In Progress (Q3 2026)

BreakMyAPI: AI Robustness Testing Suite

An autonomous, AI-driven stress testing suite that parses API specs and dynamically generates edge-case payloads to find bottlenecks.

Technologies Used

NestJS, TypeScript, Docker, Gemini API, OpenAPI / Swagger

Scope & Context

Founding Engineer project targeting high concurrency, real-time sync, or custom system designs.

The Problem

Standard API load testing tools (like JMeter or k6) rely on static request payloads. They measure performance but completely miss logical bugs, unhandled exceptions, and security vulnerabilities that only occur with complex, malformed inputs or specific state sequences.

Writing test scripts for every endpoint, query parameter, and payload schema in a large-scale application is incredibly tedious and frequently becomes outdated as APIs evolve.

The Solution & Architecture

I am currently designing and prototyping BreakMyAPI, an autonomous agent that reads Swagger/OpenAPI specifications and dynamically attacks REST endpoints:

  • Specification Parser: Ingests OpenAPI JSON files and maps routes, data types, parameter requirements, and authentication schemes.
  • Gemini Mutation Engine: An LLM-driven core that analyzes schemas and generates highly probable breaking payloads (e.g. boundary exceptions, SQL injections, nested JSON bomb structures, authorization bypass attempts).
  • Dockerized Test Runners: Spin up containerized instances to execute concurrent mutation queries while logging server response codes and memory footprints.
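As an added illustration of the Specification Parser stage (example code, not BreakMyAPI's own), the TypeScript below walks a small, constructed OpenAPI 3 document and flattens it into a target-route list: one entry per method/path pair, with path-level parameters merged into each operation, path parameters forced to required, and the effective security requirement resolved (an operation-level `security` array replaces the document default, and an empty array marks a public endpoint). The interface names, `buildTargetRoutes`, `routeById` and the sample spec are assumptions made for the example and cover only the subset of OpenAPI 3 used here.

```typescript
// Added example (not BreakMyAPI code): flatten an OpenAPI 3 document into
// target routes. The types cover only the subset of OpenAPI 3 used here.
type HttpMethod = "get" | "post" | "put" | "patch" | "delete";

interface OpenApiParameter {
  name: string;
  in: "path" | "query" | "header" | "cookie";
  required?: boolean;
  schema?: { type?: string; format?: string; minimum?: number; maximum?: number };
}

interface OpenApiOperation {
  operationId?: string;
  parameters?: OpenApiParameter[];
  requestBody?: { required?: boolean; content?: Record<string, unknown> };
  security?: Array<Record<string, string[]>>; // [] means "no auth required"
}

type PathItem = Partial<Record<HttpMethod, OpenApiOperation>> & { parameters?: OpenApiParameter[] };

interface OpenApiDocument {
  openapi: string;
  paths: Record<string, PathItem>;
  security?: Array<Record<string, string[]>>; // document-wide default
}

interface TargetParam { name: string; location: string; required: boolean; type: string }

interface TargetRoute {
  method: HttpMethod;
  path: string;
  operationId: string;
  params: TargetParam[];
  hasBody: boolean;
  securitySchemes: string[]; // names of the schemes the caller must satisfy
}

const METHODS: HttpMethod[] = ["get", "post", "put", "patch", "delete"];

function buildTargetRoutes(doc: OpenApiDocument): TargetRoute[] {
  const routes: TargetRoute[] = [];
  for (const path of Object.keys(doc.paths)) {
    const item = doc.paths[path];
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      // Path-level parameters apply to every operation unless the operation
      // redeclares the same (in, name) pair.
      const merged: Record<string, OpenApiParameter> = {};
      for (const p of item.parameters ?? []) merged[`${p.in}:${p.name}`] = p;
      for (const p of op.parameters ?? []) merged[`${p.in}:${p.name}`] = p;
      const params: TargetParam[] = Object.keys(merged).map((k) => {
        const p = merged[k];
        return {
          name: p.name,
          location: p.in,
          required: p.in === "path" || p.required === true, // path params are always required
          type: p.schema?.type ?? "unknown",
        };
      });
      // Operation-level security replaces the document default entirely.
      const requirement = op.security ?? doc.security ?? [];
      const schemes: Record<string, true> = {};
      for (const alt of requirement) for (const name of Object.keys(alt)) schemes[name] = true;
      routes.push({
        method,
        path,
        operationId: op.operationId ?? `${method}_${path}`,
        params,
        hasBody: op.requestBody !== undefined,
        securitySchemes: Object.keys(schemes),
      });
    }
  }
  return routes;
}

function routeById(routes: TargetRoute[], operationId: string): TargetRoute | undefined {
  return routes.filter((r) => r.operationId === operationId)[0];
}

// Constructed sample document: three paths, one public endpoint, one
// operation that tightens the default bearer requirement with a scope.
const SAMPLE_SPEC: OpenApiDocument = {
  openapi: "3.0.3",
  security: [{ bearerAuth: [] }],
  paths: {
    "/health": { get: { operationId: "health", security: [] } },
    "/users": {
      get: {
        operationId: "listUsers",
        parameters: [{ name: "limit", in: "query", schema: { type: "integer", minimum: 1, maximum: 100 } }],
      },
      post: {
        operationId: "createUser",
        requestBody: { required: true, content: { "application/json": {} } },
      },
    },
    "/users/{id}": {
      parameters: [{ name: "id", in: "path", required: true, schema: { type: "string", format: "uuid" } }],
      get: { operationId: "getUser" },
      delete: { operationId: "deleteUser", security: [{ bearerAuth: ["admin"] }] },
    },
  },
};

const TARGETS = buildTargetRoutes(SAMPLE_SPEC);
```

The output is the flat list a mutation engine can iterate over: for each route it knows which parameters are mandatory, what primitive type each one declares (the `minimum`/`maximum` bounds in the sample are exactly the values a boundary test would read next), whether a body is expected, and whether the endpoint is public or behind a named scheme.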

Engineering Deep Dive

A primary engineering challenge is preventing the agent from triggering destructive cascade failures in test environments (e.g. deleting all reference records in a database in step 1, which invalidates all subsequent read/write tests).

The roadmap features a State Dependency Graph: the testing agent orders routes by HTTP method (e.g. POST before PUT, with DELETE strictly at the end of a session flow) and wraps each test thread in a database transaction that is automatically rolled back when the thread finishes.
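The ordering rule and the per-thread rollback, as an added example that is not BreakMyAPI's own code: `orderOperations` builds a dependency graph (POST on a path before PUT/PATCH/GET on it, POST on a collection before any operation on its `{id}` item path, every non-DELETE before the DELETE on the same path) and runs Kahn's topological sort, preferring non-DELETE operations among the ready ones so deletes sink to the end of the flow. `runInRollbackScope` stands in for the transaction: an in-memory store is snapshotted, the work runs, and the snapshot is restored whether the work returns or throws. The function names, the `Operation`/`Store` types and the sample route list are assumptions for the example.

```typescript
// Added example (not BreakMyAPI code): order spec operations so creation runs
// before reads/updates of the created resource and every DELETE runs last,
// then run each step inside a scope whose writes are undone afterwards.
interface Operation { method: string; path: string }

// Collection path for an item path, e.g. "/users/{id}" -> "/users"; undefined otherwise.
function collectionOf(path: string): string | undefined {
  const m = /^(.*)\/\{[^/]+\}$/.exec(path);
  return m ? m[1] : undefined;
}

function orderOperations(ops: Operation[]): Operation[] {
  const n = ops.length;
  const dependents: number[][] = ops.map(() => []);
  const indegree: number[] = ops.map(() => 0);
  const addEdge = (from: number, to: number) => { dependents[from].push(to); indegree[to] += 1; };

  for (let i = 0; i < n; i++) {
    for (let j = 0; j < n; j++) {
      if (i === j) continue;
      const a = ops[i], b = ops[j];
      const samePath = a.path === b.path;
      // POST on a path precedes PUT/PATCH/GET on that same path ...
      if (samePath && a.method === "POST" && b.method !== "POST" && b.method !== "DELETE") addEdge(i, j);
      // ... and POST on the collection precedes everything on its item path.
      if (a.method === "POST" && collectionOf(b.path) === a.path) addEdge(i, j);
      // Every non-DELETE on a path precedes the DELETE on that path.
      if (samePath && a.method !== "DELETE" && b.method === "DELETE") addEdge(i, j);
    }
  }

  // Kahn's algorithm; among ready nodes prefer non-DELETE, then original order,
  // so DELETEs sink to the end of the session flow.
  const ordered: Operation[] = [];
  const done: boolean[] = ops.map(() => false);
  while (ordered.length < n) {
    let pick = -1;
    for (let i = 0; i < n; i++) {
      if (done[i] || indegree[i] !== 0) continue;
      if (pick === -1 || (ops[pick].method === "DELETE" && ops[i].method !== "DELETE")) pick = i;
    }
    if (pick === -1) throw new Error("dependency cycle between operations");
    done[pick] = true;
    ordered.push(ops[pick]);
    for (const d of dependents[pick]) indegree[d] -= 1;
  }
  return ordered;
}

type Store = Record<string, string>;

// Mimics a per-test-thread transaction: the work may write freely, and the
// store is restored to its snapshot afterwards whether the work returns or throws.
function runInRollbackScope<T>(store: Store, work: (s: Store) => T): T {
  const snapshot = JSON.stringify(store);
  try {
    return work(store);
  } finally {
    for (const k of Object.keys(store)) delete store[k];
    const saved = JSON.parse(snapshot) as Store;
    for (const k of Object.keys(saved)) store[k] = saved[k];
  }
}

function orderedLabels(ops: Operation[]): string[] {
  return orderOperations(ops).map((o) => `${o.method} ${o.path}`);
}

// Constructed sample: deliberately listed with DELETE first to show the reordering.
const SAMPLE_OPS: Operation[] = [
  { method: "DELETE", path: "/users/{id}" },
  { method: "GET", path: "/users/{id}" },
  { method: "PUT", path: "/users/{id}" },
  { method: "POST", path: "/users" },
  { method: "GET", path: "/users" },
  { method: "GET", path: "/health" },
];
```

For the sample list the order comes out as POST /users, GET /users/{id}, PUT /users/{id}, GET /users, GET /health, DELETE /users/{id}: the record is created first, exercised, and removed only after every other step has run, which is precisely the cascade the paragraph above wants to avoid. In a real runner the rollback scope would be a database transaction (or a per-thread schema) rather than an in-memory snapshot.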

We are also designing a feedback loop that evaluates API responses (such as 500 Internal Server Error) and instructs the agent to narrow the fuzzing payload on that specific path until the code-level unhandled exception is pinpointed.
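The feedback loop in miniature, as an added example and not BreakMyAPI's own code: each candidate body is sent to the endpoint, the status is classified, and a 5xx answer triggers a greedy one-field-at-a-time reduction (a simple form of delta debugging) that keeps removing top-level fields as long as the crash persists, leaving the smallest body that still reproduces it. The endpoint is a constructed stand-in with one deliberate defect so the loop has something to find; `classify`, `minimizePayload`, `runFeedbackLoop`, `mockCreateUser` and the candidate payloads are assumptions for the example.

```typescript
// Added example (not BreakMyAPI code): a response-driven feedback loop. A 5xx
// answer is treated as an unhandled exception and the body is shrunk field by
// field while the 5xx persists.
type Json = Record<string, unknown>;
type Verdict = "crash" | "rejected" | "accepted" | "other";

interface Finding { path: string; status: number; trigger: Json; minimal: Json }

function classify(status: number): Verdict {
  if (status >= 500) return "crash";
  if (status >= 400) return "rejected";
  if (status >= 200 && status < 300) return "accepted";
  return "other";
}

// Drop a top-level field, keep the drop only if the endpoint still crashes,
// repeat until no single removal keeps the crash alive.
function minimizePayload(send: (body: Json) => number, payload: Json): Json {
  let current: Json = { ...payload };
  let changed = true;
  while (changed) {
    changed = false;
    for (const key of Object.keys(current)) {
      const candidate: Json = { ...current };
      delete candidate[key];
      if (classify(send(candidate)) === "crash") {
        current = candidate;
        changed = true;
      }
    }
  }
  return current;
}

function runFeedbackLoop(path: string, send: (body: Json) => number, candidates: Json[]): Finding[] {
  const findings: Finding[] = [];
  for (const body of candidates) {
    const status = send(body);
    if (classify(status) !== "crash") continue;
    findings.push({ path, status, trigger: body, minimal: minimizePayload(send, body) });
  }
  return findings;
}

// Constructed stand-in for the endpoint under test, with one deliberate defect
// for the example: `nickname` is trimmed without checking that it is a string.
function mockCreateUser(body: Json): number {
  try {
    if (typeof body.name !== "string" || body.name.length === 0) return 400;
    const nickname = body.nickname === undefined ? "" : (body.nickname as string).trim();
    if (nickname.length > 32) return 400;
    return 201;
  } catch {
    return 500; // the framework's catch-all maps the TypeError to a 500
  }
}

// Constructed candidate bodies: one accepted, one rejected, one that crashes.
const CANDIDATES: Json[] = [
  { name: "alice", email: "alice@example.test" },
  { name: "", email: "x@example.test" },
  { name: "bob", email: "bob@example.test", nickname: 42, tags: ["a"], profile: { bio: "x" } },
];

const FINDINGS = runFeedbackLoop("POST /users", mockCreateUser, CANDIDATES);
```

For the crashing candidate the reduction discards `email`, `tags` and `profile` and stops at `{ name: "bob", nickname: 42 }`: `name` cannot go because the validator then rejects the request with a 400 before the defect is reached, and `nickname` cannot go because the crash disappears. That two-field body is what the report should carry, since it points straight at the missing type check. A production runner would also reduce nested objects and string lengths, and would rate-limit the retries so the narrowing pass does not itself become a load test.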

Quantifiable Metrics

  1. Automated OpenAPI schema ingestion to build the target route list without manual mapping.
  2. Dynamic fuzzing payload generation using structured JSON prompts on Gemini 1.5 Flash.
  3. Planned support for automated JWT signature manipulation to audit authentication boundaries.
  4. Automatic generation of Markdown report cards detailing endpoints sorted by vulnerability rating.

Visual Showcase

Screenshots, dashboard metrics, and recorded event videos proving the system running in real-time.

BreakMyAPI interactive OpenAPI endpoint parser and stress dashboard.