APIs often transmit far more data to client applications than they need, and in the context of web applications, often do so over public channels. This issue, termed Excessive Data Exposure (EDE), was OWASP’s third most significant API vulnerability of 2019. However, there are few automated tools—either in research or industry—to effectively find and remediate such issues. This is unsurprising as the problem lacks an explicit test oracle: the vulnerability does not manifest through explicit abnormal behaviours (e.g., program crashes or memory access violations).
In this work, we develop a metamorphic relation to tackle that challenge and build the first fuzzing tool—that we call EDEFuzz—to systematically detect EDEs. EDEFuzz can significantly reduce false negatives that occur during manual inspection and ad-hoc text-matching techniques, the current most-used approaches.
We tested EDEFuzz against the sixty-nine applicable targets from the Alexa Top-200 and found 33,365 potential leaks—illustrating our tool’s broad applicability and scalability. In a more-tightly controlled experiment of eight popular websites in Australia, EDEFuzz achieved a high true positive rate of 98.65% with minimal configuration, illustrating our tool’s accuracy and efficiency.
Thu 18 AprDisplayed time zone: Lisbon change
11:00 - 12:30 | Fuzzing 1Software Engineering in Practice / Journal-first Papers / Research Track at Fernando Pessoa Chair(s): Marcel Böhme MPI-SP, Bochum | ||
11:00 15mTalk | Crossover in Parametric Fuzzing Research Track Pre-print Media Attached | ||
11:15 15mTalk | SpecBCFuzz: Fuzzing LTL Solvers with Boundary Conditions Research Track Luiz Carvalho University of Luxembourg, Renzo Degiovanni Luxembourg Institute of Science and Technology, Maxime Cordy University of Luxembourg, Luxembourg, Nazareno Aguirre University of Rio Cuarto and CONICET, Yves Le Traon University of Luxembourg, Luxembourg, Mike Papadakis University of Luxembourg | ||
11:30 15mTalk | EDEFuzz: A Web API Fuzzer for Excessive Data Exposures Research Track Lianglu Pan University of Melbourne, Shaanan Cohney University of Melbourne, Toby Murray University of Melbourne, Thuan Pham The University of Melbourne | ||
11:45 15mTalk | ECFuzz: Effective Configuration Fuzzing for Large-Scale Systems Research Track Junqiang Li University of Electronic Science and Technology of China, Senyi Li University of Electronic Science and Technology of China, Keyao Li University of Electronic Science and Technology of China, Falin Luo University of Electronic Science and Technology of China, Hongfang Yu University of Electronic Science and Technology of China, Shanshan Li National University of Defense Technology, Xiang Li Academy of Military Sciences DOI Media Attached File Attached | ||
12:00 15mTalk | Mind the Gap: What Working With Developers on Fuzz Tests Taught Us About Coverage Gaps Software Engineering in Practice Carolin Brandt Delft University of Technology, Marco Castelluccio Mozilla, Christian Holler Mozilla Corporation, Jason Kratzer Mozilla Corporation, Andy Zaidman Delft University of Technology, Alberto Bacchelli University of Zurich DOI Pre-print | ||
12:15 7mTalk | CLFuzz: Vulnerability Detection of Cryptographic Algorithm Implementation via Semantic-Aware Fuzzing Journal-first Papers Yuanhang Zhou Tsinghua University, Fuchen Ma Tsinghua University, Yuanliang Chen Tsinghua University, Meng Ren Tsinghua University, Yu Jiang Tsinghua University | ||
12:22 7mTalk | FormatFuzzer: Effective Fuzzing of Binary File Formats Journal-first Papers Rafael Dutra CISPA Helmholtz Center for Information Security, Rahul Gopinath University of Sydney, Andreas Zeller CISPA Helmholtz Center for Information Security |