Fuzz testing for APIs with malformed inputs, edge cases, and security vulnerability detection

MIT License

Free Pricing

Installation

Open Claude Code and run this command:

/plugin install api-fuzzer@claude-code-plugins-plus

Use --global to install for all projects, or --project for current project only.

What It Does

Fuzz testing for APIs with malformed inputs, edge cases, and security vulnerability detection.

Features

Malformed input generation
SQL injection testing
XSS detection
Boundary value testing
Random payload generation

Skills (1)

fuzzing-apis SKILL.md View full skill →

Configure perform API fuzzing to discover edge cases, crashes, and security vulnerabilities.

ReadWriteEditGrepGlobBash(test:fuzz-*)

API Fuzzer

Overview

Perform API fuzzing to discover crashes, unhandled exceptions, security vulnerabilities, and edge case failures by sending malformed, unexpected, and boundary-value inputs to API endpoints. Supports RESTler (stateful REST API fuzzing), Schemathesis (OpenAPI-driven property-based testing), custom fuzz harnesses with fast-check, and OWASP ZAP active scanning.

Prerequisites

API specification available (OpenAPI/Swagger, GraphQL SDL, or Protobuf definitions)
Target API running in a test environment (never fuzz production)
Fuzzing tool installed (Schemathesis, RESTler, or custom harness with fast-check/Hypothesis)
API authentication credentials for protected endpoints
Error logging enabled on the target server to capture crashes and stack traces

Instructions

Parse the API specification to identify all endpoints, methods, and input schemas:

Read OpenAPI spec files using Glob (/openapi.yaml, /swagger.json).
Catalog each endpoint's parameters (path, query, header, body) and their types.
Note validation constraints (min/max, pattern, enum, required fields).

Configure the fuzzing strategy:

Schema-based: Generate inputs that violate schema constraints (wrong types, missing fields, extra fields).
Mutation-based: Start with valid requests and mutate individual fields (bit flips, boundary values, special characters).
Dictionary-based: Use known problematic inputs (SQL injection, XSS payloads, format strings, null bytes).

Define fuzz input categories for each parameter type:

Strings: Empty, very long (10K+ chars), unicode, null bytes, format strings (%s%n), path traversal (../../etc/passwd).
Numbers: 0, -1, MAXINT, MININT, NaN, Infinity, floats where ints expected.
Arrays: Empty, single element, thousands of elements, nested arrays, mixed types.
Objects: Empty, missing required fields, extra unknown fields, deeply nested (100+ levels).
Dates: Invalid formats, epoch zero, far future, negative timestamps.

Execute the fuzzing campaign:

Run Schemathesis: schemathesis run http://localhost:3000/openapi.json --stateful=links.
Or run RESTler: restler-fuzzer fuzz --grammar_file grammar.py.
Or write custom fuzz tests with fast-check/Hypothesis for targeted endpoints.
Set a time budget (30-60 minutes for initial run).

Analyze findings:

5xx responses: Unhandled server errors -- file as bugs.
Crashes/hangs<

How It Works

/fuzz-api

Ready to use api-fuzzer?

Related Plugins

accessibility-test-scanner

A11y compliance testing with WCAG 2.1/2.2 validation, screen reader compatibility, and automated accessibility audits

api-test-automation

Automated API endpoint testing with request generation, validation, and comprehensive test coverage

browser-compatibility-tester

Cross-browser testing with BrowserStack, Selenium Grid, and Playwright - test across Chrome, Firefox, Safari, Edge

chaos-engineering-toolkit

Chaos testing for resilience with failure injection, latency simulation, and system resilience validation

contract-test-validator

API contract testing with Pact, OpenAPI validation, and consumer-driven contract verification

database-test-manager

Database testing utilities with test data setup, transaction rollback, and schema validation

Tags
testingfuzzingapisecurityedge-casesinput-validation