What is befuzzed?

What is it?

Befuzzed is a tool for black-box API testing. It sends JSON-formatted API requests and checks each response's status code against a list of allowed status codes.

Because it generates request data from JSON Schema, which is commonly used for input validation, the requests should pass schema validation and reach your own code rather than being rejected as "invalid request". This helps you find validation that cannot be expressed in the schema alone, and catch other crashes. See how to use befuzzed for more information.

You get a binary that you can download and run directly, or run in a container, however and whenever you want. See download for more information. There is no GUI; it is a terminal-based tool.

You pay once, keep the full version forever, and get all following releases for one year. See pricing for more information.

What is it not?

Because it is black-box fuzzing, there is no coverage-guided fuzzing. This is currently unlikely to change.

Each request is currently treated as standalone: a sequence of requests might together cause a crash, but only the last request in that sequence will be reported.

There is currently no shrinking of the kind property-testing frameworks do: once it finds a crashing input, it will not attempt to minimize that input to the smallest version that still causes a crash.

JSON Schema support

The full JSON Schema specification is not currently supported; work to cover more kinds of schemas is ongoing. See below for specifics.

Supported

  • object
  • array
  • string
  • allOf
  • oneOf
  • boolean
  • const
  • enum
  • $defs, and $ref to parts of the same schema
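As an added example (this is not befuzzed's own code), the following Python script shows the black-box loop described under "What is it?" and a generator for the keyword subset listed above: it generates request bodies that satisfy a schema, hands each to a handler, and records every response whose status code is not in the allow list. The schema, the handler and the bug in it are constructed for this example; the bug is a cross-field rule (from must not be after to) that no JSON Schema keyword can express, which is exactly the kind of validation gap that schema-valid fuzz input is meant to reach.

```python
import json
import random
import string

# Characters used for generated strings; a few are chosen because they tend
# to matter for web back ends (quotes, angle brackets, slashes, whitespace).
ALPHABET = string.ascii_letters + string.digits + " -_./'\"<>&"

# Constructed schema using only the keywords listed as supported: object,
# array, string, allOf, oneOf, boolean, const, enum, $defs and local $ref.
# Dates are an enum so the toy handler has a finite calendar to look up.
SCHEMA = {
    "$defs": {
        "date": {"enum": ["2024-01-01", "2024-01-02", "2024-01-03",
                          "2024-01-04", "2024-01-05"]},
        "window": {"type": "object",
                   "properties": {"from": {"$ref": "#/$defs/date"},
                                  "to": {"$ref": "#/$defs/date"}},
                   "required": ["from", "to"]},
    },
    "type": "object",
    "properties": {
        "version": {"const": "v1"},
        "name": {"type": "string"},
        "role": {"enum": ["viewer", "editor", "admin"]},
        "active": {"type": "boolean"},
        "tags": {"type": "array", "items": {"type": "string"}},
        "window": {"allOf": [
            {"$ref": "#/$defs/window"},
            {"type": "object", "properties": {
                "tz": {"oneOf": [{"const": "UTC"}, {"type": "string"}]}}},
        ]},
    },
    "required": ["version", "name", "role", "window"],
}
KNOWN_DAYS = SCHEMA["$defs"]["date"]["enum"]


def generate(schema, root, rng):
    """Return a random value satisfying `schema` (the keyword subset above).

    Simplifications of this example: only local "#/..." refs are resolved,
    allOf generates each branch and merges the resulting objects, and oneOf
    picks one branch without checking that the others reject the value.
    """
    if "$ref" in schema:
        ref = schema["$ref"]
        if not ref.startswith("#/"):
            raise ValueError("only local $ref is supported here: " + ref)
        target = root
        for part in ref[2:].split("/"):
            target = target[part]
        return generate(target, root, rng)
    if "const" in schema:
        return schema["const"]
    if "enum" in schema:
        return rng.choice(schema["enum"])
    if "oneOf" in schema:
        return generate(rng.choice(schema["oneOf"]), root, rng)
    if "allOf" in schema:
        merged = {}
        for branch in schema["allOf"]:
            part = generate(branch, root, rng)
            if not isinstance(part, dict):
                raise ValueError("allOf of non-objects is not handled here")
            merged.update(part)
        return merged
    kind = schema.get("type")
    if kind == "object":
        out = {}
        required = set(schema.get("required", []))
        for name, sub in schema.get("properties", {}).items():
            # Required properties always appear; optional ones half the time.
            if name in required or rng.random() < 0.5:
                out[name] = generate(sub, root, rng)
        return out
    if kind == "array":
        items = schema.get("items", {"type": "string"})
        return [generate(items, root, rng) for _ in range(rng.randint(0, 3))]
    if kind == "string":
        return "".join(rng.choice(ALPHABET) for _ in range(rng.randint(0, 8)))
    if kind == "boolean":
        return rng.random() < 0.5
    raise ValueError("unsupported schema in this example: " + json.dumps(schema))


def handler(body):
    """Toy stand-in for the code behind a schema-validating endpoint.

    Returns an HTTP status: 200 on success, 400 for the one rule it does
    check, 500 when an exception escapes (the crash a fuzzer would report).
    Constructed bug: nothing enforces from <= to, and the lookup assumes it.
    """
    try:
        if body["role"] == "admin" and body.get("active") is not True:
            return 400
        window = body["window"]
        days = [d for d in KNOWN_DAYS if window["from"] <= d <= window["to"]]
        first = days[0]  # IndexError when the window is inverted
        return 200
    except Exception:
        return 500


def fuzz(schema, handle, allowed, iterations=50, seed=1):
    """Generate schema-valid bodies, send each to `handle`, and collect the
    (status, body) pairs whose status is not in the allow list."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        body = generate(schema, schema, rng)
        status = handle(body)
        if status not in allowed:
            findings.append((status, body))
    return findings


if __name__ == "__main__":
    for status, body in fuzz(SCHEMA, handler, allowed={200, 400}):
        print(status, json.dumps(body))
```

Every body the script produces passes the schema, so the 500 responses it collects come from the handler's own logic, not from a rejected request; swapping `handler` for a function that POSTs the body to a real endpoint and returns the response status turns this into the same black-box loop against a live service.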

Not yet supported

Support for more types is coming; currently befuzzed lacks support for these things: