FuseDrill is a tool for fuzzing and simulation testing of OpenAPI-described APIs using snapshots. It helps you identify OpenAPI contract changes between the previous version and the current one.
To use FuseDrill, you need to set up a GitHub Actions workflow. Here is an example configuration:
```yaml
name: FuseDrill Fuzzing/Simulation Testing
on:
  push:
    branches:
      - main  # Runs on push to the main branch
  pull_request:
    branches:
      - main  # Runs on pull requests to the main branch
jobs:
  fuzz-test:
    runs-on: ubuntu-latest
    steps:
      - name: Pull FuseDrill Docker Image
        # Add docker image versioning later (:latest is a mutable tag)
        run: docker pull ghcr.io/fusedrill/fusedrill-cli:latest
      # The OAuth header below is a placeholder; supply the real test-account
      # token from a repository secret instead of committing it to the workflow.
      - name: Run FuseDrill CLI in Docker
        run: |
          docker run --network host --rm \
            -e FUSEDRILL_BASE_ADDRESS="https://api.apis.guru/v2" \
            -e FUSEDRILL_OPENAPI_URL="https://api.apis.guru/v2/openapi.yaml" \
            -e FUSEDRILL_OAUTH_HEADER="Bearer your-API-test-account-oauth-token" \
            -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
            -e SMOKE_FLAG="true" \
            -e GITHUB_REPOSITORY_OWNER="${{ github.repository_owner }}" \
            -e GITHUB_REPOSITORY="${{ github.repository }}" \
            -e GITHUB_HEAD_REF="${{ github.head_ref }}" \
            -e GEMINI_API_KEY="${{ secrets.GEMINI_API_KEY }}" \
            ghcr.io/fusedrill/fusedrill-cli:latest
      - name: Post-run step
        run: |
          echo "Fuzzing test completed"
```
```json
{
  "Seed": 1234567,
  "TestSuites": [
    {
      "ApiCalls": [
        {
          "MethodName": "GetMetrics_http_get_Async",
          "Order": 2,
          "Response": {
            "NumSpecs": 3992,
            "NumAPIs": 2529,
            "NumEndpoints": 108837,
            "Unreachable": 166,
            "Invalid": 688,
            "Unofficial": 25,
            "Fixes": 84860,
            "FixedPct": 23,
            "Datasets": [
              {
                "data": {
                  "adyen.com": [],
                  "amadeus.com": [],
                  "amazonaws.com": [],
                  "apideck.com": [],
                  "apisetu.gov.in": [],
                  "azure.com": [],
                  "ebay.com": [],
                  "fungenerators.com": [],
                  "github.com": [],
                  "googleapis.com": [],
                  "hubapi.com": [],
                  "interzoid.com": [],
                  "mastercard.com": [],
                  "microsoft.com": [],
                  "nexmo.com": [],
                  "nytimes.com": [],
                  "Others": [],
                  "parliament.uk": [],
                  "sportsdata.io": [],
                  "twilio.com": [],
                  "vtex.local": [],
                  "windows.net": []
                },
                "title": []
              }
            ],
            "Stars": 3151,
            "Issues": 35,
            "ThisWeek": {
              "Added": 9,
              "Updated": 437
            },
            "NumDrivers": 10,
            "NumProviders": 677
          },
          "HttpMethod": "get"
        }
      ]
    },
    {
      "ApiCalls": [
        {
          "MethodName": "GetAPI_http_get_Async",
          "Order": 1,
          "Request": [
            "RandomString275",
            "RandomString157"
          ],
          "Response": {
            "StatusCode": 404,
            "Message": "The HTTP status code of the response was not expected (404).  Status: 404 Response:  <!DOCTYPE html> <html>   <head>     <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\">     <meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'\">     <title>Page not found · GitHub Pages</title>     <style type=\"text/css\" media=\"screen\">       body {         background-color: #f1f1f1;         margin: 0;         font-family: \"Helvetica Neue\", Helvetica, Arial, sans-serif;       }        .container { margin",
            "TypeName": "ApiException"
          },
          "HttpMethod": "get"
        },
        {
          "MethodName": "GetMetrics_http_get_Async",
          "Order": 3,
          "Response": {
            "NumSpecs": 3992,
            "NumAPIs": 2529,
            "NumEndpoints": 108837,
            "Unreachable": 166,
            "Invalid": 688,
            "Unofficial": 25,
            "Fixes": 84860,
            "FixedPct": 23,
            "Datasets": [
              {
                "data": {
                  "adyen.com": [],
                  "amadeus.com": [],
                  "amazonaws.com": [],
                  "apideck.com": [],
                  "apisetu.gov.in": [],
                  "azure.com": [],
                  "ebay.com": [],
                  "fungenerators.com": [],
                  "github.com": [],
                  "googleapis.com": [],
                  "hubapi.com": [],
                  "interzoid.com": [],
                  "mastercard.com": [],
                  "microsoft.com": [],
                  "nexmo.com": [],
                  "nytimes.com": [],
                  "Others": [],
                  "parliament.uk": [],
                  "sportsdata.io": [],
                  "twilio.com": [],
                  "vtex.local": [],
                  "windows.net": []
                },
                "title": []
              }
            ],
            "Stars": 3151,
            "Issues": 35,
            "ThisWeek": {
              "Added": 9,
              "Updated": 437
            },
            "NumDrivers": 10,
            "NumProviders": 677
          },
          "HttpMethod": "get"
        }
      ]
    }
....
```
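Added example, not FuseDrill's own code: a diff of two snapshots in the layout shown above that separates contract changes (fields added or removed, types changed) from plain value drift such as a changed status code. The function names, finding labels and sample snapshots are assumptions made for illustration, as is treating a differing `Seed` as "not comparable".

```python
import json

def flatten(value, path=""):
    """Yield (path, leaf) pairs so nested responses compare field by field."""
    if isinstance(value, dict) and value:
        for k, v in value.items():
            yield from flatten(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list) and value:
        for i, v in enumerate(value):
            yield from flatten(v, f"{path}[{i}]")
    else:
        yield path, value  # scalar, or an empty dict/list

def index_calls(snapshot):
    """Map (suite index, Order, MethodName) to that call's flattened Response."""
    return {(s, c["Order"], c["MethodName"]): dict(flatten(c.get("Response")))
            for s, suite in enumerate(snapshot.get("TestSuites", []))
            for c in suite.get("ApiCalls", [])}

def diff_snapshots(old, new):
    """Return (kind, MethodName, path) findings; shape changes are contract changes."""
    if old.get("Seed") != new.get("Seed"):  # assumption: other seed, other inputs
        return [("seed-mismatch", None, "Seed")]
    a, b = index_calls(old), index_calls(new)
    findings = []
    for key in sorted(a.keys() | b.keys()):
        fa, fb = a.get(key, {}), b.get(key, {})  # a missing call has no fields
        for p in sorted(fa.keys() | fb.keys()):
            if p not in fa or p not in fb:
                kind = "field-added" if p in fb else "field-removed"
            elif type(fa[p]) is not type(fb[p]):
                kind = "type-changed"
            else:
                kind = "value-changed" if fa[p] != fb[p] else None
            if kind:
                findings.append((kind, key[2], p))
    return findings

# Constructed sample data: a trimmed snapshot in the layout shown above.
OLD = json.loads('''{"Seed": 1234567, "TestSuites": [{"ApiCalls": [
  {"MethodName": "GetAPI_http_get_Async", "Order": 1, "Response": {"StatusCode": 404}},
  {"MethodName": "GetMetrics_http_get_Async", "Order": 2,
   "Response": {"NumSpecs": 3992, "ThisWeek": {"Added": 9, "Updated": 437}}}]}]}''')
NEW = json.loads(json.dumps(OLD))  # deep copy, then simulate a changed API
calls = NEW["TestSuites"][0]["ApiCalls"]
calls[0]["Response"]["StatusCode"] = 500          # fuzzed call now fails server-side
calls[1]["Response"]["NumSpecs"] = "3992"         # integer became a string
del calls[1]["Response"]["ThisWeek"]["Updated"]   # field dropped from the contract
print(*diff_snapshots(OLD, NEW), sep="\n")
```

Against a live API, counters such as `NumSpecs` drift between runs, so the `field-*` and `type-changed` findings are the ones that indicate a contract change; `value-changed` on `StatusCode` for a fuzzed request is the one worth triaging first.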
```yaml
name: FuseDrill Fuzzing/Simulation Testing
on:
  push:
    branches:
      - main  # Runs on push to the main branch
  pull_request:
    branches:
      - main  # Runs on pull requests to the main branch
jobs:
  fuzz-test:
    runs-on: ubuntu-latest
    steps:
      # ------------ Deploy your app or run inside the GitHub CI/CD
      - name: Pull FuseDrill test api Docker Image
        run: docker pull ghcr.io/fusedrill/fusedrill/testapi:latest

      - name: Run Test API
        run: |
          docker run -d \
            -e ASPNETCORE_ENVIRONMENT="Development" \
            -p 8080:8080 \
            ghcr.io/fusedrill/fusedrill/testapi:latest

      - name: Wait for Test API to be Ready
        run: |
          # Wait for the API to start and be reachable on port 8080
          until curl -s http://localhost:8080/swagger/v1/swagger.json; do
            echo "Waiting for Test API to start..."
            sleep 5
          done
      # ------------------------------------------------------
      - name: Pull FuseDrill Docker Image
        # Add docker image versioning later (:latest is a mutable tag)
        run: docker pull ghcr.io/fusedrill/fusedrill-cli:latest
      # The OAuth header below is a placeholder; supply the real test-account
      # token from a repository secret instead of committing it to the workflow.
      - name: Run FuseDrill CLI in Docker
        run: |
          docker run --network host --rm \
            -e FUSEDRILL_BASE_ADDRESS="http://localhost:8080/" \
            -e FUSEDRILL_OPENAPI_URL="http://localhost:8080/swagger/v1/swagger.json" \
            -e FUSEDRILL_OAUTH_HEADER="Bearer your-API-test-account-oauth-token" \
            -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
            -e SMOKE_FLAG="true" \
            -e GITHUB_REPOSITORY_OWNER="${{ github.repository_owner }}" \
            -e GITHUB_REPOSITORY="${{ github.repository }}" \
            -e GITHUB_HEAD_REF="${{ github.head_ref }}" \
            -e GEMINI_API_KEY="${{ secrets.GEMINI_API_KEY }}" \
            ghcr.io/fusedrill/fusedrill-cli:latest
      - name: Post-run step
        run: |
          echo "Fuzzing test completed"
```

| Basic | Team | Enterprise |
|---|---|---|
| Free open source | $8 / month | Custom Pricing |
| Great for individuals or small teams just starting out. | Perfect for growing teams and businesses that need more advanced features. | Designed for complicated requirements. Get in touch with us for a tailored solution. |
| Runs locally | 1 repository | Unlimited repositories |
| Single user | Access to all local features | AI enhanced fuzzing with your local AI models |
| Free Forever | AI enhanced fuzzing | 24/7 Priority Support |
| No Credit Card required | AI summaries of snapshots | AI summaries of snapshots with your local AI model |
| Local snapshot diff comparison | CI/CD Integration with GitHub | Custom Integrations |
| C# only for now | Fuzz your APIs inside a Docker container | 24/7 Priority Support |
| Other languages coming soon if there is need | Your cloud | |
| Your AI | | |
| Your data | | |
| Go to open source | Sign Up and add Workflow to GitHub | Let’s explore your requirements |

Q1: What is an API fuzzer?
A: An API fuzzer is a tool that tests APIs by sending random, unexpected, or malicious inputs to identify potential vulnerabilities or issues in the system. With AI-enhanced fuzzing, the tool crafts more sophisticated and context-aware test cases, increasing the likelihood of uncovering complex issues and ensuring better coverage during testing.

Q2: Why is fuzzing important for my API?
A: Fuzzing is crucial for identifying and fixing hidden vulnerabilities or bugs in your API before they reach your clients. By detecting unexpected behavior early, the tool ensures your changes are expected and won’t disrupt your users’ experience when released. It helps maintain trust and reliability in your services.

Q3: Who is this API fuzzer designed for?
A: Our API fuzzer is designed for individuals, teams, and enterprises aiming to improve their API security and reliability, with tailored features for each level.

Q4: What’s the difference between the Basic, Team, and Enterprise plans?
A:

Q5: How does AI-enhanced fuzzing work?
A: AI-enhanced fuzzing leverages LLM models to generate more intelligent and context-aware test cases, improving the efficiency of API testing.

Q6: What are snapshot comparisons?
A: Snapshot comparison allows you to compare the current state of your API responses against previously saved snapshots, making it easy to spot unintended changes.

Q7: Does the fuzzer integrate with CI/CD pipelines?
A: Yes, the Team and Enterprise plans include CI/CD integration, allowing seamless testing within your development workflows, including GitHub Actions.

Q8: Is the API fuzzer compatible with my local environment?
A: Absolutely. The Basic and Team plans are designed to run locally, ensuring no data leaves your environment unless you choose to integrate external tools.

Q9: Can I use my own AI models for fuzzing?
A: Yes, the Enterprise plan supports local AI model integration, enabling custom testing scenarios with your proprietary models.

Q10: Is my data secure while using the API fuzzer?
A: We prioritize your data security. Local testing ensures data never leaves your environment unless explicitly configured, and the Enterprise plan allows full control over your cloud and data.

Q11: Does the fuzzer store sensitive information?
A: No, the fuzzer does not store sensitive information unless you configure it to do so. All testing is designed with privacy in mind.

Q12: What kind of support is available?
A:

Q13: How much does the API fuzzer cost?
A:

Q14: How do I upgrade my plan?
A: You can upgrade directly from your account dashboard. For the Enterprise plan, contact our sales team to discuss your needs.

Q15: How do I install the API fuzzer?
A: The Basic version is open-source and available on GitHub. Follow the installation guide in the repository to set it up locally.

If you have further questions, feel free to reach out via our support channels!