- The paper introduces LightMass, a novel approach that mines API specifications to uncover potential mass assignment vulnerabilities.
- It employs specification parsing, $ref resolution, and Jaccard similarity over attribute names to pair read and write operations on the same resource and to flag read-only attributes, reporting 25 potentially vulnerable systems out of 100 tested.
- The findings enable early detection of security flaws, complementing runtime tools by highlighting read-only attributes that require manual review and mitigation.
Mining REST APIs for Potential Mass Assignment Vulnerabilities
The paper "Mining REST APIs for Potential Mass Assignment Vulnerabilities" introduces a novel approach to identifying a specific class of security vulnerability in REST APIs known as mass assignment. Mass assignment arises when an API allows a client to modify object attributes it was never meant to control, potentially leading to unauthorized manipulation of sensitive data. The paper presents a tool named LightMass, designed to mine API specifications and detect the attributes and operations that are prone to such vulnerabilities.
Introduction to Mass Assignment Vulnerabilities
Mass assignment vulnerabilities occur when a REST API automatically binds the attributes of incoming request data to a backend data entity, such as the columns of a database table. Because the mapping is driven by matching field names, attributes that the server intended to be read-only (identifiers, privilege flags, timestamps) can inadvertently become writable, and an attacker can manipulate internal data simply by adding the corresponding fields to a crafted request. Crucially, this vulnerability may arise not from a coding mistake in a single handler but from incorrect or default configurations of the attribute-binding features offered by popular REST frameworks.
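The following example is added here to make the failure mode concrete; it is not code from the paper or from LightMass. It emulates a framework-style auto-binder in plain Python (no real framework is used) and places it beside a hardened binder that only writes the attributes an operation's request schema declares. The entity, the attribute names, the crafted request body and the `WRITABLE_ON_PATCH` allowlist are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Any, Mapping


@dataclass
class User:
    """Backend entity. 'id' and 'role' are meant to be server-controlled."""
    username: str = ""
    email: str = ""
    id: int = 0
    role: str = "user"


def bind_unchecked(entity: object, payload: Mapping[str, Any]) -> object:
    """Emulates framework auto-binding: every request attribute whose name
    matches an entity attribute is written through. This is the mass
    assignment pattern: the client decides which attributes change."""
    for name, value in payload.items():
        if hasattr(entity, name):
            setattr(entity, name, value)
    return entity


class MassAssignmentError(ValueError):
    """Raised when a request tries to write an attribute the operation does not accept."""


def bind_allowlisted(entity: object, payload: Mapping[str, Any],
                     writable: frozenset) -> object:
    """Hardened binder: only attributes declared writable for this operation are
    bound. Anything else (including read-only attributes such as 'id' and 'role')
    is rejected rather than silently dropped, so the attempt becomes visible."""
    unexpected = set(payload) - writable
    if unexpected:
        raise MassAssignmentError(
            f"attributes not writable on this operation: {sorted(unexpected)}")
    for name in writable & set(payload):
        setattr(entity, name, payload[name])
    return entity


# Constructed request body: a legitimate profile update with an injected 'role'.
CRAFTED_UPDATE = {"username": "mallory", "email": "mallory@example.com", "role": "admin"}

# Attributes a hypothetical PATCH /users/{id} request schema declares (assumption).
WRITABLE_ON_PATCH = frozenset({"username", "email"})


def demo_vulnerable() -> User:
    """Auto-binding lets the crafted 'role' field escalate the user to admin."""
    return bind_unchecked(User(id=42), CRAFTED_UPDATE)


def demo_hardened() -> str:
    """The allowlisted binder refuses the same request and names the offending field."""
    try:
        bind_allowlisted(User(id=42), CRAFTED_UPDATE, WRITABLE_ON_PATCH)
    except MassAssignmentError as exc:
        return str(exc)
    return "bound"


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:", demo_hardened())
```

The allowlist is exactly the set of attributes the write operation's request schema declares; the attributes LightMass reports as read-only candidates are those that must stay outside it. Rejecting rather than ignoring unexpected fields is a design choice: a silently dropped `role` leaves no trace, whereas a 4xx response with the field name gives both the client and the defender a signal.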
The LightMass Approach
LightMass is designed to proactively assess API specification files for attributes and operations susceptible to mass assignment. Unlike existing tools that require interaction with a running API, LightMass operates solely on the API specification, allowing developers to identify potential vulnerabilities as soon as the specification is available.
Workflow of LightMass
- Specification Parsing: LightMass begins by parsing the OpenAPI specification to extract endpoints, operations, and attributes.
- Cross-reference Resolution: It resolves $ref entries to ensure comprehensive attribute examination.
- Attribute Extraction: The tool extracts the attributes that GET operations return in their response schemas and the attributes that write operations (POST, PUT, PATCH) accept in their request bodies.
- Operation Similarity Assessment: After normalizing attribute names with simple text processing, LightMass computes the Jaccard similarity between the attribute sets of a GET operation and a write operation to decide whether the two operate on the same resource, so that their attributes can be meaningfully compared.
- Reporting Candidates: Attributes present in the GET response but absent from the corresponding POST, PUT, or PATCH request are flagged as read-only and reported as potential mass assignment candidates.
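To show the whole workflow end to end, here is an added re-implementation of the five steps above in Python, written for this page and not taken from LightMass or the paper. It parses an inline OpenAPI 3 document, resolves local `$ref` pointers, extracts normalized attribute names from GET responses and POST/PUT/PATCH request bodies, pairs each write operation with the most similar GET by Jaccard similarity, and reports the read-only candidates. The `SPEC` document, the similarity threshold of 0.2, the tie-break that prefers a GET on the same path, and the camelCase/snake_case normalization are all assumptions made for the example; the paper's exact matching rules are not reproduced here.

```python
import re
from typing import Any, Optional

WRITE_METHODS = ("post", "put", "patch")


def _json(schema: dict) -> dict:
    return {"content": {"application/json": {"schema": schema}}}


def _ref(name: str) -> dict:
    return {"$ref": f"#/components/schemas/{name}"}


# Constructed OpenAPI 3 document (not from the paper): the GET responses expose
# server-controlled attributes that the POST/PATCH request bodies never declare.
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {"get": {"responses": {"200": _json({"type": "array", "items": _ref("User")})}},
                   "post": {"requestBody": _json(_ref("UserInput"))}},
        "/users/{id}": {"get": {"responses": {"200": _json(_ref("User"))}},
                        "patch": {"requestBody": _json(_ref("UserInput"))}},
        "/orders": {"get": {"responses": {"200": _json({"type": "array", "items": _ref("Order")})}},
                    "post": {"requestBody": _json(_ref("OrderInput"))}},
    },
    "components": {"schemas": {
        "User": {"type": "object", "properties": {
            "id": {"type": "integer"}, "userName": {"type": "string"}, "email": {"type": "string"},
            "role": {"type": "string"}, "createdAt": {"type": "string", "format": "date-time"}}},
        "UserInput": {"type": "object", "properties": {
            "user_name": {"type": "string"}, "email": {"type": "string"}}},
        "OrderLine": {"type": "object", "properties": {"sku": {"type": "string"}, "qty": {"type": "integer"}}},
        "Order": {"type": "object", "properties": {
            "id": {"type": "integer"}, "total": {"type": "number"}, "status": {"type": "string"},
            "items": {"type": "array", "items": _ref("OrderLine")}}},
        "OrderInput": {"type": "object", "properties": {"items": {"type": "array", "items": _ref("OrderLine")}}},
    }},
}


def resolve_ref(doc: dict, ref: str) -> dict:
    """Resolve a local JSON-pointer $ref such as '#/components/schemas/User' (RFC 6901 escapes)."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local $ref values are supported: {ref}")
    node: Any = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def normalize(name: str) -> str:
    """Text normalization so that 'userName', 'user_name' and 'UserName' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def attributes(doc: dict, schema: dict, path: tuple = (), seen: frozenset = frozenset()) -> dict:
    """Map normalized attribute path -> path as written in the spec, following $ref,
    allOf, array items and nested objects. 'seen' stops recursive schemas."""
    if "$ref" in schema:
        if schema["$ref"] in seen:
            return {}
        return attributes(doc, resolve_ref(doc, schema["$ref"]), path, seen | {schema["$ref"]})
    found: dict = {}
    for sub in schema.get("allOf", []):
        found.update(attributes(doc, sub, path, seen))
    if isinstance(schema.get("items"), dict):
        found.update(attributes(doc, schema["items"], path, seen))
    for prop, sub in schema.get("properties", {}).items():
        full = path + (prop,)
        found[".".join(normalize(p) for p in full)] = ".".join(full)
        found.update(attributes(doc, sub, full, seen))
    return found


def body_schema(op: dict, where: str) -> Optional[dict]:
    """Schema of the JSON request body, or of the first 2xx JSON response."""
    if where == "request":
        content = op.get("requestBody", {}).get("content", {})
    else:
        ok = [r for code, r in op.get("responses", {}).items() if str(code).startswith("2")]
        content = ok[0].get("content", {}) if ok else {}
    media = content.get("application/json")
    return media.get("schema") if media else None


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def mine(doc: dict, threshold: float = 0.2) -> dict:
    """For each POST/PUT/PATCH operation, pick the GET whose response attributes are most
    similar (Jaccard; ties prefer the same path) and report attributes readable there but
    absent from the write request: the read-only candidates. The 0.2 threshold is assumed."""
    gets, writes = [], []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method == "get" and (schema := body_schema(op, "response")):
                gets.append((f"GET {path}", path, attributes(doc, schema)))
            elif method in WRITE_METHODS and (schema := body_schema(op, "request")):
                writes.append((f"{method.upper()} {path}", path, attributes(doc, schema)))
    report = {}
    for label, path, w_attrs in writes:
        if not gets:
            break
        best = max(gets, key=lambda g: (jaccard(set(g[2]), set(w_attrs)), g[1] == path))
        if jaccard(set(best[2]), set(w_attrs)) < threshold:
            continue  # no GET describes the same resource closely enough to compare
        read_only = sorted(best[2][k] for k in set(best[2]) - set(w_attrs))
        if read_only:
            report[label] = (best[0], read_only)
    return report


if __name__ == "__main__":
    for op, (paired, attrs) in mine(SPEC).items():
        print(f"{op} (paired with {paired}): read-only candidates {attrs}")
```

On the constructed document the miner reports `id`, `role` and `createdAt` for both user write operations and `id`, `status` and `total` for `POST /orders`, while `userName` versus `user_name` is correctly treated as the same attribute. As the page stresses, these are candidates: whether the backend actually binds `role` from a PATCH body is something only a code review or a runtime test can confirm.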
Identification of Vulnerabilities
LightMass flags attributes as potential vulnerabilities and requires further manual verification by developers to confirm if appropriate safeguards are absent.
Evaluation and Results
LightMass was evaluated on 100 REST APIs drawn from public repositories and prior studies, and it reported 25 of them as potentially vulnerable. On the open-source implementations where the runtime detection tools Akto and RestTestGen could also be run, their findings matched those of LightMass, so the two approaches agree on the confirmed vulnerabilities. The difference is when the result becomes available: LightMass reaches it directly from the API specification, without a running environment.
While existing tools such as RestTestGen perform detailed black-box testing on running APIs, LightMass promises early detection based on specification mining, bridging gaps in security testing pipelines by spotlighting potential vulnerabilities prior to deployment. It complements automated runtime testing tools by enabling proactive attention to security risks.
Implications and Future Research Directions
LightMass gives developers early visibility into potential mass assignment issues, encouraging mitigation before the API is deployed, and it demonstrates that specification-based analysis alone can surface this class of flaw for security auditors and API developers. Future research may focus on making the similarity threshold adjustable and on refining the attribute similarity measures to reduce false positives.
Conclusion
LightMass presents an effective means of detecting potential mass assignment vulnerabilities from REST API specifications. By flagging suspicious read-only attributes early in the development lifecycle, it lets developers configure attribute binding defensively against a pervasive yet underexplored security threat. As the tool matures, additional studies should measure its false positive rate and extend it with dynamic runtime verification that confirms whether a flagged attribute is actually exploitable.