Fuzzing REST APIs in Industry: Necessary Features and Open Problems

View PDF HTML (experimental)

Abstract:REST APIs are widely used in industry, in all different kinds of domains. An example is Volkswagen AG, a German automobile manufacturer. Established testing approaches for REST APIs are time consuming, and require expertise from professional test engineers. Due to its cost and importance, in the scientific literature several approaches have been proposed to automatically test REST APIs. The open-source, search-based fuzzer EvoMaster is one of such tools proposed in the academic literature. However, how academic prototypes can be integrated in industry and have real impact to software engineering practice requires more investigation. In this paper, we report on our experience in using EvoMaster at Volkswagen AG, as an EvoMaster user from 2023 to 2026. We share our learnt lessons, and discuss several features needed to be implemented in EvoMaster to make its use in an industrial context successful. Feedback about value in industrial setups of EvoMaster was given from Volkswagen AG about 4 APIs. Additionally, a user study was conducted involving 11 testing specialists from 4 different companies. We further identify several real-world research challenges that still need to be solved.

Comments: Extension from conference paper published at ICST'25

Subjects:

Software Engineering (cs.SE)

Cite as: arXiv:2604.01759 [cs.SE]

(or arXiv:2604.01759v1 [cs.SE] for this version)

https://doi.org/10.48550/arXiv.2604.01759

arXiv-issued DOI via DataCite (pending registration)

Submission history

From: Andrea Arcuri [view email] [v1] Thu, 2 Apr 2026 08:27:21 UTC (110 KB)