{"id":"https://openalex.org/W7116079470","doi":"https://doi.org/10.48550/arxiv.2512.15554","title":"WuppieFuzz: Coverage-Guided, Stateful REST API Fuzzing","display_name":"WuppieFuzz: Coverage-Guided, Stateful REST API Fuzzing","publication_year":2025,"publication_date":"2025-12-17","ids":{"openalex":"https://openalex.org/W7116079470","doi":"https://doi.org/10.48550/arxiv.2512.15554"},"language":"en","primary_location":{"id":"pmh:oai:oai-pmh.tno.nl:81140","is_oa":false,"landing_page_url":"https://resolver.tno.nl/uuid:00000000-0000-0000-0000-0000a1023730","pdf_url":null,"source":{"id":"https://openalex.org/S7407055233","display_name":"TNO Repository","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"info:eu-repo/semantics/conferencePaper"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2512.15554","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Rooijakkers, Thomas","orcid":null},"institutions":[{"id":"https://openalex.org/I148297040","display_name":"Netherlands Organisation for Applied Scientific Research","ror":"https://ror.org/01bnjb948","country_code":"NL","type":"funder","lineage":["https://openalex.org/I148297040"]}],"countries":["NL"],"is_corresponding":true,"raw_author_name":"Rooijakkers, Thomas","raw_affiliation_strings":["The Netherlands Organisation for Applied Scientific Research"],"affiliations":[{"raw_affiliation_string":"The Netherlands Organisation for Applied Scientific Research","institution_ids":["https://openalex.org/I148297040"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Nijsten, Anne","orcid":null},"institutions":[{"id":"https://openalex.org/I148297040","display_name":"Netherlands Organisation for Applied Scientific Research","ror":"https://ror.org/01bnjb948","country_code":"NL","type":"funder","lineage":["https://openalex.org/I148297040"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Nijsten, Anne","raw_affiliation_strings":["The Netherlands Organisation for Applied Scientific Research"],"affiliations":[{"raw_affiliation_string":"The Netherlands Organisation for Applied Scientific Research","institution_ids":["https://openalex.org/I148297040"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Daniele, Cristian","orcid":null},"institutions":[{"id":"https://openalex.org/I145872427","display_name":"Radboud University Nijmegen","ror":"https://ror.org/016xsfp80","country_code":"NL","type":"education","lineage":["https://openalex.org/I145872427"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Daniele, Cristian","raw_affiliation_strings":["Radboud University, Nijmegen, The Netherlands"],"affiliations":[{"raw_affiliation_string":"Radboud University, Nijmegen, The Netherlands","institution_ids":["https://openalex.org/I145872427"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Weitenberg, Erieke","orcid":null},"institutions":[{"id":"https://openalex.org/I148297040","display_name":"Netherlands Organisation for Applied Scientific Research","ror":"https://ror.org/01bnjb948","country_code":"NL","type":"funder","lineage":["https://openalex.org/I148297040"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Weitenberg, Erieke","raw_affiliation_strings":["The Netherlands Organisation for Applied Scientific Research"],"affiliations":[{"raw_affiliation_string":"The Netherlands Organisation for Applied Scientific Research","institution_ids":["https://openalex.org/I148297040"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Groenewegen, Ringo","orcid":null},"institutions":[{"id":"https://openalex.org/I148297040","display_name":"Netherlands Organisation for Applied Scientific Research","ror":"https://ror.org/01bnjb948","country_code":"NL","type":"funder","lineage":["https://openalex.org/I148297040"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Groenewegen, Ringo","raw_affiliation_strings":["The Netherlands Organisation for Applied Scientific Research"],"affiliations":[{"raw_affiliation_string":"The Netherlands Organisation for Applied Scientific Research","institution_ids":["https://openalex.org/I148297040"]}]},{"author_position":"last","author":{"id":null,"display_name":"Melissen, Arthur","orcid":null},"institutions":[{"id":"https://openalex.org/I148297040","display_name":"Netherlands Organisation for Applied Scientific Research","ror":"https://ror.org/01bnjb948","country_code":"NL","type":"funder","lineage":["https://openalex.org/I148297040"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Melissen, Arthur","raw_affiliation_strings":["The Netherlands Organisation for Applied Scientific Research"],"affiliations":[{"raw_affiliation_string":"The Netherlands Organisation for Applied Scientific Research","institution_ids":["https://openalex.org/I148297040"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I148297040"],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9302999973297119,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9302999973297119,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.04149999842047691,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.004600000102072954,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.920799970626831},{"id":"https://openalex.org/keywords/stateful-firewall","display_name":"Stateful firewall","score":0.7860999703407288},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5479999780654907},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.5260000228881836},{"id":"https://openalex.org/keywords/rest","display_name":"Rest (music)","score":0.5152000188827515},{"id":"https://openalex.org/keywords/web-service","display_name":"Web service","score":0.41940000653266907},{"id":"https://openalex.org/keywords/backward-compatibility","display_name":"Backward compatibility","score":0.3905999958515167},{"id":"https://openalex.org/keywords/software-bug","display_name":"Software bug","score":0.3808000087738037},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.3635999858379364}],"concepts":[{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.920799970626831},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7907000184059143},{"id":"https://openalex.org/C22927095","wikidata":"https://www.wikidata.org/wiki/Q1784206","display_name":"Stateful