{"id":"https://openalex.org/W4386841578","doi":"https://doi.org/10.48550/arxiv.2309.08360","title":"Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs","display_name":"Advanced White-Box Heuristics for Search-Based Fuzzing of REST APIs","publication_year":2023,"publication_date":"2023-09-15","ids":{"openalex":"https://openalex.org/W4386841578","doi":"https://doi.org/10.48550/arxiv.2309.08360"},"language":"en","primary_location":{"id":"pmh:oai:arXiv.org:2309.08360","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2309.08360","pdf_url":"https://arxiv.org/pdf/2309.08360","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"text"},"type":"preprint","indexed_in":["arxiv","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/2309.08360","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5052735480","display_name":"Andrea Arcuri","orcid":"https://orcid.org/0000-0003-0799-2930"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Arcuri, Andrea","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100353083","display_name":"Man Zhang","orcid":"https://orcid.org/0000-0003-1204-9322"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Man","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5041433839","display_name":"Juan Pablo Galeotti","orcid":"https://orcid.org/0000-0002-0747-8205"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Galeotti, Juan Pablo","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5052735480"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.9972000122070312,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9912999868392944,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.9669593572616577},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8474764823913574},{"id":"https://openalex.org/keywords/heuristics","display_name":"Heuristics","score":0.657586932182312},{"id":"https://openalex.org/keywords/white-box","display_name":"White box","score":0.5935653448104858},{"id":"https://openalex.org/keywords/rest","display_name":"Rest (music)","score":0.49301478266716003},{"id":"https://openalex.org/keywords/extension","display_name":"Extension (predicate logic)","score":0.47415536642074585},{"id":"https://openalex.org/keywords/black-box","display_name":"Black box","score":0.45153409242630005},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.4031023383140564},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.3394201397895813},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.25600868463516235},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.24184522032737732},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.16234281659126282}],"concepts":[{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.9669593572616577},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8474764823913574},{"id":"https://openalex.org/C127705205","wikidata":"https://www.wikidata.org/wiki/Q5748245","display_name":"Heuristics","level":2,"score":0.657586932182312},{"id":"https://openalex.org/C180932941","wikidata":"https://www.wikidata.org/wiki/Q997233","display_name":"White box","level":2,"score":0.5935653448104858},{"id":"https://openalex.org/C77265313","wikidata":"https://www.wikidata.org/wiki/Q879844","display_name":"Rest (music)","level":2,"score":0.49301478266716003},{"id":"https://openalex.org/C2778029271","wikidata":"https://www.wikidata.org/wiki/Q5421931","display_name":"Extension (predicate logic)","level":2,"score":0.47415536642074585},{"id":"https://openalex.org/C94966114","wikidata":"https://www.wikidata.org/wiki/Q29256","display_name":"Black box","level":2,"score":0.45153409242630005},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.4031023383140564},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.3394201397895813},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.25600868463516235},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.24184522032737732},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.16234281659126282},{"id":"https://openalex.org/C71924100","wikidata":"https://www.wikidata.org/wiki/Q11190","display_name":"Medicine","level":0,"score":0.0},{"id":"https://openalex.org/C164705383","wikidata":"https://www.wikidata.org/wiki/Q10379","display_name":"Cardiology","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:oai:arXiv.org:2309.08360","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2309.08360","pdf_url":"https://arxiv.org/pdf/2309.08360","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"text"},{"id":"doi:10.48550/arxiv.2309.08360","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2309.08360","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:2309.08360","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2309.08360","pdf_url":"https://arxiv.org/pdf/2309.08360","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"text"},"sustainable_development_goals":[{"score":0.6100000143051147,"display_name":"Industry, innovation and infrastructure","id":"https://metadata.un.org/sdg/9"}],"awards":[{"id":"https://openalex.org/G251920327","display_name":"Using Evolutionary Algorithms to Understand and Secure Web/Enterprise Systems","funder_award_id":"864972","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G8318064016","display_name":null,"funder_award_id":"Horizon","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"}],"funders":[{"id":"https://openalex.org/F4320320300","display_name":"European Commission","ror":"https://ror.org/00k4n6c32"},{"id":"https://openalex.org/F4320335478","display_name":"Secretar\u00eda de Ciencia y T\u00e9cnica, Universidad de Buenos Aires","ror":null}],"has_content":{"grobid_xml":false,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4386841578.pdf"},"referenced_works_count":0,"referenced_works":[],"related_works":["https://openalex.org/W2047881532","https://openalex.org/W2727407240","https://openalex.org/W1984273188","https://openalex.org/W154189287","https://openalex.org/W3033197410","https://openalex.org/W3083665950","https://openalex.org/W2601181618","https://openalex.org/W1855700431","https://openalex.org/W2385964753","https://openalex.org/W3016331820"],"abstract_inverted_index":{"Due":[0],"to":[1,47,118,142],"its":[2],"importance":[3],"and":[4,75],"widespread":[5],"use":[6],"in":[7,22,32,52,70,123,131,168],"industry,":[8],"automated":[9],"testing":[10],"of":[11,29,66,72,100,110,165,170],"REST":[12,101],"APIs":[13,153],"has":[14,35],"attracted":[15],"major":[16,84],"interest":[17],"from":[18,154],"the":[19,23,30,33,64,92,155,166],"research":[20,60],"community":[21],"last":[24],"few":[25],"years.":[26],"However,":[27],"most":[28],"work":[31],"literature":[34],"been":[36,45],"focused":[37],"on":[38,151],"black-box":[39,87],"fuzzing.":[40],"Although":[41],"existing":[42,53,94],"fuzzers":[43],"have":[44],"used":[46],"automatically":[48],"find":[49],"many":[50],"faults":[51],"APIs,":[54],"there":[55],"are":[56,82,137],"still":[57],"several":[58],"open":[59],"challenges":[61],"that":[62,96],"hinder":[63],"achievement":[65],"better":[67],"results":[68,167],"(e.g.,":[69],"terms":[71],"code":[73],"coverage":[74],"fault":[76],"finding).":[77],"For":[78],"example,":[79],"under-specified":[80,121,129],"schemas":[81,130],"a":[83,108],"issue":[85],"for":[86,115],"fuzzers.":[88],"Currently,":[89],"EvoMaster":[90],"is":[91],"only":[93],"tool":[95],"supports":[97],"white-box":[98,112],"fuzzing":[99],"APIs.":[102,172],"In":[103],"this":[104],"paper,":[105],"we":[106],"provide":[107],"series":[109],"novel":[111,135],"heuristics,":[113],"including":[114],"example":[116],"how":[117],"deal":[119],"with":[120],"constrains":[122],"API":[124],"schemas,":[125],"as":[126,128,139],"well":[127],"SQL":[132],"databases.":[133],"Our":[134],"techniques":[136],"implemented":[138],"an":[140],"extension":[141],"our":[143],"open-source,":[144],"search-based":[145],"fuzzer":[146],"EvoMaster.":[147],"An":[148],"empirical":[149],"study":[150],"14":[152],"EMB":[156],"corpus,":[157],"plus":[158],"one":[159],"industrial":[160],"API,":[161],"shows":[162],"clear":[163],"improvements":[164],"some":[169],"these":[171]},"counts_by_year":[],"updated_date":"2026-04-13T07:58:08.660418","created_date":"2025-10-10T00:00:00"}