TnT-Fuzzer is an OpenAPI (swagger) fuzzer written in python. It is like dynamite for your API!

TnT-Fuzzer is designed to make fuzzing, robustness testing and validation of REST APIs easy and maintainable. After the fuzzer runs, the log files state the exact history of requests to reenact a crash or misuse. TnT-Fuzzer can be used for penetration testing or continued testing of a service in development.

A project of teebytes.net

TnT-Fuzzer shifted support away from python 2 to python 3.7. If you need a python 2 compatible source, lookup TnT-Fuzzer Version 1.0.0 and below.

Just install tntfuzzer with pip and its ready for usage:

pip install tntfuzzer

Checkout git repository. Navigate into fresh cloned repository and install all dependencies needed. All dependencies are listed in requirements.txt and can be installed via pip:

pip install -r requirements.txt

However, at the moment of writing this guide the PyJFuzz dependency available via pypi is outdated only compatible with python 2 only. So, when problems installing the PyJFuzz dependency occur, install the newest version of it manually and then install the other dependencies:

git clone https://github.com/mseclab/PyJFuzz.git && cd PyJFuzz && python setup.py install
cd ..
pip install -r requirements.txt

Then all dependencies should be met and run tntfuzzer with:

python tntfuzzer/tntfuzzer.py

There are dependencies only needed for developing the fuzzer. These are listed in the requirements-dev.txt and can be installed via pip:

pip install -r requirements-dev.txt

For testing or development, have a look at the swagger petstore example. A local stub server can easily be generated and run locally.

Run software tests using the following command:

$ cd tntfuzzer
$ nosetests  tests/core/*.py tests/utils/*.py tests/*.py
........................
----------------------------------------------------------------------
Ran 41 tests in 0.028s

OK

To get a better hang what can be done with tntfuzzer, print the usage infos:

tntfuzzer -h

The most important parameter is the --url, with the URL to your OpenAPI specification json file.

The parameter --iterations will specifiy how often an API call will be fuzzed. If the --iterations parameter is not specified, every API call is fuzzed only once.

Per default only responses that are not documented in your Service's OpenAPI specification are logged. This way only undocumented errors are logged. If you want all fuzz responses to be logged, you have to specify that by setting the --log_all parameter.

If you want to connect to servers using self-signed certificates, use the --ignore-cert-errors.

Sometimes an OpenAPI file will contain an invalid host name, or point to the wrong server. If you use the --host option you can override this without making a local copy of the file. Same happens with --basepath that let you specify a different basepath for the API.

So following example run will fuzz every API call specified in the swagger.json with 100 permutations each. All responses received from the server are logged:

tntfuzzer --url http://example.com:8080/v2/swagger.json --iterations 100 --log_all

When run, TnT-Fuzzer logs all responses in a table on commandline: