Replay-Based Crash Deduplication for Stateful REST API Fuzzing
Cyber Security
Semester programme: Master Applied IT
Client company: TNO
Project group members: Stegeran Darius, Thomas Rooijakkers, Stefan Vandenberg
Project description
This project adds an offline crash deduplication feature to an open-source REST API fuzzer, designed to reduce hundreds of raw crash files from a fuzzing campaign into a small set of distinct behavioral clusters. Instead of relying on internal program signals, the tool replays each saved crash and groups it by externally observable behavior such as endpoint, HTTP status, and response type.
Context
Stateful REST API fuzzers can generate many crash files that look different but actually expose the same underlying bug, making manual triage time-consuming. This project explores how far a lightweight, black-box replay approach can go in automatically separating distinct failures from duplicate ones, without requiring access to server-side internals.
Results
Across 12 independent fuzzing runs, the tool consistently reduced 141–853 raw crash files down to exactly 16 stable behavioral clusters, a median reduction of about 94%. The evaluation also reveals the approach's limits: some distinct bugs were merged together, and some single bugs were split across multiple clusters, providing a clear, repeatable picture of where this triage method works well and where it doesn't.