API Fuzzing Testing

The TEST tab in the Risk Findings shows findings from fuzzing tests applied to APIs.

API fuzzing tests are used to evaluate APIs for security issues. They take a few minutes to run (depending on the type of test), after which results are shown in this tab, as well as in the Security Posture tab.
You can run fuzzing tests on Internal APIs.

Enable fuzzing testing on a cluster

To run API fuzzing tests on the APIs for a cluster, you must enable it in the cluster settings.

  1. Navigate to the DEPLOYMENTS page.
  2. For a new cluster, click Connect Cluster and follow the steps described here. In the Cluster Properties step, set API Testing to Yes.
  3. Alternatively, for an existing cluster, click Edit cluster for the cluster. In the Cluster Properties section, set API Testing to Yes, and then click FINISH.
  4. Download the new or modified cluster installation files, as described here.

Run Fuzzing Tests

Start fuzzing tests in the TESTS tab.

  1. Select the API from the list in the INTERNAL APIS tab.
  2. Select RISK FINDINGS, and then select the TEST tab.
  3. Click Start new fuzz test.
  4. Select the type of test to run (see below).
  5. Select the authentication type to be used to access the API, and the required credentials, according to the type.
  6. Click FINISH. The test will run on the cluster.

Fuzzing test types

You can select one of these types of fuzzing tests:

  • quick - these tests take about 5 minutes
  • default - these tests take about 15 minutes
  • deep - these tests take about 30 minutes

View Fuzzing test findings

When the test is complete, the results are shown in the TEST tab.

They are also shown in the Security Posture tab, along with findings from other sources. The source is marked as 'api_fuzzer'. These findings can also be downloaded as JSON files.