I want to fuzz a third-party web app (black box / grey box). Can Mayhem for API help with this?

Can I fuzz APIs for which I do not have access to the source code? In the best case I'll have a swagger spec, but usually I won't. Is Mayhem useful for this use case?

Absolutely. There are a couple of options:

  • Use the swagger spec. It doesn't need to be complete, so you can also create one on the fly.
  • Load an API in the browser and record the HAR file. Instructions here: HAR Analyzer

MAPI can use either to fuzz.
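The two options above meet in the middle: a browser recording (HAR) is the raw material from which a partial swagger/OpenAPI spec can be built. The script below is an added example written for this thread; it is not the replier's code and not Mayhem's HAR Analyzer. It uses a constructed HAR with three entries against a hypothetical host (`api.example.test`, made up for the example), first redacts credential-bearing headers and cookies (a HAR captured from a logged-in session carries live tokens, which the spec does not need and should not contain), then emits an OpenAPI 3 skeleton: numeric path segments become `{id}` path parameters, query strings become query parameters, JSON bodies become request schemas, and observed status codes become responses. Paths, parameter names and the `SENSITIVE_HEADERS` list are assumptions for illustration.

```python
import copy
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed sample HAR (not a real recording). Entry 3 is a static asset on another
# host, included to show that unrelated traffic from the same session is filtered out.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example.test/v1/users/42?verbose=true",
                 "headers": [{"name": "Authorization", "value": "Bearer secret-token"}],
                 "cookies": [{"name": "session", "value": "abc"}]},
     "response": {"status": 200, "content": {"mimeType": "application/json", "text": "{\"id\": 42}"}}},
    {"request": {"method": "POST", "url": "https://api.example.test/v1/users",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json", "text": "{\"name\": \"alice\", \"age\": 30}"}},
     "response": {"status": 201, "content": {"mimeType": "application/json", "text": "{}"}}},
    {"request": {"method": "GET", "url": "https://static.example.test/app.js", "headers": []},
     "response": {"status": 200, "content": {"mimeType": "application/javascript", "text": ""}}},
]}}

# Header names whose values are credentials (assumed list; extend for your own app).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}


def redact_har(har):
    """Return a copy of the HAR with credential headers blanked and cookie lists dropped.
    Do this before handing a recording to any tool; the spec does not need the secrets."""
    scrubbed = copy.deepcopy(har)
    for entry in scrubbed["log"]["entries"]:
        for section in (entry.get("request", {}), entry.get("response", {})):
            for h in section.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = "REDACTED"
            section.pop("cookies", None)
    return scrubbed


def infer_schema(value):
    """Derive a minimal JSON Schema (types only) from one observed JSON value."""
    if isinstance(value, bool):
        return {"type": "boolean"}
    if isinstance(value, int):
        return {"type": "integer"}
    if isinstance(value, float):
        return {"type": "number"}
    if isinstance(value, str):
        return {"type": "string"}
    if value is None:
        return {"type": "string", "nullable": True}
    if isinstance(value, list):
        return {"type": "array", "items": infer_schema(value[0]) if value else {}}
    if isinstance(value, dict):
        return {"type": "object", "properties": {k: infer_schema(v) for k, v in value.items()}}
    return {}


def templatize_path(path):
    """Turn purely numeric segments into {id} parameters so /users/42 and /users/7
    collapse into one operation. Returns (template, [parameter names])."""
    segments, params = [], []
    for seg in path.split("/"):
        if seg.isdigit():
            name = "id" if not params else f"id{len(params) + 1}"
            params.append(name)
            segments.append("{" + name + "}")
        else:
            segments.append(seg)
    return "/".join(segments), params


def har_to_openapi(har, base_url):
    """Build an OpenAPI 3 skeleton from the HAR entries whose URL starts with base_url."""
    paths = {}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        if not req["url"].startswith(base_url):
            continue  # other hosts (CDNs, analytics) are not part of the API under test
        parts = urlsplit(req["url"])
        path, path_params = templatize_path(parts.path)
        op = paths.setdefault(path, {}).setdefault(
            req["method"].lower(), {"parameters": [], "responses": {}})
        seen = {(p["name"], p["in"]) for p in op["parameters"]}
        for name in path_params:
            if (name, "path") not in seen:
                op["parameters"].append({"name": name, "in": "path", "required": True,
                                         "schema": {"type": "integer"}})
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            if (name, "query") not in seen:
                seen.add((name, "query"))
                op["parameters"].append({"name": name, "in": "query", "required": False,
                                         "schema": {"type": "string"}})
        post = req.get("postData")
        if post and "json" in post.get("mimeType", ""):
            try:
                body = json.loads(post["text"])
            except json.JSONDecodeError:
                body = None  # malformed body: leave the operation without a schema
            if body is not None:
                op["requestBody"] = {"required": True, "content": {
                    "application/json": {"schema": infer_schema(body)}}}
        status = str(resp.get("status", 200))
        op["responses"].setdefault(status, {"description": f"observed {status} in recording"})
    return {"openapi": "3.0.0", "info": {"title": "recorded-api", "version": "0.0.1"},
            "servers": [{"url": base_url}], "paths": paths}


def spec_to_json(spec):
    """Serialize the spec so it can be saved as openapi.json and fed to the fuzzer."""
    return json.dumps(spec, indent=2)


if __name__ == "__main__":
    print(spec_to_json(har_to_openapi(redact_har(SAMPLE_HAR), "https://api.example.test")))
```

The output is a starting point, not a finished spec: every parameter is typed from a single observation, so tighten types and add the endpoints the browser never exercised before fuzzing. Redacting first matters because the recorded bearer token is exactly the kind of thing that ends up committed next to a spec file.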