Gaia, A Tool for Testing API Servers

Fuzzing API REST Cybersecurity
Published on 2024/09/17

We're excited to announce the release of Gaia (Global API Integrity Assessor), a portfolio tool for testing and monitoring API servers. Developed by one of our talented interns, Gaia uses fuzzing to test REST APIs by injecting them with a variety of unexpected and irregular inputs to identify vulnerabilities, and monitoring to continuously analyze their performance and security under real-world operating conditions.

What is Gaia?

Gaia is a comprehensive tool for API fuzzing and monitoring. It operates in two primary modes:

Fuzzing mode: Gaia integrates API fuzzers such as RESTler and Schemathesis, enabling it to automatically test APIs for common issues such as server crashes (5xx errors). Using just an OpenAPI file and a configuration file, Gaia detects weaknesses such as mishandled malformed input and unhandled exceptions.
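The loop behind that fuzzing mode is simple enough to show end to end. The following Python is an added example, not Gaia's code: it walks a constructed OpenAPI fragment for a hypothetical items service, mutates each parameter and body field with irregular values, and flags any response of 500 or above; `mock_send` is a stand-in for an HTTP client that emulates a server with one unhandled-exception bug, so the run is offline.

```python
import json
# Constructed OpenAPI fragment for a hypothetical "items" service (not a real API).
SPEC = {"paths": {
    "/items/{id}": {"get": {"parameters": [
        {"name": "id", "in": "path", "schema": {"type": "integer"}}]}},
    "/items": {"post": {"requestBody": {"content": {"application/json": {
        "schema": {"type": "object", "properties": {
            "name": {"type": "string"}, "qty": {"type": "integer"}}}}}}}},
}}

# Irregular values per schema type: boundaries, wrong types, oversized or odd data.
MUTATIONS = {
    "integer": [0, -1, 2**63, "abc", ""],
    "string": ["", "A" * 4096, "\x00", '{"$gt": ""}'],
}

def generate_cases(spec):
    """Yield (method, path, body) with one parameter or body field mutated at a time."""
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for p in op.get("parameters", []):
                for v in MUTATIONS.get(p["schema"]["type"], []):
                    yield method.upper(), path.replace("{%s}" % p["name"], str(v)), None
            media = op.get("requestBody", {}).get("content", {}).get("application/json")
            if media:
                props = media["schema"].get("properties", {})
                for name, schema in props.items():
                    for v in MUTATIONS.get(schema["type"], []):
                        payload = {n: v if n == name else ("ok" if s["type"] == "string" else 1)
                                   for n, s in props.items()}
                        yield method.upper(), path, json.dumps(payload)

def mock_send(method, path, body):
    """Stand-in for an HTTP client: emulates a server with one unhandled-exception bug."""
    if method == "GET" and path.startswith("/items/"):
        try:
            int(path.split("/")[2])   # bug: a non-numeric id raises and escapes as a 500
            return 200
        except ValueError:
            return 500
    if method == "POST" and path == "/items":
        if not isinstance(json.loads(body).get("qty"), int):
            return 400                # handled correctly: a client error, not a crash
        return 201
    return 404

def fuzz(spec, send=mock_send):
    """Return the cases that drew a 5xx: the finding class Gaia's fuzzing mode reports."""
    return [(m, p, b, status) for m, p, b in generate_cases(spec)
            if (status := send(m, p, b)) >= 500]
```

Only the GET cases with a non-numeric or empty id are reported; the POST field with the wrong type draws a 400, which is a handled client error rather than a crash.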

Monitoring mode: In production environments, Gaia monitors API health, tracks metrics, and detects issues in real-time. Whether running fuzz tests or monitoring live traffic, Gaia collects detailed logs that can be analyzed later or integrated into tools like the ELK stack (Elasticsearch, Logstash, Kibana) to visualize metrics and identify trends.

Powerful Insights

Gaia doesn't stop at fuzzing and monitoring. It can also:

  • Spawn a Prometheus-Grafana instance to display real-time metrics about an API, such as CPU usage, memory consumption, file descriptors, the number of requests and responses, and the average response time.
  • Run advanced scanner-fuzzers like ZAP (Zed Attack Proxy) to discover security vulnerabilities.
  • Integrate seamlessly with post-checkers and analyzers to further validate the stability and security of your API.

Real-World Success

Gaia has been extensively tested both on internally developed APIs and on various commercial APIs. This has allowed us to validate Gaia's effectiveness in identifying vulnerabilities and ensuring robust API performance across different environments.

Try Gaia!

Gaia is open-source and available on GitLab under the MIT license: https://gitlab.com/functori/dev/gaia. Try it out, and help us make APIs more robust and secure!
