RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.

The first open-source AI-driven tool for automatically generating system-level test cases (also known as fuzzing) for web/enterprise applications. Currently targeting whitebox and blackbox testing of Web APIs, like REST, GraphQL and RPC (e.g., gRPC and Thrift).

REST API Fuzz Testing (RAFT): Source code for self-hosted service developed for Azure, including the API, orchestration engine, and default set of security tools (including MSR's RESTler), that enables developers to embed security tooling into their CI/CD workflows

REST API Automation framework for functional, integration, fuzzing, and performance testing

Fuzz test your REST API calls

Burp Suite extension for API security testing with 15 attack types, 108+ payloads, intelligent fuzzing, BOLA/IDOR detection, AI integration, and automated reconnaissance. Supports REST/GraphQL/SOAP APIs with Nuclei, Turbo Intruder, and external tool integration. OWASP API Top 10 coverage.

Derive property based testing fast-check into a fuzzer for REST APIs

Hsuan-Fuzz: REST API Fuzzing by Coverage Level Guided Blackbox Testing

:mag: An automatic REST API fuzzing tool based on property-based testing techniques.

Web Fuzzer & Vulnerability Scanner for Penetration Testing & Bug Bounty. ffuf/gobuster alternative with 200+ features: WAF Bypass, API Fuzzing (REST/GraphQL/WebSocket), CAPTCHA Detection, Directory Bruteforce, Subdomain Enumeration, Security Testing, CORS/XSS/SQLi scanning. Fast (162 req/sec), Rust-powered. For pentesters & security researchers 🔐

A tool for fuzzing and negative testing of REST APIs. Run thousands of self-regenerating API tests in minutes without writing any code. Provides comprehensive, intelligent, customizable, and self-regenerating testing with a quick start guide available.

🤖 LLM-Augmented Stateful Fuzz Testing of REST API

GitHub Actions pipeline that uses multiple REST API fuzzers to test software

An example fuzz testing a REST API with generated data.

A workshop exploring how to perform load and fuzz testing on a REST API using Artillery and Playwright,

A Rest API fuzz testing application built with Python and Django

Python fuzzer for testing BOLA vulnerabilities in REST APIs via OWASP ZAP

An example of fuzz testing a REST API with data generated from an Open API spec.

A lab exploring security testing fuzzing from two different perspectives: SharpFuzz for individual assemblies over .NET applications and WuppieFuzz for wider, REST API infrastructures

Enterprise-grade API penetration testing platform with multi-protocol support (REST/GraphQL/SOAP/gRPC/WebSocket), intelligent fuzzing, OWASP Top 10 detection, CVE scanning, and comprehensive vulnerability assessment for modern APIs.

REST API for ETF portfolio analytics & backtesting. A high-quality testing playground featuring FastAPI, deterministic financial fixtures, and a robust CI/CD stack: Pytest (Unit/API/Contract), Schemathesis (Fuzzing), Newman (Smoke), and k6 (Performance).

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.

This project extends RestTestGen, a black-box REST API fuzzer with native support for the WFC standard. The work covers WFC Authentication (and a novel signupEndpoint extension), WFC Fault, WFC report, and a curated test dataset of 17 Dockerized open-source REST APIs.