Frequently Asked Questions (FAQ)
API Testing
What platforms are supported?
The Mayhem API testing CLI (command line interface), mapi, will run on the following platforms:
- Linux (64-bit)
- MacOS
- Windows (64-bit)
What languages are supported?
Mayhem scans Web APIs. It does not matter what language the API is written in, as long as it is accessible from the same network as the mapi CLI.
To report issues in more detail, Mayhem can collect stacktraces returned by the API. It is common to enable returning stacktraces when running an API in debug mode, but not in production.
Stacktrace parsing enables Mayhem to achieve tighter integrations with tools like GitHub / Visual Studio Code with the help of SARIF results export.
The supported languages for Stacktrace parsing include:
- python
- ruby
- java
- javascript
- go
- C#
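As an added illustration of what stacktrace parsing feeds into (this is example code, not mapi's own parser), the routine below turns a Python traceback of the kind a debug-mode API might return into a minimal SARIF 2.1.0 result whose location is the innermost frame. The traceback text, the /srv/app path and the tool name are constructed sample values.

```python
import json
import re

# Constructed sample input: a Python traceback as a debug-mode API might return
# it in a 500 response body; the path is a placeholder, not a real application.
SAMPLE_TRACEBACK = """Traceback (most recent call last):
  File "/srv/app/api/views.py", line 42, in create_user
    age = int(payload["age"])
ValueError: invalid literal for int() with base 10: 'abc'
"""
# One stack-frame line in CPython's traceback format.
FRAME_RE = re.compile(r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')

def parse_python_traceback(text):
    """Return (frames, exception_line); frames are (path, line, func), innermost last."""
    frames, exc = [], ""
    for raw in text.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            frames.append((m.group("path"), int(m.group("line")), m.group("func")))
        elif raw and not raw.startswith((" ", "Traceback")):
            exc = raw.strip()  # the final "ExcType: message" line
    return frames, exc

def to_sarif(frames, exc, rule_id="uncaught-exception"):
    """Build a minimal SARIF 2.1.0 log whose location is the innermost frame."""
    if not frames:
        raise ValueError("no stack frames found in response body")
    path, line, func = frames[-1]
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "example-stacktrace-parser", "rules": [{"id": rule_id}]}},
            "results": [{
                "ruleId": rule_id,
                "level": "error",
                "message": {"text": f"{exc} (in {func})"},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": path},
                                                    "region": {"startLine": line}}}],
            }],
        }],
    }

def sarif_json(text=SAMPLE_TRACEBACK):
    """Parse a traceback and serialise the SARIF log, as a CI upload step would."""
    frames, exc = parse_python_traceback(text)
    return json.dumps(to_sarif(frames, exc), indent=2)
```

Note that the traceback exposes server-side file paths, which is one reason the page advises against returning stacktraces in production.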
What kind of information do you collect?
Personal Information
When you sign up for Mayhem, we collect your email address and any other optional information that you provide such as Name and Phone Number.
When you sign up using a social login, such as Atlassian, GitLab, Github or Google, we will automatically collect your email address and Name.
If you choose to delete your account, all personal information will be removed at, or before, 28 days, in accordance with GDPR.
Application Data
During a Mayhem scan, the mapi CLI can make thousands, or even millions, of requests to your API. Each run, we sample a small number of requests for every endpoint in order to give users insight into the testing and requests that mapi is sending. When an issue is discovered, we collect the request that was sent to your API, and the response that it returned to the CLI.
Other information that is considered 'secret', such as Bearer tokens used for Authentication, will be redacted prior to uploading issue details or sample requests.
Info
Organizations with Enterprise plans can run in 'local' mode. This mode prevents the mapi CLI from uploading all run details to the mAPI API. Results will be kept local to the computer where mapi was run. See Keeping Results Local for more details.
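To make the redaction step above concrete, here is an added example (not mapi's implementation, whose exact rules the page does not describe) of sanitising a captured request before it leaves the machine: secret headers, secret query parameters and Bearer/Basic credentials in free text are masked, and the original capture is left untouched. The header and parameter names and the sample request are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header and query-parameter names treated as secret (an assumed list for this example).
SECRET_HEADERS = {"authorization", "cookie", "x-api-key"}
SECRET_PARAMS = {"token", "access_token", "api_key"}
# Bearer/Basic credentials embedded in free text, e.g. a body that echoes a header back.
CREDENTIAL_RE = re.compile(r"\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+", re.IGNORECASE)
MASK = "[REDACTED]"

def redact_url(url):
    """Mask values of secret query parameters while keeping the rest of the URL intact."""
    parts = urlsplit(url)
    query = [(k, MASK if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="[]")))

def redact_request(req):
    """Return a sanitised copy of a captured request; the input dict is not modified."""
    return {
        "method": req["method"],
        "url": redact_url(req["url"]),
        "headers": {k: (MASK if k.lower() in SECRET_HEADERS else v)
                    for k, v in req["headers"].items()},
        "body": CREDENTIAL_RE.sub(lambda m: f"{m.group(1)} {MASK}", req.get("body", "")),
    }

# Constructed sample: a request a scan might sample, carrying a placeholder token.
SAMPLE_REQUEST = {
    "method": "GET",
    "url": "http://example.com/users?id=7&access_token=SAMPLE-TOKEN-123",
    "headers": {"Authorization": "Bearer SAMPLE-TOKEN-123", "Accept": "application/json"},
    "body": "",
}
```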
My API is returning 429 Too Many Requests while scanning
While it is good practice to configure rate limiting for your API, this has a negative impact on fuzzing. Mayhem performs best when it can make as many requests against your API as quickly as possible.
If, for whatever reason, you cannot disable Rate Limiting in your API, you can run Mayhem with rate limiting.
For example, to limit requests to 60 requests per minute, you would include --rate-limit 60 as an option to the mapi run sub-command.
mapi run my-project 1min openapi.yaml --url http://example.com --rate-limit 60
Code Testing
What is Mayhem?
Mayhem is an advanced fuzzer that combines the tried-and-true methods of guided fuzzing with the ingenuity of symbolic execution.
What problems does Mayhem help me solve?
Mayhem executes across a broad range of code to dynamically find new vulnerabilities instead of merely relying on lists of known software weaknesses or vulnerabilities. Tests are then made against these new-found vulnerabilities to make certain they pose a risk. Mayhem is comparable to a popular form of manual testing known as penetration testing but also has more advanced features.
Why Mayhem?
Anyone can do fuzz test automation. The real question is who can do automation with precision. Mayhem combines fast fuzz testing with systematic symbolic execution. Together, they produce the most unique inputs in the least amount of time, efficiently canvassing your software application. This allows organizations to push software out safer in less time, with less effort and at lower cost.
Does Mayhem require source code?
No, Mayhem does not require source code to test an application. Mayhem works with both source code and binaries. Mayhem finds vulnerabilities before and after software release.
Why is Mayhem better than just running open source honggfuzz/libfuzzer/AFL?
- We are a platform.
- We store all the test cases, can continue progress, perform regression tests.
- We have a structured UI to display results.
- We provide an automated framework to handle jobs, users, projects.
- We provide documentation, tutorials, easy to use CLI, docker ingest, scriptable API.
What languages does Mayhem support?
C, C++, Go, Rust, Java, Ada, and many more! Refer to this solution brief or the fuzzme repo for more information.
What platforms/architectures does Mayhem support?
Linux x86_64 compiled software. Other platforms may be compatible on a case by case basis. Refer to this solution brief for more information.
Does Mayhem really have a zero false-positive rate?
All defects found by Mayhem are tested three times and verified.
Will Mayhem modify my application?
No. Mayhem accepts arbitrary black box binaries to perform analysis and does not modify the application at all.
How much does Mayhem cost?
Mayhem is priced based on the tier and number of cores you'd like in your cluster. For more information, reach out to a sales representative here.
Does Mayhem perform test case de-duplication?
Mayhem only saves the unique test cases that get new coverage. Multiple test cases can run into the same path, but there's no reason to save them all. Similarly, multiple test cases can trigger the same defect, but there's no reason to save them all. To ensure regression test efficiency, we run de-duplication and only save the most useful test cases.
How is Mayhem deployed?
Mayhem is offered both as an on-prem and cloud solution (private and public). And, for our Federal customers in the United States, we are TAA compliant.
Is Mayhem CI/CD friendly?
Yes. We have designed Mayhem to integrate into your current CI/CD. Refer to this solution brief for more information. Mayhem is a versatile solution that is able to conduct a multitude of testing techniques: unit testing, regression testing, negative testing, continuous testing, dynamic testing. Based on use cases that work for organizations, Mayhem can be incorporated as a part of the development phase of the SDLC, shifting DAST and fuzz testing further left.
What kind of defects can Mayhem detect?
CWEs can lead to CVEs. Mayhem can detect a number of CWE defects such as Improper Input Validation, Out-of-bounds Read, Incorrect Calculation of Buffer Size, Divide By Zero, Failure to Release Memory Before Removing Last Reference ('Memory Leak'), Use of Uninitialized Variable, NULL Pointer Dereference, Free of Memory not on the Heap, Release of Invalid Pointer or Reference, Out-of-bounds Write, and Improper Control of Dynamically-Managed Code Resources. Refer to this datasheet for more information.
What CVEs has Mayhem detected?
An updated list can be found here: https://forallsecure.com/vulnerabilities-lab