TL;DR
This paper presents a lightweight method to analyze REST API specifications to identify potential mass assignment vulnerabilities, revealing that a significant number of APIs are susceptible, with some confirmed as vulnerable.
Contribution
The study introduces a novel approach for mining REST API specifications to detect mass assignment vulnerabilities, validated on 100 APIs with real vulnerabilities confirmed.
Findings
25 APIs prone to mass assignment vulnerabilities
9 vulnerable operations confirmed in 6 APIs
Method effectively identifies potential security issues
Abstract
REST APIs have a pivotal role in accessing protected resources. Despite the availability of security testing tools, mass assignment vulnerabilities are common in REST APIs, leading to unauthorized manipulation of sensitive data. We propose a lightweight approach to mine the REST API specifications and identify operations and attributes that are prone to mass assignment. We conducted a preliminary study on 100 APIs and found 25 prone to this vulnerability. We confirmed nine real vulnerable operations in six APIs.
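As an added illustration (not the paper's tool or code) of what mining a specification for mass-assignment-prone operations can look like, the following Python script applies one simple heuristic to a constructed OpenAPI fragment: an attribute that a GET on a resource returns, but that the POST/PUT/PATCH request schema for the same resource does not declare, is a read-only candidate (for example `id` or `role`); a write operation is flagged as prone when its request schema neither declares that attribute nor closes itself with `additionalProperties: false`. The heuristic, the `analyze`/`Finding` names and the `SAMPLE_SPEC` document are all assumptions made for this example, not the authors' method.

```python
"""Heuristic miner for mass-assignment-prone operations in an OpenAPI document.

Added example, not the paper's tool. Assumed heuristic: an attribute returned
by GET on a resource but absent from the write request schema for the same
resource is a read-only candidate; the write operation is flagged when its
schema neither declares the attribute (a readOnly declaration counts) nor sets
additionalProperties: false, so a server that binds the whole JSON body to
its model may silently accept it.
"""
from dataclasses import dataclass

WRITE_METHODS = ("post", "put", "patch")


@dataclass(frozen=True)
class Finding:
    path: str
    method: str
    attribute: str  # read-only candidate the operation may silently accept


def _resolve(spec, schema):
    """Follow local $ref pointers such as '#/components/schemas/User'."""
    while isinstance(schema, dict) and "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def _json_schema(spec, content):
    """Resolved schema of the application/json media type, or None."""
    media = (content or {}).get("application/json") or {}
    return _resolve(spec, media["schema"]) if "schema" in media else None


def _object_props(spec, schema):
    """Property names of an object schema (array items are unwrapped)."""
    if schema and schema.get("type") == "array":
        schema = _resolve(spec, schema.get("items", {}))
    if schema and schema.get("type") == "object":
        return set(schema.get("properties", {}))
    return set()


def _resource_key(path):
    """'/users' and '/users/{id}' describe the same resource."""
    return "/".join(s for s in path.split("/") if s and not s.startswith("{"))


def analyze(spec):
    """Return Findings for write operations prone to mass assignment."""
    paths = spec.get("paths", {})
    # 1. attributes observable through successful GET responses, per resource
    readable = {}
    for path, item in paths.items():
        for code, resp in item.get("get", {}).get("responses", {}).items():
            if str(code).startswith("2"):
                props = _object_props(spec, _json_schema(spec, resp.get("content")))
                readable.setdefault(_resource_key(path), set()).update(props)
    # 2. write operations whose request schema leaves those attributes open
    findings = []
    for path, item in paths.items():
        for method in WRITE_METHODS:
            op = item.get(method)
            if not op:
                continue
            schema = _json_schema(spec, op.get("requestBody", {}).get("content"))
            if not schema or schema.get("additionalProperties") is False:
                continue  # closed schema: undeclared attributes are rejected
            declared = set(schema.get("properties", {}))  # includes readOnly ones
            for attr in sorted(readable.get(_resource_key(path), set()) - declared):
                findings.append(Finding(path, method.upper(), attr))
    return findings


# Constructed OpenAPI fragment (not a real API): the User read model exposes
# "id" and "role", the create payload is open, the update payload is closed.
_USER_JSON = {"application/json": {"schema": {"$ref": "#/components/schemas/User"}}}
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"schemas": {
        "User": {"type": "object", "properties": {
            "id": {"type": "integer"}, "email": {"type": "string"},
            "role": {"type": "string"}}},
        "UserCreate": {"type": "object", "properties": {
            "email": {"type": "string"}, "password": {"type": "string"}}},
        "UserUpdate": {"type": "object", "additionalProperties": False,
                       "properties": {"email": {"type": "string"},
                                      "password": {"type": "string"}}},
    }},
    "paths": {
        "/users": {
            "get": {"responses": {"200": {"content": {"application/json": {"schema": {
                "type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}},
            "post": {"requestBody": {"content": {"application/json": {"schema": {
                "$ref": "#/components/schemas/UserCreate"}}}},
                     "responses": {"201": {"content": _USER_JSON}}}},
        "/users/{id}": {
            "get": {"responses": {"200": {"content": _USER_JSON}}},
            "put": {"requestBody": {"content": {"application/json": {"schema": {
                "$ref": "#/components/schemas/UserUpdate"}}}},
                    "responses": {"200": {"content": _USER_JSON}}}},
    },
}

if __name__ == "__main__":
    for f in analyze(SAMPLE_SPEC):
        print(f"{f.method} {f.path}: may accept read-only attribute '{f.attribute}'")
```

On the sample document the open `POST /users` is reported for `id` and `role`, while the closed `PUT /users/{id}` is not. A finding is only a candidate, as the paper's numbers (25 prone, 9 confirmed in 6 APIs) suggest: whether the server actually binds the extra attribute has to be confirmed against the implementation. The spec-level mitigations the heuristic rewards are the ones worth adopting anyway, namely closing write schemas with `additionalProperties: false`, marking server-managed attributes `readOnly`, and validating requests against the spec so those declarations are enforced.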