Join the chat at Codacy Badge Maintainability Scrutinizer Code Quality Build Status Documentation Status

APIFuzzer — HTTP API Testing Framework

APIFuzzer reads your API description and step by step fuzzes the fields to validate if you application can cope with the fuzzed parameters. Does not require coding.

Supported API Description Formats

Work in progress



  1. Python3
  2. sudo apt install libcurl4-openssl-dev libssl-dev (on Ubuntu 18.04, required by pycurl)


Fetch the most recent code from GitHub

$ git clone

Install requirements. If you don't have pip installed, then sudo apt-get install python3-pip -y

$ pip3 install -r APIFuzzer/requirements.txt

Quick Start

Check the help (some of them are not implemented yet):

$$ python3 -h
usage: [-h] [-s SRC_FILE] [--src_url SRC_URL] [-r REPORT_DIR]
                 [--level LEVEL] [-u ALTERNATE_URL] [-t TEST_RESULT_DST]
                 [--log {critical,fatal,error,warn,warning,info,debug,notset}]
                 [--basic_output BASIC_OUTPUT] [--headers HEADERS]

API fuzzer configuration

optional arguments:
  -h, --help        show this help message and exit
  -s SRC_FILE, --src_file SRC_FILE
                    API definition file path. Currently only JSON format is
  --src_url SRC_URL
                    API definition url. Currently only JSON format is
  -r REPORT_DIR, --report_dir REPORT_DIR
                    Directory where error reports will be saved. Default is
                    temporally generated directory
  --level LEVEL     Test deepness: [1,2], higher is the deeper !!!Not
                    Use CLI defined url instead compile the url from the API
                    definition. Useful for testing
                    JUnit test result xml save path
  --log {critical,fatal,error,warn,warning,info,debug,notset}
                    Use different log level than the default WARNING
  --basic_output BASIC_OUTPUT
                    Use basic output for logging (useful if running in
                    jenkins). Example: --basic_output=True
  --headers HEADERS
                    Http request headers added to all request. Example:
                    '[{"Authorization": "SuperSecret"}, {"Auth2": "asd"}]'

Usage example:

Start the sample application (install the necessary packages listed in test/requirements_for_test.txt):
$ python3 test/

Start the fuzzer:
$ python3 -s test/test_swagger_definition.json -u -r /tmp/reports/ --log debug 

Check the reports:
$ ls -1 /tmp/reports/

Report example:
$ json_pp < /tmp/reports/79_1573993485.5391517.json
   "response" : "Test application exception: invalid literal for int() with base 10: '0\\x00\\x10'",
   "sub_reports" : [],
   "parsed_status_code" : 500,
   "state" : "COMPLETED",
   "test_number" : 79,
   "request_body" : null,
   "reason" : "failed",
   "name" : "target",
   "request_url" : "\u0000\u0010",
   "request_method" : "GET",
   "status" : "failed",
   "request_headers" : "{\"User-Agent\": \"APIFuzzer\", \"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Connection\": \"keep-alive\"}"