Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs
Mass assignment is one of the most prominent vulnerabilities in RESTful APIs. This vulnerability originates from a misconfiguration in common web frameworks, such that naming convention and automatic binding can be exploited by an attacker to craft malicious requests writing confidential resources and (massively) overriding data, that should be read-only and/or confidential. In this paper, we adopt a black-box testing perspective to automatically detect mass assignment vulnerabilities in RESTful APIs. Execution scenarios are generated purely based on the OpenAPI specification, that lists the available operations and their message format. Clustering is used to group similar operations and reveal read-only fields, the latter are candidate for mass assignment. Then, interaction sequences are automatically generated by instantiating abstract testing templates, trying to exploit the potential vulnerabilities. Finally, test cases are run, and their execution is assessed by a specific oracle, in order to reveal whether the vulnerability could be successfully exploited. The proposed novel approach has been implemented and evaluated on a set of case studies written in different programming languages. The evaluation highlights that the approach is quite effective in detecting seeded vulnerabilities, with a remarkably high accuracy.
Fri 19 MayDisplayed time zone: Hobart change
15:45 - 17:15 | Vulnerability testing and patchingTechnical Track / Journal-First Papers / DEMO - Demonstrations at Meeting Room 105 Chair(s): Cristian Cadar Imperial College London, UK | ||
15:45 15mTalk | Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation Technical Track Jiamou Sun CSIRO's Data61, Zhenchang Xing , Qinghua Lu CSIRO’s Data61, Xiwei (Sherry) Xu CSIRO’s Data61, Liming Zhu CSIRO’s Data61, Thong Hoang Data61, CSIRO, Dehai Zhao Australian National University, Australia | ||
16:00 15mTalk | Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects Technical Track Lyuye Zhang Nanyang Technological University, Chengwei Liu Nanyang Technological University, Singapore, Zhengzi Xu Nanyang Technological University, Sen Chen Tianjin University, Lingling Fan Nankai University, Lida Zhao Nanyang Technological University, Wu Jiahui Nanyang Technological University, Yang Liu Nanyang Technological University | ||
16:15 15mTalk | Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs Technical Track Davide Corradini University of Verona, Michele Pasqua University of Verona, Mariano Ceccato University of Verona Pre-print | ||
16:30 7mTalk | Patchmatch: A Tool for Locating Patches of Open Source Project Vulnerabilities DEMO - Demonstrations Kedi Shen Zhejiang university city college, Yun Zhang Zhejiang University City College, Lingfeng Bao Zhejiang University, Zhiyuan Wan Zhejiang University, Zhuorong Li Zhejiang university city college, Minghui Wu Zhejiang University City College} | ||
16:37 8mTalk | Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats Journal-First Papers Giorgio Di Tizio University of Trento, Michele Armellini University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam | ||
16:45 7mTalk | SSPCatcher: Learning to Catch Security Patches Journal-First Papers Arthur D. Sawadogo Université du Québec à Montréal, Tegawendé F. Bissyandé SnT, University of Luxembourg, Naouel Moha École de Technologie Supérieure (ETS), Kevin Allix CentraleSupelec Rennes, Jacques Klein University of Luxembourg, Li Li Beihang University, Yves Le Traon University of Luxembourg, Luxembourg | ||
16:52 15mTalk | CoLeFunDa: Explainable Silent Vulnerability Fix Identification Technical Track Jiayuan Zhou Huawei, Michael Pacheco Centre for Software Excellence, Huawei, Jinfu Chen Centre for Software Excellence, Huawei, Canada, Xing Hu Zhejiang University, Xin Xia Huawei, David Lo Singapore Management University, Ahmed E. Hassan Queen’s University | ||