Introducing Aperio Security

Aperio is a black-box fuzzer for your web application or API. Seed it with example requests, point it at a testing deployment, and let it find behaviors you didn’t know existed.

Aperio generates reproducible sequences of requests. An example sequence for a photo sharing site might be:

Create Album

Request

POST /api/create-album
{
    "name": "My Album"
}

Response

HTTP/1.1 200 OK
{
    "album_id": 342987
}

Delete Album

Request

POST /api/delete-album
{
    "album_identifier": 342987
}

Response

HTTP/1.1 200 OK

Edit Album

Request

POST /api/edit-album
{
    "album_identifier": 342987
}

Response

HTTP/1.1 500 Internal Server Error

Notice how the album_id value returned in the first response flows into the later requests, even though those requests call the field album_identifier rather than album_id. Notice also that editing the album after deleting it produces a 500 rather than a clean 404: exactly the kind of behaviour nobody wrote a test for. Aperio learns these data flows and uses them to generate interesting, reproducible sequences.
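To make the idea concrete, here is an added example (written for this post, not Aperio's own code) that learns response-to-request data flows from seed traffic by matching values across exchanges, then replays request orderings against a server with the flowed field re-bound to whatever the current run returned. The seed traffic is the three exchanges above; the in-memory FakeAlbumServer, its starting ID of 1000 and its edit-after-delete bug are constructed so the example runs offline.

```python
"""Learn response-to-request data flows from seed traffic, then search
request orderings for one that provokes a server error.  Added example for
this post, not Aperio's code; the seed traffic and the in-memory album
server are constructed here so it runs offline."""
import itertools

# Constructed seed traffic: the three exchanges shown above, as
# (method, path, request body, response status, response body).
SEEDS = [
    ("POST", "/api/create-album", {"name": "My Album"}, 200, {"album_id": 342987}),
    ("POST", "/api/delete-album", {"album_identifier": 342987}, 200, {}),
    ("POST", "/api/edit-album", {"album_identifier": 342987}, 500, {}),
]


def learn_flows(seeds):
    """Map (step, request field) -> (earlier step, response field) whenever a
    request reuses a value that an earlier response produced.  Matching is
    on values, so album_id feeding album_identifier is found."""
    produced = {}  # value -> (step that first produced it, response field)
    flows = {}
    for i, (_m, _p, req, _status, resp) in enumerate(seeds):
        for name, value in req.items():
            if value in produced:
                flows[(i, name)] = produced[value]
        for name, value in resp.items():
            produced.setdefault(value, (i, name))
    return flows


class FakeAlbumServer:
    """Constructed stand-in for the photo-sharing API.  IDs start at 1000 so
    the literal 342987 from the seeds is never valid on a fresh instance,
    which is why the flowed value must be re-bound per run.  Editing a
    deleted album returns 500 instead of 404: the bug the sequence exposes."""

    def __init__(self):
        self.albums, self.deleted, self.next_id = {}, set(), 1000

    def handle(self, method, path, body):
        if method != "POST":
            return 405, {}
        if path == "/api/create-album":
            album_id, self.next_id = self.next_id, self.next_id + 1
            self.albums[album_id] = body.get("name")
            return 200, {"album_id": album_id}
        album_id = body.get("album_identifier")
        if path == "/api/delete-album" and album_id in self.albums:
            del self.albums[album_id]
            self.deleted.add(album_id)
            return 200, {}
        if path == "/api/edit-album":
            if album_id in self.albums:
                return 200, {}
            if album_id in self.deleted:
                return 500, {}  # dangling reference: the unexpected behaviour
        return 404, {}


def run_sequence(seeds, flows, order, server):
    """Replay seed steps in `order`, substituting each flowed field with the
    value the producing step returned *in this run*.  If the producer has
    not run yet, the literal value from the seed is sent unchanged."""
    latest = {}  # step index -> most recent response body in this run
    log = []
    for step in order:
        method, path, req, _status, _resp = seeds[step]
        body = dict(req)
        for (consumer, field), (producer, src_field) in flows.items():
            if consumer == step and producer in latest:
                body[field] = latest[producer][src_field]
        status, resp = server.handle(method, path, body)
        latest[step] = resp
        log.append((path, body, status))
    return log


def find_reproducer(seeds, length=None):
    """Enumerate orderings (with repeats) deterministically and return the
    first one whose replay yields a 5xx, together with its log.  Because
    the enumeration order is fixed, the result reproduces across runs."""
    flows = learn_flows(seeds)
    length = length or len(seeds)
    for order in itertools.product(range(len(seeds)), repeat=length):
        log = run_sequence(seeds, flows, order, FakeAlbumServer())
        if any(status >= 500 for _p, _b, status in log):
            return order, log
    return None


if __name__ == "__main__":
    hit = find_reproducer(SEEDS)
    if hit:
        for path, body, status in hit[1]:
            print(status, path, body)
```

Two points matter for a real target. First, the flow is learned from values, not field names, which is what lets album_id in one message feed album_identifier in the next. Second, the replay never trusts the identifier captured in the seeds: it re-binds to the ID the server just handed back, so the same sequence reproduces on any fresh deployment rather than only on the one the seeds were recorded against.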

Aperio is distributed via Docker and is fully cross-platform. Give it a try now.

Why make this?

I was participating in a couple of bug bounty programs on weekends and felt like one of the proverbial “infinite monkeys”, copying data from one request to another to try to find unexpected behaviors.

There are few things more infuriating to most developers than a menial task you just know can be automated.