firewall","level":3,"score":0.7860999703407288},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5479999780654907},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.5260000228881836},{"id":"https://openalex.org/C77265313","wikidata":"https://www.wikidata.org/wiki/Q879844","display_name":"Rest (music)","level":2,"score":0.5152000188827515},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.41940000653266907},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.41530001163482666},{"id":"https://openalex.org/C20574231","wikidata":"https://www.wikidata.org/wiki/Q844605","display_name":"Backward compatibility","level":2,"score":0.3905999958515167},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.38589999079704285},{"id":"https://openalex.org/C1009929","wikidata":"https://www.wikidata.org/wiki/Q179550","display_name":"Software bug","level":3,"score":0.3808000087738037},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.3635999858379364},{"id":"https://openalex.org/C2780416260","wikidata":"https://www.wikidata.org/wiki/Q2063","display_name":"JSON","level":2,"score":0.3427000045776367},{"id":"https://openalex.org/C172086080","wikidata":"https://www.wikidata.org/wiki/Q62270","display_name":"Remote procedure call","level":2,"score":0.3384000062942505},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.3287999927997589},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.3264000117778778},{"id":"https://openalex.org/C99613125","wikidata":"https://www.wikidata.org/wiki/Q165194","display_name":"Application programming interface","level":2,"score":0.3206000030040741},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.3109000027179718},{"id":"https://openalex.org/C557433098","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android (operating system)","level":2,"score":0.30149999260902405},{"id":"https://openalex.org/C77714075","wikidata":"https://www.wikidata.org/wiki/Q5452017","display_name":"Firewall (physics)","level":5,"score":0.2994999885559082},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.29919999837875366},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.29679998755455017},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.28349998593330383},{"id":"https://openalex.org/C167981075","wikidata":"https://www.wikidata.org/wiki/Q2667186","display_name":"Sandbox (software development)","level":2,"score":0.28290000557899475},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.28209999203681946},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.27880001068115234},{"id":"https://openalex.org/C65399332","wikidata":"https://www.wikidata.org/wiki/Q749568","display_name":"Representational state transfer","level":3,"score":0.273499995470047},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.27129998803138733},{"id":"https://openalex.org/C43364308","wikidata":"https://www.wikidata.org/wiki/Q8799","display_name":"Byte","level":2,"score":0.25679999589920044},{"id":"https://openalex.org/C174183944","wikidata":"https://www.wikidata.org/wiki/Q334661","display_name":"MIT License","level":3,"score":0.25600001215934753}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:oai:oai-pmh.tno.nl:81140","is_oa":false,"landing_page_url":"https://resolver.tno.nl/uuid:00000000-0000-0000-0000-0000a1023730","pdf_url":null,"source":{"id":"https://openalex.org/S7407055233","display_name":"TNO Repository","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"info:eu-repo/semantics/conferencePaper"},{"id":"doi:10.48550/arxiv.2512.15554","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2512.15554","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2512.15554","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2512.15554","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Many":[0],"business":[1],"processes":[2],"currently":[3],"depend":[4],"on":[5,68,165],"web":[6,17],"services,":[7],"often":[8,144],"using":[9],"REST":[10,14,64],"APIs":[11,15],"for":[12],"communication.":[13],"expose":[16],"service":[18],"functionality":[19],"through":[20],"endpoints,":[21,37,49],"allowing":[22],"easy":[23],"client":[24],"interaction":[25],"over":[26,191],"the":[27,31,44,106,112,129,155,166,171,174,178,195,198],"Internet.":[28],"To":[29],"reduce":[30,141],"security":[32],"risk":[33],"resulting":[34],"from":[35],"exposed":[36],"thorough":[38],"testing":[39,51],"is":[40],"desired.":[41],"Due":[42],"to":[43,100,121,124,140,157,169,193],"generally":[45],"vast":[46],"number":[47],"of":[48,56,88,90,150,173,180,197],"automated":[50],"techniques,":[52],"like":[53],"fuzzing,":[54],"are":[55,93,152],"interest.":[57],"This":[58],"paper":[59],"introduces":[60],"WuppieFuzz,":[61],"an":[62,77,83],"open-source":[63],"API":[65,168],"fuzzer":[66,156],"built":[67],"LibAFL,":[69],"supporting":[70],"white-box,":[71],"grey-box":[72],"and":[73,97,177,188],"black-box":[74],"fuzzing.":[75,147],"Using":[76],"OpenAPI":[78],"specification,":[79],"it":[80,136],"can":[81],"generate":[82],"initial":[84],"input":[85],"corpus":[86],"consisting":[87],"sequences":[89,120],"requests.":[91],"These":[92],"mutated":[94],"with":[95],"REST-specific":[96],"LibAFL-provided":[98],"mutators":[99],"explore":[101],"different":[102,181],"code":[103,189],"paths":[104],"in":[105,128,146],"software":[107,130],"under":[108,131],"test.":[109,132],"Guided":[110],"by":[111,154],"measured":[113],"coverage,":[114],"WuppieFuzz":[115],"then":[116],"selects":[117],"which":[118],"request":[119],"send":[122],"next":[123],"reach":[125],"complex":[126],"states":[127],"In":[133],"this":[134],"process,":[135],"automates":[137],"harness":[138],"creation":[139],"manual":[142],"efforts":[143],"required":[145],"Different":[148],"kinds":[149],"reporting":[151],"provided":[153],"help":[158],"fixing":[159],"bugs.":[160],"We":[161,184],"evaluated":[162],"our":[163],"tool":[164],"Petstore":[167],"assess":[170],"robustness":[172],"white-box":[175],"approach":[176],"effectiveness":[179],"power":[182],"schedules.":[183],"further":[185],"monitored":[186],"endpoint":[187],"coverage":[190],"time":[192],"measure":[194],"efficacy":[196],"approach.":[199]},"counts_by_year":[],"updated_date":"2026-04-05T17:49:38.594831","created_date":"2025-12-19T00:00:00"}