Litcius/Paper detail

Checking Security Properties of Cloud Service REST APIs

Vaggelis Atlidakis, Patrice Godefroid, Marina Polishchuk

202062 citationsDOI

Abstract

Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers in a modular and efficient way. Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discuss their security implications. All these bugs have been fixed.

Topics & Concepts

Fuzz testingStateful firewallRest (music)Computer scienceCloud computingComputer securityService (business)Web serviceModular designOperating systemProgramming languageSoftwareNetwork packetEconomyCardiologyEconomicsMedicineWeb Application Security VulnerabilitiesSoftware Testing and Debugging TechniquesAdvanced Malware Detection Techniques
Checking Security Properties of Cloud Service REST APIs | Litcius