Fuzz Test
Advanced Generation
Advanced Fuzz Testing Generation
You can adjust Skyramp’s generation command to generate fuzz tests that fit your needs.
Generate fuzz tests for all methods of an endpoint
This section explains how to change the CLI command to generate a fuzz test for an entire REST API endpoint. To reliably generate test cases, we require:
OpenAPI schema (JSON or YAML file)
Skyramp generates test cases for all available methods of the specified endpoint URL and its direct children. If the parent of the specified endpoint has relevant methods, they will also be included in the generated test.
NOTE: Skyramp does not guarantee order of execution of API requests when executing fuzz tests for all methods of an endpoint, nor does it automatically create any dependencies required for a successful API response for a fuzz test (ex. to DELETE a product, you need the product to exist first via POST). This means when you generate the test file, some test cases may not immediately pass, and you will need to update the generated test code accordingly.
If you are looking to generate a test which guarantees order and addresses dependencies for successful API responses, please refer to the Integration Testing guide.
For example:
When generating for the endpoint
https://demoshop.skyramp.dev/api/v1/products
, Skyramp generates test functions for all methods under/v1/products
and its direct child/v1/products/{product_id}
, but not for the methods under/v1/products/{product_id}/reviews
.When generating for the endpoint
https://demoshop.skyramp.dev/v1/products/{product_id}
, Skyramp will generate test functions for/v1/products/{product_id}
, its direct child/v1/products/{product_id}/reviews
, and its direct parent/v1/products
.

Generate Fuzz Test for All Methods
To create a fuzz test for an endpoint, specify the endpoint you want to test. In this example, we are using the https://demoshop.skyramp.dev/api/v1/products
as the URL to our service. When testing your service, replace it with the URL to the endpoint you want to test.
You can find the used API specification here.
Advanced Fuzz Testing Generation
You can adjust Skyramp’s generation command to generate fuzz tests that fit your needs.
Generate fuzz tests for all methods of an endpoint
This section explains how to change the CLI command to generate a fuzz test for an entire REST API endpoint. To reliably generate test cases, we require:
OpenAPI schema (JSON or YAML file)
Skyramp generates test cases for all available methods of the specified endpoint URL and its direct children. If the parent of the specified endpoint has relevant methods, they will also be included in the generated test.
NOTE: Skyramp does not guarantee order of execution of API requests when executing fuzz tests for all methods of an endpoint, nor does it automatically create any dependencies required for a successful API response for a fuzz test (ex. to DELETE a product, you need the product to exist first via POST). This means when you generate the test file, some test cases may not immediately pass, and you will need to update the generated test code accordingly.
If you are looking to generate a test which guarantees order and addresses dependencies for successful API responses, please refer to the Integration Testing guide.
For example:
When generating for the endpoint
https://demoshop.skyramp.dev/api/v1/products
, Skyramp generates test functions for all methods under/v1/products
and its direct child/v1/products/{product_id}
, but not for the methods under/v1/products/{product_id}/reviews
.When generating for the endpoint
https://demoshop.skyramp.dev/v1/products/{product_id}
, Skyramp will generate test functions for/v1/products/{product_id}
, its direct child/v1/products/{product_id}/reviews
, and its direct parent/v1/products
.

Generate Fuzz Test for All Methods
To create a fuzz test for an endpoint, specify the endpoint you want to test. In this example, we are using the https://demoshop.skyramp.dev/api/v1/products
as the URL to our service. When testing your service, replace it with the URL to the endpoint you want to test.
You can find the used API specification here.
Advanced Fuzz Testing Generation
You can adjust Skyramp’s generation command to generate fuzz tests that fit your needs.
Generate fuzz tests for all methods of an endpoint
This section explains how to change the CLI command to generate a fuzz test for an entire REST API endpoint. To reliably generate test cases, we require:
OpenAPI schema (JSON or YAML file)
Skyramp generates test cases for all available methods of the specified endpoint URL and its direct children. If the parent of the specified endpoint has relevant methods, they will also be included in the generated test.
NOTE: Skyramp does not guarantee order of execution of API requests when executing fuzz tests for all methods of an endpoint, nor does it automatically create any dependencies required for a successful API response for a fuzz test (ex. to DELETE a product, you need the product to exist first via POST). This means when you generate the test file, some test cases may not immediately pass, and you will need to update the generated test code accordingly.
If you are looking to generate a test which guarantees order and addresses dependencies for successful API responses, please refer to the Integration Testing guide.
For example:
When generating for the endpoint
https://demoshop.skyramp.dev/api/v1/products
, Skyramp generates test functions for all methods under/v1/products
and its direct child/v1/products/{product_id}
, but not for the methods under/v1/products/{product_id}/reviews
.When generating for the endpoint
https://demoshop.skyramp.dev/v1/products/{product_id}
, Skyramp will generate test functions for/v1/products/{product_id}
, its direct child/v1/products/{product_id}/reviews
, and its direct parent/v1/products
.

Generate Fuzz Test for All Methods
To create a fuzz test for an endpoint, specify the endpoint you want to test. In this example, we are using the https://demoshop.skyramp.dev/api/v1/products
as the URL to our service. When testing your service, replace it with the URL to the endpoint you want to test.
You can find the used API specification here.
Python
skyramp generate fuzz rest https://demoshop.skyramp.dev/api/v1/products \
--language python \
--framework pytest \
--api-schema
This command generates one file:
products_fuzz_test.py
.
Explanation of Command
https://demoshop.skyramp.dev/api/v1/products
: Defines the URL to the endpoint we aim to test.NOTE: No API method is specified in this generation command. When paired with an OpenAPI spec, Skyramp will generate tests for all endpoints at the URL, its direct parent (if any), and its direct children.
--language
: Specifies the test output language. For fuzz testing, we currently support Python and TypeScript.--framework
: Specify the test execution framework of choice.--api-schema
: Points to the OpenAPI schema used to generate the test. We also support sample data as an input for fuzz test generation.
Adjustments
Below are a few flags to customize the test generation. Additional flags are explained here.
--auth-header
: This flag allows you to specify the key of your authentication header, e.g.--auth-header X-API-KEY
. By default, we assumeBearer.
--response-status-code
: Specify the expected status code. For fuzz tests, we default to40x
.--path-params
: This flag allows you to override path parameters from your endpoint URL or the pre-defined values in the API schema, e.g.--path-params id=3fa85f64-5717-4562-b3fc-2c963f66afa6
--output
: Specify the name of the generated test file.--output-dir
: Specify the directory to store the generated test file in.
Execute the Fuzz Test
You can execute the generated tests without any additional adjustments to the code. However, based on the application you want to test, you can pass your authentication token to Skyramp Tests via an environment variable. In a later section, we will elaborate on how to make changes to the code, if needed.
Set environment variable for authentication (if applicable)
Skyramp’s sample application doesn't require any authentication.
To test against an application that does require authentication, pass your token using an environment variable. By default, Skyramp expects a Bearer Token but we support additional authentication methods as outlined in the Examples page.
export SKYRAMP_TEST_TOKEN=$your_auth_token
Run the test
Run the tests using Pytest. If you don’t have Pytest, install it with pip by running the following command in your terminal:
# Prerequisites
pip3 install pytest
# Execution of fuzz test for products/POST
python3 -m pytest products_fuzz_test.py --tb
Review Test Results
Pytest’s default test output will print a line for each test that is being run and listing all failures at the end.
We ran the above Pytest command using a shorter test output, which prints a line for each test that is run but prints only the failed assertions at the end. You can adjust Pytest’s output behavior following this documentation.
Test failure
We can see that the test checks 5 methods that one out of five test cases pass.

