE]  \n\u003e For quick, follow-along guidance, please follow the [tutorial](./tutorial)!\n\n## Quick install\n\nFor quick installation of WuppieFuzz on popular operating systems (macOS,\nWindows, Linux), see [releases](https://github.com/TNO-S3/WuppieFuzz/releases/) or use [`brew install wuppiefuzz`](https://formulae.brew.sh/formula/wuppiefuzz).\n\n### Short how-to\n\n[![How to use WuppieFuzz? - YouTube](./assets/demo_video.png)](https://www.youtube.com/watch?v=-oR4d9aXrqo)\n\n## Prerequisites for development\n\nTo build the project you need to install the following dependencies and tooling:\n\n- build-essential `sudo apt install build-essential`\n- pkg-config `sudo apt install pkg-config`\n- Rust `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh`\n\n## Run\n\n\u003cpicture\u003e\n  \u003cimg alt=\"WuppieFuzz in action.\" src=\"assets/WuppieFuzz-action.jfif\" width=\"40%\" min-width=\"250px\" align=\"right\"\u003e\n\u003c/picture\u003e\n\nBefore running WuppieFuzz, you have to start your (instrumented) target\napplication.\n\nAdditionally, you must supply WuppieFuzz with an **OpenAPI-specification** so it\nknows how to generate and mutate its requests. For help on the command line\narguments, use the following:\n\n```sh\n$ cargo run -- --help # shows help for required parameters and flags\n\nUsage: wuppiefuzz [OPTIONS] [OPENAPI_SPEC.YAML]\n...\n```\n\nFor example, to run WuppieFuzz against a Java target with the JaCoCo agent\nattached, you specify its OpenAPI file (containing the URL the target is running\non in the API specification). 
In addition, you specify that the coverage format\nis JaCoCo, and give the classes directory as follows:\n\n```sh\ncargo run -- fuzz openapi.yaml --coverage-format jacoco --jacoco-class-dir ../Targets/app/target/classes/\n```\n\n## Configuration file\n\nIf you want to use a configuration file instead of/in combination with command\nline arguments, you can use the flag `--config \u003cCONFIG_FILE\u003e`. In case you use\ncommand line arguments in combination with a configuration file, command line\narguments take precedence.\n\nThe configuration file should be a YAML file and contain a line for each command\nline argument you want to specify, for example:\n\n```yaml\ncoverage_format: jacoco\noutput_format: human-readable\nsource_dir: \"/swagger-petstore/src/main/java\"\njacoco_class_dir: \"/swagger-petstore/target\"\ntimeout: 20\n```\n\nAn example run command could in this case be:\n\n```sh\n$ cargo run -- fuzz --config=config.yaml --report --coverage-host=localhost:6300 --timeout=10 ./openapi.yaml\n```\n\nThis line would combine the arguments from the command line and from the config\nfile. Since the flag `--timeout` is specified in both, the timeout specified in\nthe command line (10 seconds) will take precedence.\n\nIn the directory `example_configs/` you will find two example config files to\nuse for generating coverage reports with JaCoCo for Java code and for generating\ncoverage reports with LCOV for Python code.\n\n## Reports\n\nWhen you run WuppieFuzz with the `--report` flag, a subdirectory is made inside\n`reports/` with a timestamp as its name. All supported coverage report(s) are\nwritten into this subdirectory. There are two types of coverage reports:\n\n1. **endpoint coverage**: this can always be generated since it only requires\n   the OpenAPI-spec.\n2. **code coverage**: currently only supported for JaCoCo, but we aim to support\n   more. 
The tricky part is that this requires a mapping from coverage to source\n   files, and robust report generation that uses this.\n\nOn top of that, a database is filled with all request information related to your\nfuzzing campaign. This database can be visualised and explored through the\nGrafana dashboard.\n\n## Structure of this repository\n\n- **assets**: logos, images, etc.\n- **coverage_agents**: code and instructions for coverage tracking to slap onto\n  various targets\n- **example_configs**: example configuration files to configure WuppieFuzz\n- **src**: source code of WuppieFuzz\n- **tutorial**: an in-depth and low-level tutorial about how to fuzz a specific\n  target and how to interpret fuzzing results\n- **dashboard**: tooling to triage the fuzzing results and performance\n\nFor more information on each of these, see the READMEs in these directories.\n\n## Generating documentation\n\nRun `cargo doc --no-deps` to generate documentation from comments in the source\ncode. The main page of the documentation will be\n`target/doc/wuppiefuzz/index.html`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTNO-S3%2FWuppieFuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTNO-S3%2FWuppieFuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTNO-S3%2FWuppieFuzz/lists"}