Beyond REST: Introducing APIF for Comprehensive API Vulnerability Fuzzing


Research area: Strategies



Venue: RAID '24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses


Abstract

In modern software development, APIs play a crucial role: they facilitate platform interoperability and serve as conduits for data transmission. API fuzzing has emerged as a way to explore errors and vulnerabilities in web applications, cloud services, and IoT systems. Its effectiveness depends heavily on parameter structure analysis and fuzzing request generation. However, existing methods focus mainly on RESTful APIs and lack generalizability to other protocols. Additionally, shortcomings in the effectiveness of test payloads and in testing efficiency have limited the large-scale application of these methods in real-world scenarios. This paper introduces APIF, a novel API fuzzing framework that incorporates three innovative designs. First, by adopting a tree-structured model for parsing and mutating parameters in different API protocols, APIF breaks the limitation of existing research that is effective only for RESTful APIs, thus broadening its applicability. Second, APIF uses a recursive decoder to handle the complex, nested encodings found in API parameters, increasing fuzzing effectiveness. Third, APIF combines a testing priority calculation algorithm with a parameter independence analysis algorithm to improve fuzzing efficiency, enabling the method to be applied to real-world, large-scale API vulnerability fuzzing. We evaluate APIF against state-of-the-art fuzzers on 412 APIs from 7 open-source projects. The results demonstrate APIF's superior precision, recall, and efficiency. Moreover, in real-world API vulnerability exploration, APIF discovered 188 bugs across 60 API projects, with 26 vulnerabilities confirmed by the software maintainers.
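The two ideas the abstract leans on, a tree-structured parameter model and a recursive decoder for nested encodings, are easiest to see on a concrete request. The following is an added illustration written for this page, not APIF's own code and not taken from the paper: it peels JSON, base64 and URL-query encodings off a constructed request body layer by layer, builds a tree whose leaves are the actual parameter values, substitutes a payload at one leaf, and re-wraps every layer so the mutated body is still well-formed. The sample body, the detection heuristics (in particular the base64 round-trip check) and all function names are assumptions of this example.

```python
import base64
import json
import string
import urllib.parse

# Constructed sample request body (not from the paper): a JSON object whose
# "filter" member is a URL-encoded query string, whose "cursor" member is in
# turn base64(JSON). A flat fuzzer that only mutates top-level JSON fields
# never reaches "user_id" at the bottom of that stack.
INNER = {"page": 2, "user_id": 1001}
CURSOR = base64.b64encode(json.dumps(INNER).encode()).decode()
SAMPLE_BODY = json.dumps({
    "action": "search",
    "filter": urllib.parse.urlencode({"q": "laptop", "cursor": CURSOR}),
})

_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def _try_json(text):
    """Return a dict/list if `text` is a JSON container, else None."""
    try:
        value = json.loads(text)
    except ValueError:
        return None
    return value if isinstance(value, (dict, list)) else None


def _try_b64(text):
    """Return decoded text if `text` is strict base64 of printable UTF-8."""
    if len(text) < 8 or len(text) % 4 or not set(text) <= _B64_ALPHABET:
        return None
    try:
        raw = base64.b64decode(text, validate=True)  # binascii.Error is a ValueError
        decoded = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Require an exact round trip so short plain words are not misread as base64.
    if not decoded.isprintable() or base64.b64encode(raw).decode() != text:
        return None
    return decoded


def _try_qs(text):
    """Return [(key, value), ...] if `text` is a URL query string, else None."""
    if "=" not in text or any(c.isspace() for c in text):
        return None
    try:
        return urllib.parse.parse_qsl(text, strict_parsing=True, keep_blank_values=True)
    except ValueError:
        return None


def decode_tree(value):
    """Recursively strip encodings from `value`; leaves are raw parameter values."""
    if isinstance(value, dict):
        return {"enc": "object", "children": {k: decode_tree(v) for k, v in value.items()}}
    if isinstance(value, list):
        return {"enc": "array", "children": [decode_tree(v) for v in value]}
    if not isinstance(value, str):
        return {"enc": "scalar", "value": value}
    # Order matters: base64 is tried before query strings because "=" padding
    # would otherwise satisfy the query-string parser.
    parsed = _try_json(value)
    if parsed is not None:
        return {"enc": "json", "child": decode_tree(parsed)}
    inner = _try_b64(value)
    if inner is not None:
        return {"enc": "base64", "child": decode_tree(inner)}
    pairs = _try_qs(value)
    if pairs is not None:
        return {"enc": "qs", "children": [(k, decode_tree(v)) for k, v in pairs]}
    return {"enc": "raw", "value": value}


def encode_tree(node):
    """Inverse of decode_tree: re-apply every layer so the body stays well-formed."""
    enc = node["enc"]
    if enc == "object":
        return {k: encode_tree(v) for k, v in node["children"].items()}
    if enc == "array":
        return [encode_tree(v) for v in node["children"]]
    if enc in ("raw", "scalar"):
        return node["value"]
    if enc == "json":
        return json.dumps(encode_tree(node["child"]))
    if enc == "base64":
        return base64.b64encode(str(encode_tree(node["child"])).encode()).decode()
    if enc == "qs":
        return urllib.parse.urlencode([(k, encode_tree(v)) for k, v in node["children"]])
    raise ValueError(enc)


def leaves(node, path=()):
    """Yield (path, value) for every leaf; wrapper layers are transparent in the path."""
    enc = node["enc"]
    if enc in ("raw", "scalar"):
        yield path, node["value"]
    elif enc == "object":
        for k, v in node["children"].items():
            yield from leaves(v, path + (k,))
    elif enc == "array":
        for i, v in enumerate(node["children"]):
            yield from leaves(v, path + (i,))
    elif enc == "qs":
        for k, v in node["children"]:
            yield from leaves(v, path + (k,))
    else:  # json / base64
        yield from leaves(node["child"], path)


def with_leaf(node, path, value):
    """Return a copy of `node` with the leaf at `path` replaced by `value`."""
    enc = node["enc"]
    if enc in ("raw", "scalar"):
        if path:
            raise KeyError(path)
        return {"enc": "raw", "value": value}
    if enc in ("json", "base64"):
        return {"enc": enc, "child": with_leaf(node["child"], path, value)}
    key, rest = path[0], path[1:]
    if enc == "object":
        children = dict(node["children"])
        children[key] = with_leaf(children[key], rest, value)
        return {"enc": "object", "children": children}
    if enc == "array":
        children = list(node["children"])
        children[key] = with_leaf(children[key], rest, value)
        return {"enc": "array", "children": children}
    if enc == "qs":
        return {"enc": "qs", "children": [
            (k, with_leaf(v, rest, value) if k == key else v) for k, v in node["children"]]}
    raise ValueError(enc)


def fuzz_bodies(body, payload):
    """One mutated body per leaf, with the payload re-wrapped in every enclosing layer."""
    tree = decode_tree(body)
    return {path: encode_tree(with_leaf(tree, path, payload)) for path, _ in leaves(tree)}


if __name__ == "__main__":
    for path, body in fuzz_bodies(SAMPLE_BODY, "1001 OR 1=1").items():
        print("/".join(map(str, path)), "->", body)
```

Running the block prints four mutated bodies. The one targeting `filter/cursor/user_id` does not contain the payload in clear text at all: it is base64-wrapped inside the URL-encoded query string inside the JSON, which is exactly the case a fuzzer without a recursive decoder cannot generate. The heuristics are deliberately conservative (strict base64 with a round-trip check, query strings rejected on whitespace); a production fuzzer would add more layers (gzip, hex, XML, protocol-specific framing) to the same tree.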


Authors
Yu Wang, Tsinghua University, China
Yue Xu, PTLAB Singapore and TrustAI Pte.Ltd. Singapore (country listed as Andorra)

Paper information

Year of publication: 2024
Citations: 0
Publishing countries: Andorra, China
Site: ACM
Likes: 0

Related papers (334)