Successful test
To fix the test, we need to update the expected status codes for each request body tested.
Here is the fix for each test:
test_products_post
Problem: Python evaluates
True
fuzzed value to trueSolution: Update the fuzzed expected response code body for
in_stock
field (line 132) from40x
to20x
expected_products_post_status_code = { "category": "40x", "description": "40x", "image_url": "40x", "in_stock": "20x", "name": "40x", "price": "40x"
test_products_product_id_get
,test_products_product_id_put
,test_products_product_id_delete
Problem: Product 0 does not exist in Demo Shop
Solution: Change the
expected_code
of the original non-fuzzed request (lines 194, 254, 304) to40x
products_product_id_PUT_response = client.send_request( url=URL, path="/api/v1/products/{product_id}", method="PUT", body=products_product_id_PUT_request_body, headers=headers, path_params={"product_id": product_id}, expected_code="40x"
Adding these fixes will cause the fuzz test to pass.

Next Steps
Congratulations! You have successfully generated a full suite of fuzz tests for a REST endpoint. You can adjust the expected status code and fuzzing strategies directly in the output file (see Test File Anatomy link for an example with a single method).
Related topics
Python
skyramp generate fuzz rest https://demoshop.skyramp.dev/api/v1/products \
--language python \
--framework pytest \
--api-schema
This command generates one file:
products_fuzz_test.py
.
Explanation of Command
https://demoshop.skyramp.dev/api/v1/products
: Defines the URL to the endpoint we aim to test.NOTE: No API method is specified in this generation command. When paired with an OpenAPI spec, Skyramp will generate tests for all endpoints at the URL, its direct parent (if any), and its direct children.
--language
: Specifies the test output language. For fuzz testing, we currently support Python and TypeScript.--framework
: Specify the test execution framework of choice.--api-schema
: Points to the OpenAPI schema used to generate the test. We also support sample data as an input for fuzz test generation.
Adjustments
Below are a few flags to customize the test generation. Additional flags are explained here.
--auth-header
: This flag allows you to specify the key of your authentication header, e.g.--auth-header X-API-KEY
. By default, we assumeBearer.
--response-status-code
: Specify the expected status code. For fuzz tests, we default to40x
.--path-params
: This flag allows you to override path parameters from your endpoint URL or the pre-defined values in the API schema, e.g.--path-params id=3fa85f64-5717-4562-b3fc-2c963f66afa6
--output
: Specify the name of the generated test file.--output-dir
: Specify the directory to store the generated test file in.
Execute the Fuzz Test
You can execute the generated tests without any additional adjustments to the code. However, based on the application you want to test, you can pass your authentication token to Skyramp Tests via an environment variable. In a later section, we will elaborate on how to make changes to the code, if needed.
Set environment variable for authentication (if applicable)
Skyramp’s sample application doesn't require any authentication.
To test against an application that does require authentication, pass your token using an environment variable. By default, Skyramp expects a Bearer Token but we support additional authentication methods as outlined in the Examples page.
export SKYRAMP_TEST_TOKEN=$your_auth_token
Run the test
Run the tests using Pytest. If you don’t have Pytest, install it with pip by running the following command in your terminal:
# Prerequisites
pip3 install pytest
# Execution of fuzz test for products/POST
python3 -m pytest products_fuzz_test.py --tb
Review Test Results
Pytest’s default test output will print a line for each test that is being run and listing all failures at the end.
We ran the above Pytest command using a shorter test output, which prints a line for each test that is run but prints only the failed assertions at the end. You can adjust Pytest’s output behavior following this documentation.
Test failure
We can see that the test checks 5 methods that one out of five test cases pass.

Successful test
To fix the test, we need to update the expected status codes for each request body tested.
Here is the fix for each test:
test_products_post
Problem: Python evaluates
True
fuzzed value to trueSolution: Update the fuzzed expected response code body for
in_stock
field (line 132) from40x
to20x
expected_products_post_status_code = { "category": "40x", "description": "40x", "image_url": "40x", "in_stock": "20x", "name": "40x", "price": "40x"
test_products_product_id_get
,test_products_product_id_put
,test_products_product_id_delete
Problem: Product 0 does not exist in Demo Shop
Solution: Change the
expected_code
of the original non-fuzzed request (lines 194, 254, 304) to40x
products_product_id_PUT_response = client.send_request( url=URL, path="/api/v1/products/{product_id}", method="PUT", body=products_product_id_PUT_request_body, headers=headers, path_params={"product_id": product_id}, expected_code="40x"
Adding these fixes will cause the fuzz test to pass.

