API Testing Release Notes¶

Supported Versions¶

2.23.0 (May 29, 2024)¶

New switch, --disable-auth-mutations, to enable turning off attack vectors trying to change the user-supplied authorization details to the service under test.

2.22.4 (February 29, 2024)¶

Resolved an issue where mapi would panic when an invalid HTTP(S)_PROXY environment variable was detected.
Added option to opt out of Sentry integration by setting the MAPI_DISABLE_SENTRY environment variable to 1. eg: MAPI_DISABLE_SENTRY=1 mapi status

2.20.10 (February 29, 2024)¶

Resolved an issue where mapi would panic when an invalid HTTP(S)_PROXY environment variable was detected.
Added option to opt out of Sentry integration by setting the MAPI_DISABLE_SENTRY environment variable to 1. eg: MAPI_DISABLE_SENTRY=1 mapi status

2.22.3 (February 23, 2024)¶

Security updates and upgrade to newest version of ZAP API Scan when running mapi run with the --zap toggle.

2.22.2 (February 15, 2024)¶

Fixed an issue where a small number of request attributes would fail to mutate over the course of a run.

2.22.1 (February 5, 2024)¶

mapi uploads 5 sample requests per endpoint, disabled by option --upload-sample-requests-per-endpoint=0

2.21.6 (January 29, 2024)¶

mapi will now exit with code 1 if any defects are reported with high level severity
Improved javascript stacktrace detection when parsing API responses

2.21.5 (January 22, 2024)¶

JUnit and SARIF reports will now utilize CWE severity to determine API defect severity.
Requests and responses can now be uploaded as part of mapi run to help debug behaviors seen during an API run.
Fixed a display issue with the report produced by mapi --html....
Fixed an issue when accessing the Postman API in some circumstances.

2.21.4 (January 11, 2024)¶

👋 All Emojis removed from mapi CLI terminal output. Display is not consistent across operating systems and terminal applications. Existing emojis have been replaced with basic ASCII characters.

2.21.3 (January 10, 2024)¶

mapi CLI will now abort a run early if the target it is scanning is not passing sanity checks. Sanity checks include:
Too many 401, 403, 429 or 404 responses
You can opt out of this behavior by passing the --skip-sanity-check-abort to mapi run.

2.21.2 (January 5, 2024)¶

Added support for using Global Variables from a Postman workspace with when testing an API with a Postman Collection with the new --postman-global-variables option. ie: mapi run ... --postman-global-variables <workspace-id>.

2.21.1 (January 3, 2024)¶

Error based SQL Injection and NoSQL Injection classifiers now provide pattern that was matched as part of reported Defect.
Added support for testing APIs specified with Postman 2.0.0 Collection specification (in addition to 2.1.0 support).
Fixed some issues with determining branch and PR number when running mapi CLI under GitHub actions.

2.20.9 (November 3, 2023)¶

CLI - Improved CLI error reporting when encountering undefined behavior.

2.20.8 (November 2, 2023)¶

CLI - mapi login now works correctly with --insecure-mayhem argument when connecting to a Mayhem instance with a self-signed or invalid SSL/TLS cert.

2.20.7 (October 31, 2023)¶

CLI - Fixed an issue where the mapi CLI would not auto update when installed into a folder where the caller does not have write permission.
CLI - Added support for mTLS two-way authentication with a target API when fuzzing.

2.20.6 (October 6, 2023)¶

CLI - Added a new option to mapi run, --rate-limit. API Scanning works best against APIs that are not rate limited, but this may not always be an immediate option. With the new --rate-limit option, callers can limit mapi requests to a pre-determined number of requests per minute. Please run mapi run --help for more details.

2.20.5 (September 27, 2023)¶

CLI - mapi describe specification will now report resources for specifications that include encoding in the content key of a request body such as `application/json; charset=utf-8``

2.20.4 (September 22, 2023)¶

CLI - Error-based SQL and NoSQL Injection rules are now opt-in. They will not run by default, but can still be included by invoking mapi run with the --experimental-rules flag.

