
Introduction

Let’s start your API testing journey! There’s a lot to learn, but every journey starts somewhere. In this tutorial, we’ll ultimately show you how to do the following:

  1. Install the API testing command-line client on Linux, macOS, or Windows.
  2. Use the CLI to test your first API.
  3. Monitor progress.

How Does Mayhem Test APIs?

Mayhem can automatically test REST APIs by bringing the full might of fuzzing methodology to API testing. With the guidance of an API specification, Mayhem provides accurate and informative test coverage tailored to any REST API.

Mayhem uses a fuzzing engine to automatically generate a comprehensive suite of inputs that exercise both the functionality and the robustness of an application’s API infrastructure. By using fuzzing techniques to generate inputs and observing how the application responds, Mayhem can quickly iterate through large numbers of test cases to find weaknesses in an API’s functionality or security.

Why Should I Use Mayhem for My API Testing?

It is no secret that web APIs have become increasingly important to the operation of modern business. Many business models for new products and services are constructed based on APIs such as billing and identity providers. Trust has become a necessity for APIs. APIs that perform consistently and with high quality earn trust, and those that fail are abandoned. Mayhem helps you build trust in your APIs in a number of ways:

  • Resilience - Mayhem is great for discovering troublesome 500 Internal Server Error responses and server crashes automatically, before your clients do.
  • Security - With a growing list of Security Checkers, Mayhem can discover issues such as Server Side Request Forgery (SSRF) and SQL Injection.
  • Quality - Mayhem validates every response returned from your API against your specification to identify endpoints that are inconsistent with the spec, such as missing fields or incorrect response codes. Keeping your API synchronized with your specification ensures that API consumers are not caught off guard by unexpected behavior.
  • Performance - Latency statistics of every endpoint are recorded on every run to provide a clear picture of what endpoints have inconsistent or degraded performance.
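The two sections above describe the loop in the abstract: derive inputs from the specification, send them, and classify what comes back as a resilience, quality, or performance finding. The following Python is an added illustration of that loop and is not Mayhem's own code. The spec fragment, the two endpoints, the latency budget and the captured responses are all constructed for the example, and the classifier implements only the three checks the bullets name (5xx responses, undeclared status codes or missing required fields, and latency over budget).

```python
# Added example: a miniature of spec-guided API fuzzing and response
# validation. Not Mayhem's code; all endpoints and data are constructed.
from dataclasses import dataclass

# Constructed OpenAPI-style fragment (hypothetical endpoints). Each entry has
# one parameter schema, the status codes the spec declares, and the fields a
# successful response body must contain.
SPEC = {
    ("GET", "/users/{id}"): {
        "param": {"name": "id", "type": "integer", "minimum": 1, "maximum": 1000},
        "responses": {200, 404},
        "required_fields": {"id", "email"},
    },
    ("POST", "/orders"): {
        "param": {"name": "sku", "type": "string", "maxLength": 8},
        "responses": {201, 400},
        "required_fields": {"order_id"},
    },
}

LATENCY_BUDGET_MS = 500.0  # assumed per-endpoint latency budget


def generate_values(schema: dict) -> list:
    """Derive boundary and off-spec inputs from a parameter schema.

    The spec tells the generator where the interesting edges are: numeric
    limits, length limits and the declared type.
    """
    if schema["type"] == "integer":
        lo, hi = schema["minimum"], schema["maximum"]
        return [lo, hi, lo - 1, hi + 1, 0, -1, 2**63, "not-a-number"]
    if schema["type"] == "string":
        n = schema["maxLength"]
        return ["", "a" * n, "a" * (n + 1), "\u00e9" * n, "a\x00b", None]
    raise ValueError(f"unsupported schema type {schema['type']}")


@dataclass
class Observation:
    """One captured request/response pair (constructed for the example)."""
    method: str
    path: str
    status: int
    body: dict
    latency_ms: float


@dataclass
class Finding:
    category: str  # "resilience", "quality" or "performance"
    endpoint: str
    detail: str


def check(obs: Observation) -> list[Finding]:
    """Classify one observation against the spec."""
    spec = SPEC[(obs.method, obs.path)]
    endpoint = f"{obs.method} {obs.path}"
    findings: list[Finding] = []
    if 500 <= obs.status < 600:
        # Resilience: a generated input should never produce a server error.
        findings.append(Finding("resilience", endpoint, f"server error {obs.status}"))
    elif obs.status not in spec["responses"]:
        # Quality: the spec does not declare this status code.
        findings.append(Finding("quality", endpoint, f"undeclared status {obs.status}"))
    if 200 <= obs.status < 300:
        # Quality: a success body must carry every required field.
        missing = spec["required_fields"] - set(obs.body)
        if missing:
            findings.append(Finding("quality", endpoint, f"missing fields {sorted(missing)}"))
    if obs.latency_ms > LATENCY_BUDGET_MS:
        # Performance: record endpoints that exceed the latency budget.
        findings.append(Finding("performance", endpoint, f"{obs.latency_ms:.0f} ms over budget"))
    return findings


def run(observations: list[Observation]) -> dict[str, int]:
    """Return a count of findings per category, e.g. for a CI gate."""
    counts = {"resilience": 0, "quality": 0, "performance": 0}
    for obs in observations:
        for finding in check(obs):
            counts[finding.category] += 1
    return counts


# Constructed capture of a few responses, as a fuzzing run might observe them.
SAMPLE = [
    Observation("GET", "/users/{id}", 200, {"id": 1, "email": "a@example.com"}, 42.0),
    Observation("GET", "/users/{id}", 500, {}, 61.0),                  # server error
    Observation("GET", "/users/{id}", 200, {"id": 7}, 38.0),           # email missing
    Observation("POST", "/orders", 201, {"order_id": "A1"}, 812.0),    # over budget
    Observation("POST", "/orders", 422, {"error": "too long"}, 15.0),  # 422 undeclared
]

if __name__ == "__main__":
    for key, entry in SPEC.items():
        print(key, generate_values(entry["param"]))
    for obs in SAMPLE:
        for finding in check(obs):
            print(f"[{finding.category}] {finding.endpoint}: {finding.detail}")
    print(run(SAMPLE))
```

Running the file prints the generated inputs per endpoint, one line per finding, and the per-category totals. A real run would loop `generate_values` through the HTTP client and feed each response into `check`; here the capture is fixed so the classification can be read without a server.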

The Mayhem website provides reproduction steps so that you can replay any issues either with curl or with the mapi CLI.


Mayhem is not a replacement for existing automated tests. It is complementary! With the help of fuzzing, Mayhem identifies blind spots in your existing testing, without the bias or the tedium of manually written tests.

Point and Shoot

Setting up the API fuzzer is a breeze. Once you have signed up for an account on tutorial.forallsecure.com all you need to do is download the mapi CLI and start testing your API with a compatible specification such as OpenAPI or a Postman Collection.


Reach out!

We aim to provide a great experience. Please reach out to us on Discord or by emailing support@forallsecure.com if you have any suggestions or run into any issues. We're more than happy to help!