Tool report: EvoMaster—black and white box search-based fuzzing for REST, GraphQL and RPC APIs

Andrea Arcuri; Man Zhang; Susruthan Seran; Juan Pablo Galeotti; Amid Golmohammadi; Onur Duman; Agustina Aldasoro; Hernan Ghianni

doi:10.1007/s10515-024-00478-1

Tool report: EvoMaster—black and white box search-based fuzzing for REST, GraphQL and RPC APIs

Andrea Arcuri^*
, Man Zhang
, Susruthan Seran
, Juan Pablo Galeotti
, Amid Golmohammadi
, Onur Duman
, Agustina Aldasoro
, Hernan Ghianni

^*Corresponding author for this work

School of Computer Science and Engineering

Research output: Contribution to journal › Article › peer-review

9 Scopus citations

Abstract

In this paper, we present the latest version 3.0.0 of EvoMaster, an open-source search-based fuzzer aimed at Web APIs. We discuss and present all its recent improvements, including advanced white-box heuristics, advanced search algorithms, support for databases and external services, as well as dealing with GraphQL and RPC APIs besides the original use case for REST APIs. The tool’s installers have been downloaded more than 3000 times. EvoMaster is in daily use for fuzzing millions of lines of code in hundreds of APIs in large Fortune 500 companies, such as for example the e-commerce Meituan.

Original language	English
Article number	4
Journal	Automated Software Engineering
Volume	32
Issue number	1
DOIs	https://doi.org/10.1007/s10515-024-00478-1
State	Published - Jun 2025

Keywords

Fuzzing
SBST
Tool
Web API

Access to Document

10.1007/s10515-024-00478-1

Cite this

@article{039354ad106f4b119d8fd45909250eb9,

title = "Tool report: EvoMaster—black and white box search-based fuzzing for REST, GraphQL and RPC APIs",

abstract = "In this paper, we present the latest version 3.0.0 of EvoMaster, an open-source search-based fuzzer aimed at Web APIs. We discuss and present all its recent improvements, including advanced white-box heuristics, advanced search algorithms, support for databases and external services, as well as dealing with GraphQL and RPC APIs besides the original use case for REST APIs. The tool{\textquoteright}s installers have been downloaded more than 3000 times. EvoMaster is in daily use for fuzzing millions of lines of code in hundreds of APIs in large Fortune 500 companies, such as for example the e-commerce Meituan.",

keywords = "Fuzzing, SBST, Tool, Web API",

author = "Andrea Arcuri and Man Zhang and Susruthan Seran and Galeotti, \{Juan Pablo\} and Amid Golmohammadi and Onur Duman and Agustina Aldasoro and Hernan Ghianni",

note = "Publisher Copyright: {\textcopyright} The Author(s) 2024.",

year = "2025",

month = jun,

doi = "10.1007/s10515-024-00478-1",

language = "英语",

volume = "32",

journal = "Automated Software Engineering",

issn = "0928-8910",

publisher = "Springer Netherlands",

number = "1",

}

TY - JOUR

T1 - Tool report

T2 - EvoMaster—black and white box search-based fuzzing for REST, GraphQL and RPC APIs

AU - Arcuri, Andrea

AU - Zhang, Man

AU - Seran, Susruthan

AU - Galeotti, Juan Pablo

AU - Golmohammadi, Amid

AU - Duman, Onur

AU - Aldasoro, Agustina

AU - Ghianni, Hernan

PY - 2025/6

Y1 - 2025/6

N2 - In this paper, we present the latest version 3.0.0 of EvoMaster, an open-source search-based fuzzer aimed at Web APIs. We discuss and present all its recent improvements, including advanced white-box heuristics, advanced search algorithms, support for databases and external services, as well as dealing with GraphQL and RPC APIs besides the original use case for REST APIs. The tool’s installers have been downloaded more than 3000 times. EvoMaster is in daily use for fuzzing millions of lines of code in hundreds of APIs in large Fortune 500 companies, such as for example the e-commerce Meituan.

AB - In this paper, we present the latest version 3.0.0 of EvoMaster, an open-source search-based fuzzer aimed at Web APIs. We discuss and present all its recent improvements, including advanced white-box heuristics, advanced search algorithms, support for databases and external services, as well as dealing with GraphQL and RPC APIs besides the original use case for REST APIs. The tool’s installers have been downloaded more than 3000 times. EvoMaster is in daily use for fuzzing millions of lines of code in hundreds of APIs in large Fortune 500 companies, such as for example the e-commerce Meituan.

KW - Fuzzing

KW - SBST

KW - Tool

KW - Web API

UR - https://www.scopus.com/pages/publications/85211082236

U2 - 10.1007/s10515-024-00478-1

DO - 10.1007/s10515-024-00478-1

M3 - 文章

AN - SCOPUS:85211082236

SN - 0928-8910

VL - 32

JO - Automated Software Engineering

JF - Automated Software Engineering

IS - 1

M1 - 4

ER -

Tool report: EvoMaster—black and white box search-based fuzzing for REST, GraphQL and RPC APIs

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this