Mayhem for API

 3 years ago
source link: https://www.producthunt.com/posts/mayhem-for-api
Automated REST API Testing to find bugs in minutes
Mayhem for API finds bugs and security vulnerabilities in your REST APIs and gRPC services, all automatically. Designed to be added to your pipelines, Mayhem for API is like having an extra security engineer reviewing all your PRs!
ForAllSecure Cofounder.

Hi! Co-founder here. Over the past year we’ve been developing a new fuzzer for web JSON APIs. Today, we're launching a free plan with up to 50 free scans per month so that solo devs and small teams, which don't often have a ton of budget, can test their APIs.

To give a bit of background, a fuzzer generates random inputs and sends them to the application being tested. The fuzzer monitors the application to detect crashes. Fuzzing has been super helpful at finding bugs and security vulnerabilities, especially in memory-unsafe code. libFuzzer and syzkaller are two projects that are good examples of what fuzzing can do.

We've been applying some of those fuzzing concepts to web APIs. We start from a specification (OpenAPI, Swagger, Postman, or even a HAR file) as a loose grammar to generate an infinite stream of requests that we send to the API being tested. The fuzzer uses API responses to generate better requests, and to detect bugs and security vulnerabilities. This is a DAST, for those familiar with that terminology. Mayhem for API has been really good at finding internal server errors and API crashes. And we've been adding more and more security checks (SQL injection, command injection, auth bypass, SSRF, path traversal).

We’ve been developing the fuzzer from scratch using Rust. Our experience with Rust has been phenomenal, and we can't recommend it enough. Rust has enabled us to move quickly & fearlessly. It makes it a lot easier to build fault-tolerant systems compared to previous systems I've built in dynamic languages, thanks to the strong typing & explicit errors in return types. Happy to chat about using Rust if you have any questions!

Our product is still pretty early, and we're actively working on making it better. Our goal is to help automate some of the API non-functional and security testing as part of CI, since we know it's hard for testing to keep up with the speed of development. I would love to hear what y'all think, and if this fuzzer could help you in any way!
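As an added illustration of the loop the comment describes (a spec used as a loose grammar, responses fed back to guide later requests, internal server errors flagged as findings), the following Python sketch is not ForAllSecure's code or Mayhem's implementation. The body schema, the in-process stand-in for the API under test and the two bugs planted in it are assumptions constructed for the example.

```python
import json
import random
# Constructed OpenAPI-style body schema for POST /users (an assumption, not a real spec).
BODY_SCHEMA = {"type": "object", "properties": {
    "name": {"type": "string"}, "age": {"type": "integer"},
    "tags": {"type": "array", "items": {"type": "string"}}}}

def gen(schema, rng):
    # Generate a value for a schema node; 10% of the time deliberately violate it (wrong type, empty data).
    if rng.random() < 0.1:
        return rng.choice([None, "", 0, -1, [], {}])
    t = schema.get("type")
    if t == "object":
        return {k: gen(v, rng) for k, v in schema["properties"].items() if rng.random() < 0.9}
    if t == "array":
        return [gen(schema["items"], rng) for _ in range(rng.randint(0, 3))]
    if t == "integer":
        return rng.choice([0, 1, -1, 2**31, rng.randint(-1000, 1000)])
    return rng.choice(["alice", "", "\u00e9" * 5, "x" * rng.randint(0, 500)])

def toy_api(body):
    # Constructed stand-in for the service under test; returns (status, text) like an HTTP handler would.
    try:
        if not isinstance(body, dict) or "name" not in body or "age" not in body:
            return 400, "body must be an object with name and age"
        if not isinstance(body["age"], int):
            return 400, "age must be an integer"
        nick = body["name"][:8].upper()   # planted bug: name is never type-checked
        quota = 100 // body["age"]        # planted bug: age == 0 passes validation
        return 201, json.dumps({"nick": nick, "quota": quota})
    except Exception as e:                # an unhandled exception surfaces as an internal server error
        return 500, f"{type(e).__name__}: {e}"

def fuzz(schema=BODY_SCHEMA, iterations=500, seed=1):
    # Response feedback: the first request reaching each (status, error class) pair becomes a seed,
    # and half of all later requests are single-field mutations of a seed instead of fresh generations.
    rng, seeds, findings = random.Random(seed), {}, {}
    for _ in range(iterations):
        if seeds and rng.random() < 0.5:
            body = json.loads(json.dumps(rng.choice(list(seeds.values()))))  # copy a seed
            if isinstance(body, dict) and body:
                k = rng.choice(list(body))
                body[k] = gen(schema["properties"].get(k, {}), rng)
        else:
            body = gen(schema, rng)
        status, text = toy_api(body)
        key = (status, text.split(":")[0])
        seeds.setdefault(key, body)
        if status >= 500:
            findings.setdefault(key[1], body)  # keep one reproducer per crash class
    return findings
```

`fuzz()` returns a dict mapping each server-error class to the request that first triggered it; in a real pipeline those reproducers are what get attached to the failing build.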

