How to generate an OpenAPI spec if you don't already have one

Welcome to the Mayhem Tips and Tricks series! Our goal is to help you learn about the best features of Mayhem in small, bite-size chunks. Today, we’ll show you how to generate your own OpenAPI specification from a .har recording using Mayhem for API.

Mayhem for API intelligently fuzz tests your API by using the API specification both to craft fuzzed test cases and to understand what types of responses are expected from a particular endpoint. But what if you don’t have an API spec? Maybe you’re running a pen-test on an API that doesn’t expose its spec, or maybe your API is still in its infancy and hasn’t had a spec written for it yet. Whatever the case, not to fear! You can use Mayhem for API to convert an HTTP Archive recording (.har) into an API spec, which you can then use to fuzz with Mayhem for API!

The first step is to generate your .har file. In most modern browsers, you can use the developer pane to record network activity within the browser. I’ll be using Chrome for this example.

Open your browser and navigate to your API. We’ll be using our hosted Petstore demo for this example (it already has an API spec, but for this walkthrough we’ll assume it doesn’t).

Open your developer tools:

Under the network tab, you’ll see that we’re already recording network activity.

The next step is to perform some actions on the API. The network log should show your recorded actions:

Then, you can save the log:

I’ve saved my recording as “petstore-recording.har”. Keep in mind that a .har file captures complete requests, including any Authorization headers and cookies sent during the session, so treat the recording as sensitive. Now, I can use mAPI to convert the recording:

$ mapi convert har petstore-recording.har --out petstore-openapispec.yaml
Sending specification to https://mayhem4api.forallsecure.com/api/v1/convert/har for conversion...
Successfully converted HAR to OpenAPI 3.0!

And then, we can check the output:

$ cat petstore-openapispec.yaml
{
   "components": {
      "schemas": {
         "ErrorModel": {
            "properties": {
               "code": {
                  "type": "string"
               }
            },
            "type": "object"
         }
      },
      "securitySchemes": {
         "JWT": {
            "description": "You can create a JSON Web Token (JWT) during auth.\nUsage format: `Bearer <JWT>`\n",
            "in": "header",
            "name": "Authorization",
            "type": "apiKey"
         }
      }
   },
   "info": {
      "description": "TODO: Add Description",
      "title": "OpenAPI specification converted from HAR",
      "version": "1.0",
      "x-mayhem4api-converted": "2022-03-10 15:48:09.495928816 -05:00 (from har)"
   },
   "openapi": "3.0.0",
   "paths": {
      "/v2/pet/findByStatus": {
         "get": {
            "parameters": [
               {
                  "in": "query",
                  "name": "status",
                  "required": true,
                  "schema": {
                     "type": "string"
                  }
               }
            ],
            "responses": {
               "200": {
                  [etc...]

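To make the conversion concrete, here is an added Python example (not Mayhem's or ForAllSecure's code) that walks a constructed HAR recording and emits the same kind of OpenAPI 3.0 skeleton shown above: one path item per URL path, query parameters as string schemas, observed status codes as responses, and a Bearer Authorization header as an apiKey security scheme. The HAR entries, hostname and function names are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample HAR (HTTP Archive 1.2) with two Petstore-like requests.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [
        {"request": {"method": "GET",
                     "url": "https://petstore.example/v2/pet/findByStatus?status=available",
                     "headers": [{"name": "Authorization", "value": "Bearer x.y.z"}],
                     "queryString": [{"name": "status", "value": "available"}]},
         "response": {"status": 200}},
        {"request": {"method": "POST", "url": "https://petstore.example/v2/pet",
                     "headers": [], "queryString": []},
         "response": {"status": 405}},
    ]}
})


def har_to_openapi(har_text: str, title: str = "OpenAPI specification converted from HAR") -> dict:
    """Build a minimal OpenAPI 3.0 document from a HAR recording (hypothetical helper)."""
    har = json.loads(har_text)
    spec = {"openapi": "3.0.0",
            "info": {"title": title, "version": "1.0", "description": "TODO: Add Description"},
            "paths": {}, "components": {"securitySchemes": {}}}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        path = urlparse(req["url"]).path
        op = spec["paths"].setdefault(path, {}).setdefault(
            req["method"].lower(), {"parameters": [], "responses": {}})
        seen = {p["name"] for p in op["parameters"]}
        # Every query parameter seen in the recording becomes a required string parameter.
        for q in req.get("queryString", []):
            if q["name"] not in seen:
                op["parameters"].append({"in": "query", "name": q["name"],
                                         "required": True, "schema": {"type": "string"}})
                seen.add(q["name"])
        # Each observed status code becomes a response entry for that operation.
        op["responses"][str(resp["status"])] = {"description": f"HTTP {resp['status']} observed"}
        # A Bearer Authorization header is recorded as an apiKey security scheme.
        for h in req.get("headers", []):
            if h["name"].lower() == "authorization" and h["value"].startswith("Bearer "):
                spec["components"]["securitySchemes"]["JWT"] = {
                    "type": "apiKey", "in": "header", "name": "Authorization"}
                op["security"] = [{"JWT": []}]
    return spec


if __name__ == "__main__":
    print(json.dumps(har_to_openapi(SAMPLE_HAR), indent=2))
```

The generated skeleton only knows what the recording exercised, so endpoints, parameters and status codes you never triggered in the browser will be missing from the spec.
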
Now we have an API spec created from a .har recording! You should now be able to test your API using this generated specification. We hope that you found this Tips and Tricks article helpful. If you have any questions, please email us at support@forallsecure.com.

Sincerely,

Your ForAllSecure Customer Success Team