Tool report: EvoMaster-black and white box search-based fuzzing for REST, GraphQL and RPC APIs

Andrea Arcuri; Man Zhang; Susruthan Seran; Juan Pablo Galeotti; Amid Golmohammadi; Onur Duman; Agustina Aldasoro; Hernan Ghianni

doi:10.1007/s10515-024-00478-1

Tool report: EvoMaster-black and white box search-based fuzzing for REST, GraphQL and RPC APIs

Autom Softw Eng. 2025;32(1):4. doi: 10.1007/s10515-024-00478-1. Epub 2024 Nov 29.

Authors

Andrea Arcuri^{1

2}, Man Zhang³, Susruthan Seran¹, Juan Pablo Galeotti^{1

4}, Amid Golmohammadi¹, Onur Duman¹, Agustina Aldasoro⁴, Hernan Ghianni⁴

Affiliations

¹ School of Economics, Innovation, and Technology, Kristiania University College, Kirkegata 24-26, 0153 Oslo, Norway.
² Department of Computer Science, Oslo Metropolitan University, Pilestredet 35, 0166 Oslo, Norway.
³ Beihang University, Beijing, China.
⁴ University of Buenos Aires, Buenos Aires, Argentina.

Abstract

In this paper, we present the latest version 3.0.0 of EvoMaster, an open-source search-based fuzzer aimed at Web APIs. We discuss and present all its recent improvements, including advanced white-box heuristics, advanced search algorithms, support for databases and external services, as well as dealing with GraphQL and RPC APIs besides the original use case for REST APIs. The tool's installers have been downloaded more than 3000 times. EvoMaster is in daily use for fuzzing millions of lines of code in hundreds of APIs in large Fortune 500 companies, such as for example the e-commerce Meituan.

Keywords: Fuzzing; SBST; Tool; Web API.