Abstract
Web Application Programming Interfaces (APIs) allow systems to be addressed programmatically and form the backbone of the internet. RESTful and RPC APIs are among the most common API architectures used. In the last decades, researchers have proposed various techniques for automated testing of RESTful APIs; however, to the best of the authors' knowledge, there exists no work on testing JSON-RPC (one of the two data formats supported by RPC) APIs. To address this limitation, we propose a grammar-based evolutionary fuzzing approach for testing JSON-RPC APIs that uses a novel black-box heuristic. Specifically, we use a diversity-based fitness function based on hierarchical clustering to quantify the differences in API method responses. Our hypothesis is that responses that are unlike previously seen ones are an indication that new uncovered code paths are reached. We evaluate our approach on the XRP ledger, a large-scale industrial blockchain system that uses JSON-RPC APIs. Our results show that the proposed approach performs significantly better than the baseline (grammar-based fuzzer) and covers an additional 240 branches.
Original language | English |
---|---|
Title of host publication | The 16th International Workshop on Search-Based and Fuzz Testing |
Publisher | IEEE / ACM |
Pages | 33-36 |
Number of pages | 4 |
DOIs | |
Publication status | Published - 2023 |
Event | 16th International Workshop on Search-Based and Fuzz Testing - Melbourne, Australia; Duration: 14 May 2023 → 14 May 2023; Conference number: 16 |
Workshop
Workshop | 16th International Workshop on Search-Based and Fuzz Testing |
---|---|
Abbreviated title | SBFT 2023 |
Country/Territory | Australia |
City | Melbourne |
Period | 14/05/23 → 14/05/23 |
Bibliographical note
Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
Keywords
- Search-based Software Engineering
- Fuzzing
- Test Case Generation
- API Testing
- Hierarchical Clustering