Vulnerability-oriented Testing for RESTful APIs

Wenlong Du, Jian Li, Yanhao Wang, Libo Chen, Zhengguang Han, Yijun Wang, Zhi Xue

33rd USENIX Security Symposium · Day 1 · USENIX Security '24

RESTful APIs have become the backbone of modern software architecture, powering everything from cloud services and enterprise applications to IoT devices. Their widespread adoption has been accompanied by a surge in security vulnerabilities, with significant incidents such as the Facebook API bug that reportedly affected millions of users. Addressing this escalating threat requires robust and efficient methods for discovering API security weaknesses. This talk introduces **V-API**, a novel inspection framework that tackles this challenge with a **vulnerability-oriented strategy**: rather than testing every endpoint generically, it ties what an API endpoint does to the vulnerability types that endpoint should be tested for.

AI review

This research presents a highly effective, novel framework for API vulnerability discovery by formalizing the attacker's intuition: linking the function an API endpoint performs to the specific vulnerability types it is likely to exhibit. V-API significantly outperforms generic testing tools, identifying 26 previously unknown vulnerabilities in real-world applications, 7 of which received CVE identifiers. This is a critical advancement for API security.
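To make the idea concrete, here is a toy harness in the spirit of the strategy described above: it reads a small API description, guesses each endpoint's function from its parameters, probes only the vulnerability classes that function suggests, and judges the responses with class-specific oracles. This is an added example, not V-API's code, and its classification rules, payloads and oracles are assumptions chosen for illustration; the spec, the mock application and its planted flaws are constructed so the whole thing runs offline.

```python
"""Toy 'vulnerability-oriented' API test harness (illustrative, not V-API).

Constructed example: an OpenAPI-like spec, a heuristic that maps each
endpoint's apparent function to the vulnerability classes worth probing,
class-specific payloads and oracles, and an in-process mock app with
deliberately planted flaws so the harness runs without a network.
"""
import re
import sqlite3

# Hand-written mini spec (constructed): method, path, {param: location}.
SPEC = [
    {"method": "GET", "path": "/files", "params": {"name": "query"}},
    {"method": "GET", "path": "/users/{id}", "params": {"id": "path"}},
    {"method": "GET", "path": "/search", "params": {"q": "query"}},
    {"method": "GET", "path": "/health", "params": {}},
]

# Function -> vulnerability-class heuristic (assumed rules, not the paper's).
RULES = [
    ("path_traversal", lambda n, loc: re.search(r"file|path|name", n) is not None),
    ("bola", lambda n, loc: loc == "path" and n.endswith("id")),
    ("sqli", lambda n, loc: loc == "query" and n in ("q", "query", "search")),
]

# Per-class probes, plus a benign value used to capture a baseline response.
PAYLOADS = {
    "path_traversal": ["../../etc/passwd"],
    "bola": ["2"],              # an id the fixed caller (user 1) does not own
    "sqli": ["x' OR '1'='1", "x'"],
}
BENIGN = {"path_traversal": "report.txt", "bola": "1", "sqli": "x"}


def plan_tests(spec):
    """Return {(method, path): [(param, vuln_class), ...]} for endpoints whose
    parameters suggest a specific vulnerability class; others are skipped."""
    plan = {}
    for ep in spec:
        targets = [(p, cls) for p, loc in ep["params"].items()
                   for cls, pred in RULES if pred(p, loc)]
        if targets:
            plan[(ep["method"], ep["path"])] = targets
    return plan


def oracle(cls, status, body, baseline):
    """Decide whether a probe response confirms the class being tested."""
    if cls == "path_traversal":
        return status == 200 and "root:" in body          # content from outside the root
    if cls == "bola":
        return status == 200 and body != baseline         # another user's record served
    if cls == "sqli":
        return (status == 500 and "sql error" in body) or (
            status == 200 and body != baseline and "apple" in body)  # tautology widened results
    return False


class MockApp:
    """Constructed target with planted flaws; the caller is always user 1."""

    def __init__(self):
        self.files = {"report.txt": "quarterly numbers"}
        self.secret = "root:x:0:0"  # stands in for /etc/passwd
        self.users = {1: {"name": "alice"}, 2: {"name": "bob"}}
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE items(name TEXT)")
        self.db.executemany("INSERT INTO items VALUES (?)", [("apple",), ("pear",)])

    def request(self, method, path, params):
        """Return (status, body) like a real server would."""
        if path == "/files":
            name = params.get("name", "")
            if ".." in name:                      # planted: traversal escapes the root
                return 200, self.secret
            return (200, self.files[name]) if name in self.files else (404, "")
        if path.startswith("/users/"):
            uid = int(path.rsplit("/", 1)[1])     # planted: no ownership check at all
            return (200, str(self.users[uid])) if uid in self.users else (404, "")
        if path == "/search":
            q = params.get("q", "")
            try:                                  # planted: string concatenation into SQL
                rows = self.db.execute(f"SELECT name FROM items WHERE name = '{q}'").fetchall()
                return 200, str(rows)
            except sqlite3.Error as e:
                return 500, f"sql error: {e}"
        return 404, ""


def run(spec, app):
    """Probe only the planned (endpoint, param, class) triples; return findings."""
    findings = []
    for (method, path), targets in plan_tests(spec).items():
        loc_of = next(e for e in spec if e["path"] == path)["params"]
        for param, cls in targets:
            def send(value):
                if loc_of[param] == "path":
                    return app.request(method, path.replace("{%s}" % param, value), {})
                return app.request(method, path, {param: value})
            _, baseline = send(BENIGN[cls])
            for payload in PAYLOADS[cls]:
                status, body = send(payload)
                if oracle(cls, status, body, baseline):
                    findings.append((method, path, param, cls, payload))
                    break                          # one confirming probe per class suffices
    return findings


if __name__ == "__main__":
    for f in run(SPEC, MockApp()):
        print(f)
```

The point of the example is the shape of the loop, not the heuristics: generic fuzzing would spray every payload at every parameter (including `/health`), whereas a function-aware plan sends traversal probes only where a file name is expected, ownership probes only where an object id appears in the path, and injection probes only where free text reaches a query. In a real tool the classification would come from the spec's schemas and observed behaviour rather than parameter-name regexes, and the oracles would compare against a known-good run rather than string markers.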
