### Web API Fuzz Testing

Web API fuzzing performs fuzz testing of API operation parameters. Fuzz testing sets operation parameters to unexpected values in an effort to cause unexpected behavior and errors in the API backend. This helps you discover bugs and potential security issues that other QA processes may miss.

You can run a Web API fuzzing scan using the following methods:

-   [OpenAPI Specification](https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#openapi-specification) - version 2 and 3
-   [HTTP Archive](https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#http-archive-har) (HAR)
-   [Postman Collection](https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#postman-collection) - version 2.0 or 2.1
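
A minimal `.gitlab-ci.yml` that enables the scan with a HAR recording, with the other two inputs shown as commented alternatives. This is an added example, not taken from the example project; the file names and target URL are placeholders, and the template name and `FUZZAPI_*` variables are those documented by GitLab, which may differ between GitLab versions.

```yaml
# Added example: file names and the target URL below are placeholders.
stages:
  - build
  - test
  - deploy
  - fuzz   # the API fuzzing job from the template runs in the `fuzz` stage

include:
  - template: API-Fuzzing.gitlab-ci.yml

variables:
  # Scan profile; Quick-10 is the short profile in the default configuration.
  FUZZAPI_PROFILE: Quick-10

  # Choose exactly one description of the API operations to fuzz.
  FUZZAPI_HAR: test-api-recording.har
  # FUZZAPI_OPENAPI: test-api-specification.json
  # FUZZAPI_POSTMAN_COLLECTION: postman-collection.json

  # Base URL of a dedicated test deployment of the API (placeholder).
  # Fuzzing sends unexpected values and can modify or delete data,
  # so point it at a disposable test environment, not production.
  FUZZAPI_TARGET_URL: http://test-deployed-target-api
```

A HAR recording can contain session cookies, tokens and other credentials captured from real traffic, so review and sanitize it before committing it to the repository.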

See the scanning results in a merge request:

![api-fuzzing-in-mr](./api-fuzzing-in-mr.png)  

Example projects using these methods are available: [Example HTTP Archive (HAR)](https://jihulab.com/ultimate-plan/demo/api-fuzzing/http-archive/-/tree/1-api-fuzzing)

https://docs.gitlab.com/ee/user/application_security/api_fuzzing/  