2.20.3 (September 8, 2023)¶

CLI - .mapi configuration now accepts resource hints groups in order to generate combinations of resource hints for requests. See new documentation on api success.
CLI - Addressed false positives reporter by verb tampering checker when following redirects (301 or 302) where the verb of the final request, after all redirectse, would change to GET regardless of the initial request verb.

2.19.27 (August 8, 2023)¶

CLI - Update docker image to use new https://app.mayhem.security backend.

2.19.26 (July 25, 2023)¶

CLI - Fixes an issue where Zap was crashing. Updates the Zap docker image to w2023-07-24.

2.19.25 (July 20, 2023)¶

CLI - Fixes an issue where invalid query parameters were not reported to the platform - such as command injection strings that contain a &.

2.19.24 (July 14, 2023)¶

CLI - More permissive HAR parsing.

2.19.23 (July 12, 2023)¶

CLI - insecure-mayhem flag applies in more situations.

2.19.22 (July 7, 2023)¶

CLI - Introduced a flag insecure-mayhem to the mapi CLI that permits access to Mayhem APIs over https that are running on premises without valid SSL/TLS certificates in place.

2.19.21 (June 29, 2023)¶

CLI - Improved support for more Python Traceback variants

2.19.20 (June 22, 2023)¶

CLI - Dependency updates

2.19.19 (June 22, 2023)¶

CLI - Fixed an issue when running mapi convert postman which would print debug output to stdout.

2.19.18 (June 14, 2023)¶

CLI - Suppress a false error message.

2.19.17 (June 12, 2023)¶

CLI - Resolved an issue where a certain sequence of mapi login commands with an existing pre-2.19.16 configuration file could generate a malformed user config file.

2.19.16 (June 2, 2023)¶

CLI - Backend interaction fixes.

2.19.15 (May 24, 2023)¶

CLI - Resolved an issue where issues would sometimes be replayed from unrleated public targets on the first scan of an API.

2.19.14 (May 19, 2023)¶

CLI - Resolved a false positive issue with the 'Invalid Response Spec' classifier.

2.19.13 (May 10, 2023)¶

CLI - Increase error message detail.

2.19.12 (May 8, 2023)¶

CLI - Backend interaction fixes.

2.19.11 (May 5, 2023)¶

CLI - Backend interaction fixes.

2.19.9 (May 1, 2023)¶

CLI - Fixed an issue where a stackoverflow could occur when scanning an API with circular references ($ref) in the OpenAPI schema.

2.19.8 (Apr 26, 2023)¶

CLI - Fixed authentication issue when run inside Github Action.

2.19.5 (Apr 25, 2023)¶

CLI - Improved logic used to generate non-unicode strings for regex values.

2.19.4 (Apr 20, 2023)¶

CLI - Security fixes

2.19.3 (Apr 20, 2023)¶

CLI - Backend interaction fixes.

2.19.2 (Apr 6, 2023)¶

CLI - Improvements to how mapi run inserts GitHub comment.

2.19.1 (Apr 2, 2023)¶

CLI - Fixed an issue with job status display if connection is lost to the Mayhem API.

2.19.0 (Mar 30, 2023)¶

CLI - Pass HTTP method (GET/POST/...) on the Request Rewrite Plugin interface to enable users to view and manipulate the HTTP method of a generated request.

2.18.5 (Mar 22, 2023)¶

CLI - Updated documentation in mapi --help

2.18.4 (Mar 15, 2023)¶

CLI - Resolved an issue where resource ID reuse was not working for some OpenAPI specifications that included multiple possible schemas in response content specification.
This was preventing the fuzzer from accurately covering endpoints that use IDs (or other values) returned by other requests.
An example of endpoints affected by this includes those that make use of anyOf or a combination of a schema AND example in the response content specification.

