AI Summary
Existing REST API testing approaches often fail to effectively cover business-sensitive functionality due to the absence of business-level constraints. This work proposes LoBREST, the first method to incorporate business context derived from historical request logs into REST API testing. By slicing operation sequences, identifying missing operations, and completing resource dependencies, LoBREST constructs business-aware enhanced inputs and integrates them with a business-logic-guided fuzzing strategy, thereby overcoming the limitations of specification-driven testing. Evaluation on 17 real-world services demonstrates that LoBREST substantially outperforms eight state-of-the-art tools, achieving 2.1× higher operation coverage and 1.2× greater line coverage on average, while uncovering 108 distinct 5XX errors, 38 of which were uniquely identified by LoBREST.
Abstract
REST APIs enable collaboration among microservices. A single fault in a REST API can bring down the entire microservice system and cause significant financial losses, underscoring the importance of REST API testing. Effectively testing REST APIs requires thoroughly exercising the functionalities behind them. To this end, existing techniques leverage REST specifications (e.g., Swagger or OpenAPI) to generate test cases. Using the resource constraints extracted from specifications, these techniques work well for testing simple, business-insensitive functionalities, such as resource creation, retrieval, update, and deletion. However, for complex, business-sensitive functionalities, these specification-based techniques often fall short, since exercising such functionalities requires additional business constraints that are typically absent from REST specifications. In this paper, we present LoBREST, a log-based, business-aware REST API testing technique that leverages historical request logs (HRLogs) to effectively exercise the business-sensitive functionalities behind REST APIs. To obtain compact operation sequences that preserve clean and complete business constraints, LoBREST first employs a locality-slicing strategy to partition HRLogs into smaller slices. Then, to ensure the effectiveness of the obtained slices, LoBREST enhances them in two steps: (1) adding slices for operations missing from HRLogs, and (2) completing missing resources within the slices. Finally, to improve test adequacy, LoBREST uses these enhanced slices as initial seeds to perform business-aware fuzzing. LoBREST outperformed eight tools (including Arat-rl, Morest, and Deeprest) across 17 real-world services. It achieved top operation coverage on 16 services and line coverage on 15, averaging 2.1x and 1.2x improvements over the runner-up. LoBREST detected 108 5XX bugs, including 38 found by no other tool.