Next Steps
Congratulations! You have successfully generated a full suite of fuzz tests for a REST endpoint. You can adjust the expected status code and fuzzing strategies directly in the output file (see Test File Anatomy link for an example with a single method).
Related topics
Python
skyramp generate fuzz rest https://demoshop.skyramp.dev/api/v1/products \
--language python \
--framework pytest \
--api-schema
This command generates one file:
products_fuzz_test.py
.
Explanation of Command
https://demoshop.skyramp.dev/api/v1/products
: Defines the URL to the endpoint we aim to test.NOTE: No API method is specified in this generation command. When paired with an OpenAPI spec, Skyramp will generate tests for all endpoints at the URL, its direct parent (if any), and its direct children.
--language
: Specifies the test output language. For fuzz testing, we currently support Python and TypeScript.--framework
: Specify the test execution framework of choice.--api-schema
: Points to the OpenAPI schema used to generate the test. We also support sample data as an input for fuzz test generation.
Adjustments
Below are a few flags to customize the test generation. Additional flags are explained here.
--auth-header
: This flag allows you to specify the key of your authentication header, e.g.--auth-header X-API-KEY
. By default, we assumeBearer.
--response-status-code
: Specify the expected status code. For fuzz tests, we default to40x
.--path-params
: This flag allows you to override path parameters from your endpoint URL or the pre-defined values in the API schema, e.g.--path-params id=3fa85f64-5717-4562-b3fc-2c963f66afa6
--output
: Specify the name of the generated test file.--output-dir
: Specify the directory to store the generated test file in.
Execute the Fuzz Test
You can execute the generated tests without any additional adjustments to the code. However, based on the application you want to test, you can pass your authentication token to Skyramp Tests via an environment variable. In a later section, we will elaborate on how to make changes to the code, if needed.
Set environment variable for authentication (if applicable)
Skyramp’s sample application doesn't require any authentication.
To test against an application that does require authentication, pass your token using an environment variable. By default, Skyramp expects a Bearer Token but we support additional authentication methods as outlined in the Examples page.
export SKYRAMP_TEST_TOKEN=$your_auth_token
Run the test
Run the tests using Pytest. If you don’t have Pytest, install it with pip by running the following command in your terminal:
# Prerequisites
pip3 install pytest
# Execution of fuzz test for products/POST
python3 -m pytest products_fuzz_test.py --tb
Review Test Results
Pytest’s default test output will print a line for each test that is being run and listing all failures at the end.
We ran the above Pytest command using a shorter test output, which prints a line for each test that is run but prints only the failed assertions at the end. You can adjust Pytest’s output behavior following this documentation.
Test failure
We can see that the test checks 5 methods that one out of five test cases pass.

Successful test
To fix the test, we need to update the expected status codes for each request body tested.
Here is the fix for each test:
test_products_post
Problem: Python evaluates
True
fuzzed value to trueSolution: Update the fuzzed expected response code body for
in_stock
field (line 132) from40x
to20x
expected_products_post_status_code = { "category": "40x", "description": "40x", "image_url": "40x", "in_stock": "20x", "name": "40x", "price": "40x"
test_products_product_id_get
,test_products_product_id_put
,test_products_product_id_delete
Problem: Product 0 does not exist in Demo Shop
Solution: Change the
expected_code
of the original non-fuzzed request (lines 194, 254, 304) to40x
products_product_id_PUT_response = client.send_request( url=URL, path="/api/v1/products/{product_id}", method="PUT", body=products_product_id_PUT_request_body, headers=headers, path_params={"product_id": product_id}, expected_code="40x"
Adding these fixes will cause the fuzz test to pass.

Next Steps
Congratulations! You have successfully generated a full suite of fuzz tests for a REST endpoint. You can adjust the expected status code and fuzzing strategies directly in the output file (see Test File Anatomy link for an example with a single method).