2.18.3 (Mar 15, 2023)¶

CLI - Performance improvements

2.18.2 (Mar 14, 2023)¶

CLI - Ensure Linux musl builds are running the latest CLI.

2.18.1 (Mar 14, 2023)¶

CLI - Fixed an issue where Results link is not always displayed at the end of a run.

2.18.0 (Mar 7, 2023)¶

CLI - Include more rule checkers with run option --experimental-rules

2.17.3 (Mar 6, 2023)¶

CLI - New option for mapi run, --max-response-size. APIs with endpoints that return very large documents can lead to degraded performance and out of memory issues while fuzzing. This setting configures the threshold for which responses will be ignored if they exceed this maximum size. Setting this too high can result in out of memory issues, while setting it too low may lead to less test coverage against your API. The default value is 100KB. Values can be configured as 100B, 500KB.

2.17.2 (Feb 28, 2023)¶

CLI - Issues from previous runs will no longer be replayed if they were suppressed. See [Suppressing Issues] for more details on issue suppression.

2.17.1 (Feb 17, 2023)¶

CLI - Cancelling a mapi run in progress (CTRL+C) will now cancel issue replay at the end of the run as well.

2.17.0 (Feb 15, 2023)¶

CLI - Support for limiting mapi memory usage with option --max-memory-usage

2.16.5 (Feb 2, 2023)¶

CLI - Improved support for $ref JSON References when working with OpenAPI specifications. This should reduce the number of warnings displayed when a $ref is made to a resource that is not under #/components/* (such as #/paths/*.

2.16.4 (Jan 30, 2023)¶

CLI - fix issue matching content-type header value against Open API specification

2.16.3 (Jan 19, 2023)¶

CLI - fixed an issue where issues from multiple previous jobs would replay at the end of a run, rather than one previous job.

2.16.2 (Jan 16, 2023)¶

Authentication Bypass checker will no longer be triggered when Authorization header is set using a Request Rewrite plugin.

2.16.1 (Jan 3, 2023)¶

CLI - Added support to keep run results local with --local flag passed to mapi run (mapi run --local ...). Local results are limited to Organizations with an active 'Enterprise' plan.

2.15.11 (Dec 12, 2022)¶

CLI - Response values used for request generation are no longer case-sensitive. For example, a response containing a field named id will now be considered for a request field named ID.

2.15.10 (Dec 6, 2022)¶

CLI
Issue replay now replays issues from the default branch of the target.
- If a parent commit sha is available, issues found in the last job matching the sha are used.
- If no parent commit sha is available, issues found in last job for the default branch are used.
Git commit author, author email, and subject are now detected and used for better identification of jobs.

2.15.9 (Nov 23, 2022)¶

CI/CD support for job diffs based on git in a number of CI systems. Default branches have recently been added to target settings and are required to populate diffs in new jobs.

2.15.8 (Nov 14, 2022)¶

Updated default Docker tag for ZAP's API Scan to tag owasp/zap2docker-weekly:w2022-07-25 for runs using the --zap flag.

2.15.7 (Nov 10, 2022)¶

New CI/CD documentation along with native support for Circle CI with our Circle CI Orb!
We are rolling out changes to help you understand the health of your APIs over time. With new support for "Default Branch" (accessible from your Target Settings page), you will be able to see how your changes are impacting your API against your default branch when you run Mayhem API testing in continuous build and deploy pipelines (CI/CD).
We are making lots of changes to our website to improve the user experience. Our goal is to make it easier to find and understand your Mayhem API testing results.
CLI - Added support to override the timeout (default of 5 seconds) to connect and communicate with your API targets with mapi run --timeout...
CLI - Support for fuzzing endpoints with content type application/octet-stream.
CLI - We are increasing the variety of data we send to your APIs by complimenting fully random inputs with locale-specific fake data with the help of the fake-rs library. The motivation here is to make more successful requests against your APIs so that we can go deeper and find harder-to-reach bugs and security issues.

