# RESTler

Repository: https://github.com/microsoft/restler-fuzzer (GitHub, owner `microsoft`, MIT license, primary language Python; 2716 stars, 314 forks, 290 open issues, last push 2025-04-10, record synced 2025-05-14). Listed under Application Security / Rest API Testing, sub-categories Fuzzing, API Fuzzing, API Testing, Dynamic Analysis.

## What is RESTler?

RESTler is the *first stateful REST API fuzzing tool* for automatically
testing cloud services through their REST APIs and finding security and
reliability bugs in these services. For a given cloud service
with an OpenAPI (formerly Swagger) specification, RESTler analyzes its entire specification,
and then generates and executes tests that exercise the service through its REST API.

RESTler intelligently infers producer-consumer dependencies among request types from the OpenAPI definition.
During testing, it checks for specific classes of bugs
and dynamically learns how the service behaves from prior service responses.
This intelligence allows RESTler to explore deeper service states
reachable only through specific request sequences and to find more bugs.

RESTler is described in these peer-reviewed research papers:

1. [RESTler: Stateful REST API Fuzzing](https://patricegodefroid.github.io/public_psfiles/icse2019.pdf) (ICSE'2019)
2. [Checking Security Properties of Cloud Service REST APIs](https://patricegodefroid.github.io/public_psfiles/icst2020.pdf) (ICST'2020)
3. [Differential Regression Testing for REST APIs](https://patricegodefroid.github.io/public_psfiles/issta2020.pdf) (ISSTA'2020)
4. [Intelligent REST API Data Fuzzing](https://patricegodefroid.github.io/public_psfiles/fse2020.pdf) (FSE'2020)

If you use RESTler in your research, please cite the (default) ICSE'2019 paper ([BibTeX](./docs/user-guide/icse2019.bib)).

RESTler includes multiple test generation strategies. To get a comprehensive comparative view with respect to (i) efficiency
(i.e., how quickly RESTler can find crashes) and (ii) effectiveness
(i.e., how many crashes RESTler can find in a given time frame),
we recommend comparing against all documented `fuzzing_mode(s)`,
because each one provides a different trade-off between breadth and depth of state space exploration.
We also recommend running `test` mode before any fuzzing, as described below,
to discover and fix setup issues (e.g. adding required prerequisite parameter values to the dictionary) prior to fuzzing.

RESTler was created at Microsoft Research and is still under active development.

For an overview and demo on how to get started, see [Webinar - Fuzzing to Improve the Security and Reliability of Cloud Services](https://www.youtube.com/watch?v=FYmiPoRwEbE).

![RESTler architecture](./docs/user-guide/RESTler-arch.png)

## Maintainer Away Notice

Hello Everyone,

I (the primary maintainer) am currently on leave and expect to return in August 2025. During this time, I won't be able to review pull requests or issues. If you are a Microsoft employee and need immediate assistance, please contact my manager.

Thank you for your understanding.

## Build Status

[![Build Status](https://dev.azure.com/ms/restler-fuzzer/_apis/build/status/restler-build-validation?branchName=main)](https://dev.azure.com/ms/restler-fuzzer/_build/latest?definitionId=422&branchName=main)

## Setting up RESTler

RESTler was designed to run on 64-bit machines with Windows or Linux. Experimental support for macOS is also enabled.

### **Build instructions**

#### Docker

In the root of this repo, run

```shell
docker build -t restler .
```

The resulting Docker image has RESTler installed in the directory `/RESTler/restler`, with the main binary `Restler`.

You can then use this image as a base image to which you add the application under test, so that fuzzing runs inside isolated Docker containers.

#### Local

Prerequisites: Install [Python 3.12.8](https://www.python.org/downloads/) and
[.NET 8.0](https://dotnet.microsoft.com/download/dotnet-core?utm_source=getdotnetcorecli&utm_medium=referral), for your appropriate OS.

Create a directory where you'd like to place the RESTler binaries:

```shell
mkdir restler_bin
```

Switch to the repo root directory and run the following Python script:

```shell
python ./build-restler.py --dest_dir <full path to restler_bin above>
```

Note: if you get NuGet error NU1403 when building, a quick workaround is to clear your cache with this command:

```shell
dotnet nuget locals all --clear
```

## Using RESTler

RESTler runs in 4 main modes (in order):

1. **Compile:** from an OpenAPI JSON or YAML definition (and optionally examples), generate a RESTler grammar. See [Compiling](./docs/user-guide/Compiling.md).
2. **Test:** quickly execute every endpoint+method in a compiled RESTler grammar, to debug the test setup and compute which parts of the OpenAPI definition are covered. This mode is also called a *smoketest*.
See [Testing](./docs/user-guide/Testing.md). To use custom test engine settings, see [Test Engine Settings](./docs/user-guide/SettingsFile.md).
3. **Fuzz-lean:** execute every endpoint+method in a compiled RESTler grammar once, with a default set of checkers, to see whether bugs can be found quickly. See [Fuzzing](./docs/user-guide/Fuzzing.md).
4. **Fuzz:** bug hunting - explore a RESTler fuzzing grammar in smart breadth-first-search mode (a deeper search) to find more bugs.
**Warning:** this type of fuzzing is more aggressive and may cause outages in the service under test if the service is poorly implemented (e.g., fuzzing might create resource leaks, performance degradation, backend corruption, etc.).
See [Fuzzing](./docs/user-guide/Fuzzing.md).

## Quick Start

For a quick intro with simple examples, see this [Tutorial](./docs/user-guide/TutorialDemoServer.md).

To quickly try RESTler on your API, see [Quick Start](./docs/user-guide/QuickStart.md).

## Bugs found by RESTler

There are currently two categories of bugs found by RESTler.

- **Error code**: currently, any time a response with status code `500` ("Internal Server Error") is received, a bug is reported.
- **Checkers**: each checker tries to trigger specific bugs by executing targeted additional requests or sequences of requests at certain points during fuzzing, determined by context. Some checkers try to find additional 500s, while others try to find specific logic bugs such as resource leaks or hierarchy violations. For a full description of checkers, see [Checkers](./docs/user-guide/Checkers.md).

When a bug is found, RESTler triages it into a bug bucket and provides a replay log that can be used to reproduce it (see [Replay](./docs/user-guide/Replay.md)).
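The pipeline described above (infer producer-consumer dependencies from the OpenAPI definition, grow request sequences breadth-first, treat every `500` as a bug, bucket it and keep a replay log) condensed into a runnable toy. This is an added example written for this page, not RESTler's own code: the OpenAPI fragment, the in-process `FakeService` with its deliberately planted GET-after-DELETE bug, the bucket key `(status, triggering request)`, the "shortest sequence wins" rule and the `-> METHOD PATH  <- STATUS` replay-line format are all assumptions made for illustration and do not describe RESTler's actual file formats.

```python
"""Toy stateful REST fuzzer in the spirit of the RESTler workflow above.

Added example, not RESTler code. Everything here (the OpenAPI fragment, the
FakeService and its bug, the bucket key, the replay-line format) is assumed.
"""
import re

# Constructed OpenAPI 3 fragment: createPost's 201 body carries postId, and
# the two requests under /posts/{postId} consume it through the path.
SPEC = {
    "/posts": {
        "post": {
            "operationId": "createPost",
            "responses": {"201": {"content": {"application/json": {"schema": {
                "type": "object", "properties": {"postId": {"type": "string"}}}}}}},
        },
    },
    "/posts/{postId}": {
        "get": {"operationId": "getPost"},
        "delete": {"operationId": "deletePost"},
    },
}

PATH_PARAM = re.compile(r"\{(\w+)\}")


def requests_from_spec(spec):
    """Flatten paths x methods into request types with consumed/produced names."""
    reqs = []
    for path, methods in spec.items():
        for method, op in methods.items():
            produced = set()
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    produced |= set(media.get("schema", {}).get("properties", {}))
            reqs.append({"id": op["operationId"], "method": method.upper(), "path": path,
                         "consumes": set(PATH_PARAM.findall(path)), "produces": produced})
    return reqs


def infer_producers(reqs):
    """Producer-consumer inference: a path parameter is satisfied by a request
    whose response schema has a property of the same name."""
    return {name: r["id"] for r in reqs for name in r["produces"]}


def generate_sequences(reqs, max_len):
    """Breadth-first search: each sequence of length n is extended by every
    request whose consumed names an earlier request in it produces."""
    by_id = {r["id"]: r for r in reqs}
    producers = infer_producers(reqs)
    level, out = [()], []
    for _ in range(max_len):
        nxt = []
        for seq in level:
            available = {n for op_id in seq for n in by_id[op_id]["produces"]}
            for r in reqs:
                if all(n in producers and n in available for n in r["consumes"]):
                    nxt.append(seq + (r["id"],))
        out.extend(nxt)
        level = nxt
    return out


class FakeService:
    """In-process stand-in for the service under test (constructed). Planted
    bug: GET of a deleted post dereferences the missing record (KeyError)."""

    def __init__(self):
        self.posts, self.deleted, self.counter = {}, set(), 0

    def handle(self, method, path):
        if method == "POST" and path == "/posts":
            self.counter += 1
            pid = f"p{self.counter}"
            self.posts[pid] = {"postId": pid, "title": "draft"}
            return 201, self.posts[pid]
        m = re.fullmatch(r"/posts/(\w+)", path)
        if not m:
            return 404, {}
        pid = m.group(1)
        if method == "DELETE":
            if pid not in self.posts:
                return 404, {}
            self.deleted.add(pid)
            del self.posts[pid]
            return 204, {}
        if method == "GET":
            if pid in self.deleted:
                return 200, self.posts[pid]   # the bug: raises KeyError -> 500
            return (200, self.posts[pid]) if pid in self.posts else (404, {})
        return 405, {}


def run_sequence(seq, by_id):
    """Execute one sequence against a fresh FakeService, threading produced
    values into later paths; replay lines record what was sent and returned."""
    svc, dynamic, statuses, replay = FakeService(), {}, [], []
    for op_id in seq:
        r = by_id[op_id]
        path = PATH_PARAM.sub(lambda m: dynamic[m.group(1)], r["path"])
        try:
            status, body = svc.handle(r["method"], path)
        except Exception:                       # unhandled server error -> 500
            status, body = 500, {}
        statuses.append(status)
        replay.append(f"-> {r['method']} {path}  <- {status}")
        dynamic.update({k: v for k, v in body.items() if k in r["produces"]})
        if status == 500:
            break
    return statuses, replay


def fuzz(spec, max_len=3):
    """Report every 500 as a bug, bucketed by (status, triggering request),
    keeping the shortest sequence and its replay log per bucket."""
    reqs = requests_from_spec(spec)
    by_id = {r["id"]: r for r in reqs}
    buckets = {}
    for seq in generate_sequences(reqs, max_len):
        statuses, replay = run_sequence(seq, by_id)
        if 500 in statuses:
            key = (500, seq[len(statuses) - 1])
            if key not in buckets or len(statuses) < len(buckets[key]["sequence"]):
                buckets[key] = {"sequence": seq[:len(statuses)], "replay": replay}
    return buckets


if __name__ == "__main__":
    for key, bug in fuzz(SPEC).items():
        print(key, bug["sequence"])
        print("\n".join(bug["replay"]))
```

Two points worth noticing when running it: with `max_len=2` nothing is reported, because the planted bug is only reachable through the three-request sequence createPost, deletePost, getPost, which is exactly the "deeper service states reachable only through specific request sequences" the README refers to; and a fresh `FakeService` per sequence is a simplification for determinism, whereas a real target keeps state across sequences and the resources a fuzzer creates have to be cleaned up.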
## Advanced Topics

For tips on using RESTler effectively, please see [Best Practices](./docs/user-guide/BestPractices.md) and [Improving API Coverage](./docs/user-guide/ImprovingCoverage.md).

See also these [Frequently Asked Questions](./docs/user-guide/FAQ.md).

If you're interested in using RESTler at scale as part of your CI/CD pipeline, check out
the [REST API Fuzz Testing self-hosted service](https://github.com/microsoft/rest-api-fuzz-testing).

## Questions

If you have a request/suggestion/question, please file an issue.
See [Contributing.md](./docs/contributor-guide/Contributing.md) for instructions.

## Contributing

This project welcomes contributions and suggestions. Most contributions require you to
agree to a Contributor License Agreement (CLA) declaring that you have the right to,
and actually do, grant us the rights to use your contribution. For details, visit
https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need
to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the
instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

For more information, see [Contributing.md](./docs/contributor-guide/Contributing.md).

## Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.

## Data collection

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.

For more information, see [Telemetry.md](./docs/user-guide/Telemetry.md).

## Reporting Security Issues

Security issues and bugs should be reported privately, via email, to the
Microsoft Security Response Center (MSRC) at
[secure@microsoft.com](mailto:secure@microsoft.com). You should receive a
response within 24 hours. If for some reason you do not, please follow up via
email to ensure we received your original message. Further information,
including the [MSRC PGP](https://technet.microsoft.com/en-us/security/dn606155)
key, can be found in the [Security TechCenter](https://technet.microsoft.com/en-us/security/default).

For additional details, see [Security.md](SECURITY.md).

# Privacy & Cookies

https://go.microsoft.com/fwlink/?LinkId=521839