Abstract

Modern RESTful services expose RESTful APIs to integrate with diversified applications. Most RESTful API parameters are weakly typed, which greatly increases the possible input value space. This poses difficulties for automated testing tools to generate effective test cases to reveal web service defects related to parameter validation. We call this phenomenon the type collapse problem. To remedy this problem, we introduce FET (Format-encoded Type) techniques, including the FET, the FET lattice, and the FET inference to model fine-grained information for API parameters. Enhanced by FET techniques, automated testing tools can generate targeted test cases. We demonstrate Leif, a trace-driven fuzzing tool, as a proof-of-concept implementation of FET techniques. Experiment results on 27 commercial services show that FET inference precisely captures documented parameter definitions, which helps Leif to discover 11 new bugs and reduce 72% sim 86% fuzzing time as compared to state-of-the-art fuzzers.

Highlights

  • The REST (Representational State Transfer) architecture [28] nowadays has dominated the design of complex web services, such as public clouds (e.g. AWS and Azure), social networking (e.g. Facebook and Twitter), and code hosting (e.g. GitHub and GitLab)

  • How accurately do FET inference results describe RESTful API parameters of complicated real-world web services? Can Leif generate effective test cases and help developers to detect web service vulnerabilities in practice? Does Leif have better bug-finding capability with reduced fuzzing time when compared to existing state-of-the-art trace-driven and specificationdriven fuzz testing tools?

  • We feed example requests gained from the documents to FET inference, compare the inferred FETs with the ground truth, and observe three levels of matching: (1) exact match, the inferred FET is said to be an exact match if it has the exactly same data type and the value format as the ground truth; (2) partial match, the inferred FET is said to be a partial match if it has the exact data type, but its value format is a proper superset of the ground truth; (3) mismatch, for the remaining cases

Read more

Summary

Introduction

The REST (Representational State Transfer) architecture [28] nowadays has dominated the design of complex web services, such as public clouds (e.g. AWS and Azure), social networking (e.g. Facebook and Twitter), and code hosting (e.g. GitHub and GitLab). According to a recent survey of 40 real-world popular RESTful web services [36], modern services involve an average of 64 APIs and over 20 parameters per API Testing such an input space of possible parameter value combinatorics is challenging, and automated testing is indispensable. Many automated REST testing tools are ineffective while RESTful web services suffer from various input-related attacks, such as integer overflow attacks and SQL injection attacks [18]. We call this phenomenon the type collapse problem. A datetime parameter may require an ISO8601 date string This motivates us to introduce the FET (Format-encoded Type) which combines data types and value formats to describe parameters in fine grains.

Motivation
FET Techniques
Type Lattice
FET Inference
FET-enhanced REST Fuzzing
FET-aware Trace-driven Fuzzing
Evaluation
FET Inference Accuracy Evaluation
Leif Effectiveness Evaluation
Pinduoduo
Comparative Evaluation
Related Work
Conclusion and Future Work
30. Google
41. Open API CSA Working Group

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.