2.15.6 (Oct 27, 2022)¶

CLI - Improved support for more regular expression formats in your specification.

2.15.5 (Oct 26, 2022)¶

CLI - Support for Postman environment files. Added checksums on CLI download page.

2.15.4 (Oct 13, 2022)¶

CLI - Upgraded to the latest JSON Schema document for validating OpenAPI specifications: https://spec.openapis.org/oas/3.1/schema/2022-10-07

2.15.3 (Oct 13, 2022)¶

CLI - Parsing improvements for java stacktraces - get more issue details for APIs that include Java stacktraces in the response.

2.15.2 (Oct 7, 2022)¶

CLI - Fixed an issue where statistics stop updating when running mapi run with the --interactive flag.

2.15.1 (Oct 5, 2022)¶

CLI - Support for Postman dynamic variables in request headers, paths, query parameters and request bodies.

2.15.0 (Oct 3, 2022)¶

CLI - Improved integration for Postman Collections, Postman Environments and Postman Authorization. Mayhem now supports reading collections directly from Postman. Supply a --postman-api-key and set the target to a collection id.

2.14.2 (Sep 29, 2022)¶

CLI - Fixed some problems with issue replay and display.

2.14.0 (Sep 5, 2022)¶

The OWASP Zed Attack Proxy, or ZAP, is an open-source web app scanner, and the de-facto industry standard for automated security scanning of web applications. While ZAP takes a different approach to API security testing, we believe that it is complementary to Mayhem. We have built a super-easy way to run ZAP's API Scan tool alongside Mayhem. Just add a --zap flag to your existing mapi run invocation to get started!

See Zed Attack Proxy (ZAP) Integration for more details.

2.13.4 (Aug 8, 2022)¶

CLI - Fixed Server Crash false positives seen primarily when servers close connections quickly after the first response, but before a second request is sent. This false positive is seen often when running against FastAPI based APIs where this behavior occurs whenever an unhandled exception is triggered. Note that this can happen on with other API frameworks as well and is not limited to FastAPI.

2.13.2 (Aug 2, 2022)¶

CLI - Added SOCKS5 proxy support. See HTTP Proxy Configuration for more details.

2.13.1 (Jul 26, 2022)¶

CLI - Improvements to SARIF report
run.invocations will now be included in SARIF output
version property will now appear in the correct order in SARIF output as per the SARIF specification:

Although the order in which properties appear in a JSON object value is not semantically significant, the version property SHOULD appear first.

https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127671).

2.13.0 (Jul 26, 2022)¶

New Issue: Invalid Request Spec
If Mayhem is able to elicit a successful response from an endpoint using a payload that's invalid according to that endpoint's spec, it will now raise an issue. Much like Invalid Response Spec and Verb Tampering, these may indicate simple specification problems, but can sometimes indicate serious underlying problems.
New Issue: PII Disclosure
If Mayhem detects anything that appears to be PII in response payloads, it will raise an issue. For now, this is limited to credit card numbers.

2.12.0 (Jul 7, 2022)¶

New Issue: Verb Tampering
Mayhem will make requests to endpoints with HTTP Verbs (ie: GET, POST, PATCH...) that are invalid, or not part of the specification. If the API responds successfully, then a Verb Tampering issue will be raised. This may simply be an issue with the specification, or it could be indicative of a security-related misconfiguration on the API server.

2.11.3 (Jun 28, 2022)¶

CLI - Reduced logging noise significantly when running mapi run at info level logging (the default -- configurable with the MAPI_LOG environment variable).
Updated fuzzer so that checkers will run more frequently when running with more than 2 workers with mapi run and --concurrency argument of 2 or higher.

