Litcius/Paper detail

EDEFuzz: A Web API Fuzzer for Excessive Data Exposures

Lianglu Pan, Shaanan Cohney, Toby Murray, Van-Thuan Pham

202411 citationsDOI

Abstract

APIs often transmit far more data to client applications than they need, and in the context of web applications, often do so over public channels. This issue, termed Excessive Data Exposure (EDE), was OWASP's third most significant API vulnerability of 2019. However, there are few automated tools---either in research or industry---to effectively find and remediate such issues. This is unsurprising as the problem lacks an explicit test oracle: the vulnerability does not manifest through explicit abnormal behaviours (e.g., program crashes or memory access violations).

Topics & Concepts

Fuzz testingComputer scienceOracleVulnerability (computing)Context (archaeology)Computer securityWeb applicationWorld Wide WebDatabaseSoftware engineeringSoftwareOperating systemBiologyPaleontologyAdvanced Malware Detection TechniquesWeb Application Security VulnerabilitiesSecurity and Verification in Computing