Over the last several weeks, we’ve made a number of updates to both our flagship Mayhem for Code product and Mayhem for API.
Recent improvements to Mayhem for Code (version 2.1) include:
- Automated Behavior Testing service
- Slow Tests Reporting
- Dismay / Client side fuzzing updates
Recent improvements to Mayhem for API (version 2.15.7) include:
- Default branch
- Postman Collection
- ZAP integration
Let’s take a look at each:
Automated Behavior Testing Service (Mayhem for Code)
In Mayhem for Code 2.1, all cores are now kept busy without any user interaction: Mayhem automatically starts longer runs, which increases the likelihood that it finds defects. Results from our Mayhem Heroes program show that ~41% (4,058/9,769) of defects were found during an autorun session and ~71% (1,486,536/2,072,146) of test cases were generated during an autorun session.
Need to run a fuzzing session right now? Not a problem. Mayhem will pause the autorun and allow a manual session; when that session ends, the autorun starts back up. This way, you are constantly fuzzing your code.
Slow Tests Reporting (Mayhem for Code)
We’ve found that on some targets certain test cases either run very slowly or time out, so you need to be able to observe your target’s performance relative to the input it is given. Often the target itself is behaving poorly rather than Mayhem being slow. Mayhem therefore reports time measurements for every test case it generates, so you can see which test cases timed out and how long each one took to run.
This opens Mayhem to reporting new categories of software defects, such as algorithmic complexity attacks. With this update, you can also track the performance and quality of your software across revisions to see how your fixes are improving overall performance.
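The idea behind slow-test reporting, as an added example that is not Mayhem’s own code: time every test case against the target, flag the ones that exceed a time budget, and compare two revisions to catch performance regressions. The target `parse_fields` (a record parser whose duplicate check is quadratic in the number of fields) and the corpus in `demo()` are constructed for the demonstration.

```python
"""Per-test-case timing report for a fuzz corpus (added example, not Mayhem code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class CaseTiming:
    name: str        # test-case identifier (file name, hash, ...)
    seconds: float   # wall-clock time the target spent on this input
    timed_out: bool  # True when the run exceeded the time budget


def time_corpus(target: Callable[[bytes], object], corpus: Dict[str, bytes],
                budget_s: float) -> List[CaseTiming]:
    """Run every test case through `target` and record how long each took.

    Crashes are ignored on purpose: they belong to crash triage, this report
    is only about time. The result is sorted slowest first.
    """
    timings = []
    for name, data in corpus.items():
        start = time.perf_counter()
        try:
            target(data)
        except Exception:
            pass
        elapsed = time.perf_counter() - start
        timings.append(CaseTiming(name, elapsed, elapsed > budget_s))
    return sorted(timings, key=lambda t: t.seconds, reverse=True)


def timeouts(timings: List[CaseTiming]) -> List[str]:
    """Names of the test cases that exceeded the budget."""
    return [t.name for t in timings if t.timed_out]


def regressions(previous: List[CaseTiming], current: List[CaseTiming],
                factor: float = 2.0, floor_s: float = 0.001) -> List[str]:
    """Test cases that became at least `factor` times slower between two
    revisions. `floor_s` ignores sub-millisecond noise on tiny inputs."""
    before = {t.name: t.seconds for t in previous}
    return [t.name for t in current
            if t.name in before and t.seconds >= floor_s
            and t.seconds >= factor * before[t.name]]


# Constructed demo target: rejects duplicate field names with a list
# membership test, so parsing is O(n^2) in the number of fields.
def parse_fields(data: bytes) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    seen: List[str] = []
    for item in data.split(b";"):
        key, _, value = item.partition(b"=")
        k = key.decode("latin-1")
        if k in seen:                  # O(n) scan on every field
            raise ValueError(f"duplicate field {k!r}")
        seen.append(k)
        fields[k] = value.decode("latin-1")
    return fields


def demo(budget_s: float = 0.05) -> List[CaseTiming]:
    """Constructed corpus: one small record and one with many distinct fields."""
    corpus = {
        "small.bin": b"user=alice;role=admin",
        "many-fields.bin": b";".join(b"f%d=1" % i for i in range(6000)),
    }
    return time_corpus(parse_fields, corpus, budget_s)


if __name__ == "__main__":
    for t in demo():
        flag = "TIMEOUT" if t.timed_out else "ok"
        print(f"{t.name:16} {t.seconds:8.4f}s  {flag}")
```

Running the module prints the slowest-first table; `many-fields.bin` is the kind of input a fuzzer stumbles on that is not a crash but is still a defect, because the run time grows quadratically with input size. `regressions()` is the per-revision comparison: feed it the timing lists from two builds and it names the cases that got markedly slower.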
Client Side Fuzzing Updates (Mayhem for Code)
Customers have told us that they need to be able to run Mayhem locally so that they can:
- "Get feedback more quickly in case my runs fail"
- Not have to wait for anything to upload or for workers on the deployment to become available in order to test their application
Our recent client-side fuzzing updates let you run local smoke tests to determine whether deployed software is stable, solving both problems. This update also adds AFL++ support, triaging of uninstrumented targets, and dynamic rescheduling.
Default Branch (Mayhem for API)
To help you understand the health of your APIs over time, we’ve added a "Default Branch" setting (accessible from your Target Settings page). Here you can see how your changes affect your API relative to its default branch when you run Mayhem for API in continuous integration and deployment (CI/CD) pipelines.
Postman Collection (Mayhem for API)
Mayhem now complements Postman tests with security tests for all of the edge cases your tests do not cover.
If the API you are testing requires authentication, you probably already have that configured in your Postman collection. Mayhem can now use your collection’s authentication settings. We support API Key, Bearer Token, Basic Auth, and OAuth 2.0. Note that for OAuth 2.0, the access token must be synced for Mayhem to pick it up.
You can learn more about how Mayhem for API handles Postman here.
ZAP Integration (Mayhem for API)
OWASP ZAP is an open-source web application security scanner used by both newcomers to application security and professional penetration testers. It can detect the OWASP API Top 10. By integrating ZAP, Mayhem for API automates REST API testing and brings the full might of fuzzing methodology to bear alongside it.
ZAP’s API scan is a script packaged with the ZAP Docker images and tuned for performing active scans against APIs. Because it is tuned to APIs, it doesn’t bother looking for things like XSS. ZAP by itself is very noisy, returning multiple reports of the same defect. Mayhem bucketizes these ZAP results and prioritizes the most important ones for you, alongside the defects that Mayhem for API itself has found.
You can try your own comparison of the results from ZAP and Mayhem for API here.
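The bucketizing described above, as an added example in Python that is not Mayhem for API’s own code. It consumes the layout of ZAP’s JSON report (`site[].alerts[].instances[]`); the report embedded below is constructed sample data (plugin ids, alert names and URIs are sample values), and keying a bucket on (plugin id, parameter) with query strings stripped from URIs is a design choice assumed here, not ZAP’s or Mayhem’s.

```python
"""Collapse noisy ZAP alert instances into one bucket per defect (added example)."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


@dataclass
class Bucket:
    plugin_id: str
    name: str
    risk: int          # ZAP riskcode: 0 info .. 3 high
    confidence: int    # ZAP confidence: 0 false positive .. 3 high
    param: str         # parameter the alert was raised on ("" for header checks)
    endpoints: List[str] = field(default_factory=list)
    instances: int = 0


def endpoint(instance: dict) -> str:
    """METHOD + path; the query string is dropped so that /users?id=1 and
    /users?id=2 are the same endpoint."""
    path = urlsplit(instance.get("uri", "")).path or "/"
    return f"{instance.get('method', 'GET')} {path}"


def bucketize(report: dict) -> List[Bucket]:
    """One bucket per (plugin id, parameter), ordered highest risk first."""
    buckets: Dict[Tuple[str, str], Bucket] = {}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                key = (alert["pluginid"], inst.get("param", ""))
                b = buckets.get(key)
                if b is None:
                    b = Bucket(alert["pluginid"], alert["alert"],
                               int(alert.get("riskcode", 0)),
                               int(alert.get("confidence", 0)), key[1])
                    buckets[key] = b
                ep = endpoint(inst)
                if ep not in b.endpoints:
                    b.endpoints.append(ep)
                b.instances += 1
    return sorted(buckets.values(),
                  key=lambda x: (x.risk, x.confidence, x.instances),
                  reverse=True)


def bucketize_json(text: str) -> List[Bucket]:
    """Same as bucketize(), starting from the report's JSON text."""
    return bucketize(json.loads(text))


def summary(buckets: List[Bucket]) -> List[str]:
    """One line per bucket, the way a prioritized defect list would show it."""
    return [f"[{RISK_NAMES[b.risk]}] {b.name} (plugin {b.plugin_id}, "
            f"param {b.param or '-'}): {b.instances} instances on "
            f"{len(b.endpoints)} endpoint(s)" for b in buckets]


# Constructed sample in the shape of a ZAP JSON report: 7 raw instances.
SAMPLE_ZAP_REPORT = {
    "site": [{
        "@name": "http://api.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [
                 {"uri": "http://api.example.test/users", "method": "GET", "param": ""},
                 {"uri": "http://api.example.test/users/1", "method": "GET", "param": ""},
                 {"uri": "http://api.example.test/orders", "method": "GET", "param": ""}]},
            {"pluginid": "40018", "alert": "SQL Injection",
             "riskcode": "3", "confidence": "2",
             "instances": [
                 {"uri": "http://api.example.test/users?id=1", "method": "GET", "param": "id"},
                 {"uri": "http://api.example.test/users?id=2", "method": "GET", "param": "id"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [
                 {"uri": "http://api.example.test/users", "method": "GET", "param": ""},
                 {"uri": "http://api.example.test/orders", "method": "GET", "param": ""}]},
        ]}]}


if __name__ == "__main__":
    for line in summary(bucketize(SAMPLE_ZAP_REPORT)):
        print(line)
```

On the sample, seven raw instances collapse into three buckets, with the High-risk one listed first; the endpoint list inside each bucket keeps the places where the defect was seen, so deduplication does not lose the reproduction points.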