2.11.1 (Jun 21, 2022)¶

CLI - Fix a regression in OpenAPI 3.0 support

2.11.0 (Jun 20, 2022)¶

CLI - Enable HAR uploads up to 200 MB in size

2.10.0 (Jun 14, 2022)¶

CLI -Support for OpenAPI 3.1 specifications
CLI -auto run duration support to mapi run. mapi will automatically determine how long to fuzz a target. It is still possible to specify a duration.
CLI - Improved support for multipart/form-data endpoints

2.9.9 (Jun 6, 2022)¶

CLI -Fix service account authentication.

2.9.8 (Jun 3, 2022)¶

CLI -Performance enhancements for CLI talking to MAPI API.

2.9.7 (May 17, 2022)¶

CLI -mapi-action posts a run report to the pull request commment thread.

2.9.6 (May 16, 2022)¶

CLI -mapi issue detail will now include issue stacktrace, if one was captured during a run
CLI -Added --verbosity flag to mapi CLI for improved control of logging verbosity
CLI -Improved validation when converting specifications (ie: Postman -> OpenAPI)

2.9.5 (May 5, 2022)¶

CLI -mapi status now includes account details if you are logged in
CLI issue replay will only replay issues from the last "Completed" run by default

2.9.3 (Mar 22, 2022)¶

CLI - Release preview for resource hint support in mapi run. This option allows callers to specify values that should be used by mapi whenever it generates API requests.

2.9.2 (Mar 9, 2022)¶

CLI - Security update for CVE-2022-24713

2.9.0 (Feb 25, 2022)¶

CLI - BREAKING CHANGE - mapi login will only support logging with an API token going forward. Support for interactive login with GitHub or username/password will no longer be supported as we are reworking our authentication services.
API Tokens can be managed on the website
CLI - Handle OpenAPI/Swagger JSON specification with unsupported regex patterns. Patterns with arbitrary look-ahead and back-references are not supported at this time.

2.8.2 (Feb 9, 2022)¶

CLI - Automatically disable the InvalidResponseSpec rule when working with converted specifications.

2.8.0 (Feb 3, 2022)¶

New Issue: Timeout
When an API server doesn't respond in a reasonable amount of time, the fuzzer will give up on its request. This issue can lead to an efficient Denial-of-Service attack. An attacker can leverage problematic requests to consume server resources disproportionate to their own effort.

2.7.21 (Feb 1, 2022)¶

CLI - Fixed an issue where responses specified with a content-type containing a suffix, such as image/svg+xml, would be reported as Invalid Response Spec issue.

2.7.19 (Jan 25, 2022)¶

CLI - Fixed replay logic to respect the endpoint and rule filtering command-line arguments.
CLI - Fine-tuned some fuzzing parameters to more predictably generate payloads checking for known vulnerabilities.
CLI - Fixed issues with checking certain responses for issues they could not exhibit, wasting effort and conceivably causing false positives.
CLI - Fixed an issue when minimizing multi-request programs.

2.7.17 (Dec 22, 2021)¶

CLI - mapi run duration now accepts human-friendly strings such as mapi run <target> 30sec ...
CLI - Improve console output when running mapi issue replay

2.7.16 (Dec 17, 2021)¶

CLI - Fixed an issue where job logs may be truncated when running mapi run with --interactive flag.
CLI - Issues replayed at the end of mapi run will track issues from the same SCM branch, if one is detected.

2.7.15 (Nov 30, 2021)¶

CLI - Added new flag to mapi run, --warnaserror, that will treat Issues with Severity of 'Warning' as errors. The junit report will include warnings when --warnaserror flag is specified and mapi will exit with an exit code of 1 if any 'Warning' level Issues are discovered during a run.

2.7.13 (Nov 23, 2021)¶

CLI - Fixed an issue where the junit report produced by mapi run --junit may be missing issues

2.7.11 (Nov 5, 2021)¶

CLI - Added a number of prompts for further configuration steps users can take to deepen testing.
CLI - Fixed a case-sensitivity issue in token redaction.

