Fuzzing for Microservices - A Software Testing Miracle

November 16 2020

CI Fuzz is an automated application testing platform. It offers easy IDE integration that saves developers’ time and effort while drastically improving the stability and reliability of the codebase. CI Fuzz is based on modern fuzzing technologies. Learn more about fuzzing on this infographic.

CI Fuzz offers an easy-to-use interface to apply these advanced technologies. No deep technical fuzzing knowledge is required. Instead, developers are able to define which functions or interfaces (e.g. RESTControllers) they want to have tested and our software is able to generate test cases automatically. Furthermore, CI Fuzz easily integrates into a standard CI/CD workflow such as Jenkins. The fuzz tests are run automatically with each new code change and incidents are reported promptly. Fuzzing tests can be scaled on-demand on a Kubernetes cluster.

While OSS fuzzers (e.g. AFL, hongfuzz, …) are only able to test C/C++/Go APIs and detect normal bugs, CI Fuzz is also able to test Web APIs and even conducts system tests. The procedure is similar to OWASP Zap, but adds the feedback-loop to the fuzzing process on top. Therefore, CI Fuzz reaches an unrivalled level of code coverage and thus detects more bugs. If you are interested in the CVEs that have been detected with CI Fuzz, you should check out our trophies page.  

Our testing platform covers mainly two scenarios for microservices: One for fuzzing supported frameworks (high automation) and one framework agnostic (requires OpenAPI definitions and some fine-tuning). This blog will focus on the first one.

One-Click Setup for Fuzz Testing

In order to create a fuzz test for a Java microservice application, CI Fuzz automatically detects the applied framework (in this case Spring Boot) and offers a simple one-click wizard to create fuzz tests.

create new fuzz test

Automated Endpoint Detection

During the project initialization phase, CI Fuzz scans all the endpoints of the application. The scan allows CI Fuzz to identify the types of requests that are expected at every endpoint (Rest calls, web forms, etc.). This enables CI Fuzz to craft valid requests against the application’s endpoints and to test only interesting parts of the requests (e.g. only parameter values, not parameter names). This smart fuzzing approach allows CI Fuzz to reach code deep inside your application’s business logic. The following code snippet should make this clear:

Code example automated endpoint detection

Per default, the automatically generated fuzz test will test all the endpoints. If the user is more interested in testing selected endpoints, he can filter and select the endpoints to test.

select endpoint for new fuzz test

Advanced Monitoring of Fuzzing Process

Once the fuzzing started, the dashboard of CI Fuzz provides you with interesting live monitoring of the fuzzing process. The leftmost metric is the total number of code blocks, edges, and additional metrics covered by executing the current corpus. Our fuzz engines use different metrics to evaluate the code coverage: edge coverage, edge counters, value profiles, indirect caller/callee pairs, equal bytes, etc. The graph in the middle displays the performance over time in execution per second. Fuzzers will start fast, with many executions per second. For example, a sudden decrease in performance can indicate bugs like endless loops, memory exhaustion or timeouts.


Review Findings Within Seconds

Once the fuzzer finds bugs, the bugs get reported in multiple places in the UI. The list view of “all findings” provides the user with an overview of the detected bugs. Clicking on one of the entries will open a detailed overview of the finding, with further information on the severity of the bug and useful resources regarding the type of bug.

findings overiew

Have You Become Curious?

You are lucky! We have just launched the closed beta of our Fuzzing as a Service Platform. Besides C++ our focus is mainly on Java Spring Boot projects. Are you the maintainer of an open source project or developer in a startup? Then the entire platform is 100% free for you. For all other interested parties we will find a solution on request. Secure your place now and become an AppSec pioneer:

Apply for Closed Beta

Recent Posts

Share Article

Subscribe to updates