Restcheck - An automatic REST API fuzzing tool based on property-based testing techniques

What is restcheck?

restcheck is a REST API fuzzing tool based on property-based testing techniques. It provides an interface for the automatic generation and execution of integration test suites that validate the behaviour of a REST API against an API specification.

Quickstart

  1. Get an OpenAPI 3.0 specification for the API you want to test. For example: users.json.

  2. Add restcheck as a project plugin in your rebar3 project.

{project_plugins, [
    {restcheck, {git, "https://github.com/nomasystems/restcheck.git", {branch, "main"}}}
]}.

  3. Configure it within the restcheck key of your rebar.config.

{restcheck, [
    {spec_path, string()},
    {spec_parser, module()}, % defaults to erf_oas_3_0
    {pbt_backend, module()}, % defaults to restcheck_triq
    {host, string()}, % defaults to "localhost"
    {port, inet:port_number()}, % defaults to 8080
    {ssl, boolean()}, % defaults to false
    {auth, restcheck_client:auth()}, % disabled by default
    {timeout, pos_integer()}, % defaults to 5000
    {num_requests, pos_integer()}, % defaults to 5000
    {log_file, string()} % disabled by default
]}.

  4. Run rebar3 restcheck and check your API behaviour.

$ rebar3 restcheck
===> Analyzing applications...
===> Compiling restcheck
===> Running restcheck for Users REST API
+-----+--------------------------------+--------------------------------+
| OK? |                    OperationId |                    Description |
+-----+--------------------------------+--------------------------------+
|  ✅ |                    create_user |                        Success |
|  ✅ |                       get_user |                        Success |
|  ✅ |                    delete_user |                        Success |
+-----+--------------------------------+--------------------------------+
===> All restcheck tests passed for Users REST API. (3/3)

Choosing a custom property-based testing framework

By default, restcheck provides a built-in implementation for its property-based testing features using the triq library. However, if you have specific requirements or prefer to use a custom property-based testing framework, restcheck offers flexibility in selecting your own implementation.

To choose a custom property-based testing framework, follow these steps:

  1. Implement the restcheck_backend behaviour in your custom module.

  2. Update the pbt_backend configuration key in your rebar.config file with the module name of your custom implementation.

Links

restcheck repository: GitHub - nomasystems/restcheck: 🔍 An automatic REST API fuzzing tool based on property-based testing techniques.
restcheck docs: restcheck v0.1.0 — Documentation

6 Likes
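
A filled-in version of the quickstart configuration above, as an added example that is not part of the original post or the restcheck project. The spec path, host name, port, request count and log path are constructed values; only configuration keys listed in the post are used, and spec_parser, pbt_backend and auth are left at the defaults the post states.

```erlang
%% rebar.config (added example; all concrete values below are constructed)
{project_plugins, [
    {restcheck, {git, "https://github.com/nomasystems/restcheck.git", {branch, "main"}}}
]}.

{restcheck, [
    %% OpenAPI 3.0 document describing the API under test (constructed path).
    {spec_path, "priv/oas/users.json"},

    %% The tool sends generated HTTP requests to this host, so point it at a
    %% disposable test instance (constructed host name).
    {host, "users.staging.example.test"},
    {port, 8443},
    {ssl, true},

    %% Lower than the stated defaults of 5000 to keep a CI run short.
    {timeout, 2000},
    {num_requests, 500},

    %% Logging is disabled by default; set a path to keep a record of the run.
    {log_file, "_build/restcheck/users.log"}
]}.
```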

Does this work with any REST APIs?

If I have a REST API using nova (GitHub - novaframework/nova: Web framework for Erlang), could I use this for checking the API?

Any plan to support PropEr?

Yes, as long as the REST API developed using this framework provides an OAS3 specification (or if a custom parser for its specification format is used), it should be compatible with restcheck. Under the hood, the tool sends HTTP requests to your service so it does not depend on the implementation platform.

While the tool does not provide a built-in pbt_backend for PropEr, it supports custom backend implementations. This means a PropEr backend for restcheck that implements the restcheck_backend behaviour can be used by configuring it as a parameter {pbt_backend, module()}. Note that this would be an external dependency, as PropEr's license is incompatible with restcheck's.