2.7.10 (Nov 1, 2021)¶

CLI - Handle OpenAPI/Swagger JSON specification with regex patterns containing escaped forward slashes (for example \\w+:(\\/?\\/?)[^\\s]+")

2.7.9 (Oct 15, 2021)¶

CLI - Added mapi job delete subcommand

2.7.8 (Oct 6, 2021)¶

CLI - Fixed generated SARIF when parsed stacktraces reference "line 0"
CLI - Added ability to filter fuzzed endpoints by their OpenAPI tags

2.7.7 (Sep 30, 2021)¶

CLI - Expanded response spec validation warnings
CLI - Fixed an issue with failing to stop a run against an unreachable API

2.7.6 (Sep 21, 2021)¶

CLI - Added experimental support for response classifying plugins, which can be used to implement arbitrary logic for identifying issues

2.7.3 (Aug 11, 2021)¶

CLI - If present, OpenAPI tags will be used to organize and group issues
CLI - Fixed an issue with authentication redaction in issue details

2.7.2 (Aug 3, 2021)¶

Invalid specification issues will now be reported with "warning" severity if API responses do not conform with the API specification.
SARIF/JUnit Report - Fixed an issue where an extra '/' prefix may appear in path display

2.7.1 (Jul 27, 2021)¶

CLI - Support suppressing issues - see [Suppressing Issues] for more details.
Checkers - Added support for Error-based NoSQL Injection for MongoDB

2.7.0 (Jul 13, 2021)¶

CLI - mapi will report warnings when responses are incompatible with the specification used to fuzz your target
CLI - Fixed some issues with C# stacktrace parsing
CLI/SARIF - It is now possible to report multiple issues for the same path, method and rule id. This is most effective when fuzzing a target that is running in debug mode and will respond with a stacktrace/traceback on error.
For example, a 500 Internal Server Error triggered on GET /foo, resulting in different stacktraces will be reported as two separate issues:
- Issue 1: GET /foo?bar=1 -> Internal Server Error (NullPointerException)
- Issue 2: GET /foo?bar=0 -> Internal Server Error (DivideByZeroException)

2.6.18 (Jul 2, 2021)¶

CLI - Save fuzzing run output to an HTTP Archive (.har file) with mapi run ... --har out.har

2.6.16 (Jun 24, 2021)¶

CLI - Added beta support for fuzzing with an HTTP Archive (.har file) for the specification.
mapi run will now accept a .har file for the specification argument
It is recommended to convert a .har to an OpenAPI specification with mapi convert har... to inspect the converted specification before running a job
CLI - Added mapi convert command. This runs automatically when calling mapi run with a document which supports conversion.

The convert subcommand provides an opportunity to inspect the converted OpenAPI 3.0 document prior to fuzzing an API. - Convert HTTP Archive .har file to an OpenAPI spec with mapi convert har <recording.har> - Convert Swagger 2.0 json or yaml file to an OpenAPI spec with mapi convert swagger2 <spec.json|yaml> - Convert Postman 2.x collection json or yaml file to an OpenAPI spec with mapi convert postman <collection.json|yaml> - Run mapi convert --help for more details

2.6.14 (Jun 18, 2021)¶

CLI - Issues from the most recent previous job will now be replayed at the end of a run. The intent of this change is to reduce issues fluctuating between jobs.
To opt-out of this behavior, pass the --no-replay flag to mapi run.

2.6.13 (Jun 14, 2021)¶

The CLI now handles specifications with missing path parameters. If a path parameter is not in the specification, Mayhem will now infer it automatically and fuzz it. Previously, the CLI would exit early with an error.

2.6.12 (Jun 14, 2021)¶

CLI - Resolve an issue where the CLI may panic when generating some invalid URLs during a fuzzing run
Fixed an issue where calling mapi run with a path to the specification on Windows (C:\path\to\spec.yaml) would fail to read specification

2.6.11 (Jun 10, 2021)¶

CLI - Resolved an issue that could cause duplicate reported issues in certain corner conditions
Issue replay now supports providing a modified OpenAPI/Swagger/Postman specification
MAPI_LOG environment variable will now correctly output trace and debug level logs

2.6.10 (Jun 3, 2021)¶

CLI -Support for issue replay. Replay issues using mapi issue replay <job_id>
Try mapi issue replay --help to see more details
Note that some issues depend on the state of your API and may not always reproduce

2.6.9 (Jun 1, 2021)¶

CLI -Show incomplete request counts in interactive job display
CLI -Add markdown display support to SARIF output
Header parameters listed in API specifications will now be fuzzed

2.6.7 (May 27, 2021)¶

New Issue: Server Crash
Server crashes are now detected and reported in Job Issues.
A server that can be forced to crash may be vulnerable to denial-of-service attacks.
CLI -mapi issue list print a list of issues for a job

2.6.5 (May 11, 2021)¶

Fix parsing of stacktraces generated on windows host.

2.6.4 (May 10, 2021)¶

Authentication data is now redacted from buggy requests before being uploaded to our API. Note that in some cases, slightly mutated auth tokens might still be updated to our API (since they might be necessary to demonstrate authentication bypasses)
Add support for C# stacktraces with async code and nested exceptions

2.6.3 (May 5, 2021)¶

Legacy github token (which are not prefixed by ghp_) are now accepted.

2.6.0 (Apr 29, 2021)¶

Enable new security checkers by default: Command injection, Blind command injection, Path traversals, SSRF (assumes CLI can be reached through localhost from the API)
Improve authentication bypass checker by differentiating between -H (for regular headers) and --header-auth (for authentication header).
Redirect loops will not terminate a run anymore
Improvements in the fuzzing engine to increase coverage

2.5.16¶

CLI: Ignore errors with the --ignore-rule option to mapi run. Callers may ignore specific errors such as InternalServerError or AuthenticationBypass when including this flag.

2.5.13¶

CLI: Upload code scanning results to GitHub from anywhere by passing --github-token with a token to mapi run.
CLI: Upload code scanning results to your on-premise GitHub instance by passing --github-api-url to mapi run.
CLI: Auto-detect build information from the environment in Drone CI
CLI: Golang stacktrace parsing, in addition to the existing parsing for Ruby, JS, Python and Java.

2.5.10¶

CLI: Add SARIF support. mapi run now accepts a --sarif <output-file> option which outputs a SARIF file that you can upload to supported systems, like GitHub if you have enterprise plan.

2.5.7¶

The CLI now has beta support for postman 2.x collections 🚀! You can pass your collection to mapi run instead of an OpenAPI specifications.

2.5.6¶

CLI: mapi run can now automatically create a new API Target if the --url option is supplied.

2.5.5¶

Security: Added support for detecting authentication configuration issues. The fuzzer will now periodically remove or mangle any authentication parameters used for a job. Any endpoints that are specified as with security configuration will be marked as buggy if they can be accessed successfully with missing or altered authentication parameters.

2.5.4¶

Security: Added support for detecting SQL Injection errors. See the new documentation on configuring your API for tips on improving detection of SQL Injection problems.
CLI: Change the logging level of the mapi CLI with the MAPI_LOG environment variable. Supported values include trace,debug,info,warn,error. The default is set to info.

2.4.1¶

Renamed cohorts to organizations

2.3.28¶

Added experimental path traversal detection, enabled by setting the MAPI_FEATURE_PATH_TRAVERSAL environment variable.

2.3.19¶

Added support to CLI for rending email verification with mapi signup resend-verify <email-address>

2.3.18¶

Creating a new account when joining a Cohort now requires email verification
Added support to CLI for completing email verification with mapi signup verify

2.3.16¶

Improve parsing of URLs given through --url
Fix memory leak in type generation during fuzzing

2.3.15¶

Renamed the product to 'Mayhem for API' and the CLI to 'mapi'. Please re-download the CLI.

