EDEFuzz: A Web API Fuzzer for Excessive Data Exposures
Lianglu Pan, Shaanan Cohney, Toby Murray, Van-Thuan Pham
Abstract
APIs often transmit far more data to client applications than they need, and in the context of web applications, often do so over public channels. This issue, termed Excessive Data Exposure (EDE), was OWASP's third most significant API vulnerability of 2019. However, there are few automated tools---either in research or industry---to effectively find and remediate such issues. This is unsurprising as the problem lacks an explicit test oracle: the vulnerability does not manifest through explicit abnormal behaviours (e.g., program crashes or memory access violations).
Topics & Concepts
Fuzz testingComputer scienceOracleVulnerability (computing)Context (archaeology)Computer securityWeb applicationWorld Wide WebDatabaseSoftware engineeringSoftwareOperating systemBiologyPaleontologyAdvanced Malware Detection TechniquesWeb Application Security VulnerabilitiesSecurity and Verification in Computing