2.3.8¶

Parallel fuzzing is now available using -j when invoking mapi run (defaults to 1). This will allow you to potentially find concurrency issues, and load test your APIs.

2.3.7¶

bug fix: better support for reference loops in specifications

2.3.5¶

mapi run will now generate a human-friendly html report when --html is given.

2.3.4¶

CLI prints warnings on unexpected properties in the specification instead of aborting.

2.3.3¶

API Targets will now include their owner when presented in the CLI or when referenced to start a new run.

You may continue to refer to any existing API Targets without the owner; however, shared API Targets will require the owner to be specified.

2.3.2¶

Windows support: Our CLI can now run natively on 64-bit windows.

2.3.0¶

Users can specify cookies for the fuzzer to authenticate to the target API.

2.2.4¶

EULA agreement

2.2.3¶

GitHub Cloud Integration support is now available. Please reach out to us at support@forallsecure.com so that you can get connected with GitHub. Once you have been approved, you can connect with the CLI with the command:

mapi github connect

Our GitHub app is also live. During Limited Availability it will not be accessible via the marketplace, but can be installed into your Personal or Organization account by following this link:

https://github.com/apps/mayhem-for-api

2.2.2¶

Preparation for GitHub support. The CLI will attempt to gather CI details from GitHub Actions, Jenkins, or simply invocations of git to synchronize Job Status with GitHub checks. If details cannot be inferred from the environment, then they may be provided manually with new optional arguments passed to mapi run.
GitHub integration support will be fully supported once the Mayhem for API app is available in the GitHub marketplace.

2.2.1¶

CLI will auto-update across patch and minor versions

2.2.0¶

CLI supports API pagination for job and target API resources

2.1.10¶

Fix unresponsive arrow keys in interactive job status

2.1.9¶

JUnit output contains percentile response times per endpoint.
Fuzzer better uses examples in the API specification, which allows users to give a hint to the fuzzer when it cannot generate 200 responses on its own.
Fuzzer warns if the API closes a connection early before sending a full response. This will eventually be classified as a bug.

2.1.8¶

For accounts registered via GitHub, a New Token may now be requested when using mapi github connect --new-token.

2.1.7¶

Added interactive mode to mapi run with the new --interactive flag. This will now open the interactive UI that was previously only accessible with the mapi job status sub-command.
Job status UI now detects when a tty is not present. In instances where a tty is not present, the job log and coverage table will be printed to standard output.
All covered endpoints and statistics will now print to the console at the end of a run

2.1.6¶

Bug fixes for GitHub connect

2.1.5¶

Fuzzer will not consider HTTP response code 501 as an error
CLI will exit with return code 2 on fuzzer error
CLI will now automatically detect Swagger 2.0 specifications and attempt to convert them to OpenAPI 3.0 automatically with the help of the openapi-webconverter

2.1.4¶

CLI can now override API Target authentication parameters when calling mapi run

2.1.3¶

CLI support for handling upcoming pagination changes to job and target API resources

Breaking Changes¶

As Mayhem for API is continuously evolving, we make an effort to avoid breaking changes. Not breaking your workflow and CI builds is of utmost important to us. We want it to just work, always.

There are times due to security constraints or technical limitations that require us to make a breaking change. We aim to make this as painless as possible, usually requiring no more than downloading a newer CLI. If breaking changes are required, we will try to make it as painless as possible:

We will give you a heads up if we notice you are using a version that will become incompatible.
We aim to provide command-line arguments backwards compatibility, so that you can always use the latest release without having to change your invocation.
We give you tips on how to integrate the fuzzer into your builds so that you automatically use new releases.
When necessary, we will slowly deprecate features or workflows, giving you enough time to upgrade.

Unsupported versions¶

2.1.2¶

CLI includes request and response in junit failures

2.1.1¶

CLI support for blacklisting endpoints when calling mapi run

2.1.0¶

CLI improved logging, feedback and error handling
Fixed cascade delete for API Targets