Reverse-engineering REST APIs: Enriching OpenAPI Specifications through Fuzzing

Document type: Master Thesis
Institute: Fachbereich Informatik (Department of Computer Science)
Language: English
Year of creation: 2024
Publication date:
Free keywords (English): Reverse Engineering, Fuzzing, REST
DDC subject group: Computer Science
BK classification: 54.38

Abstract (English):

APIs are ubiquitous in all industries, powering client-server applications such as mobile apps, web platforms and IoT devices. Since these services expose sensitive data such as financial, health, business and other personal information, precautions must be taken to ensure secure and private implementation and operation of these complex systems. History shows the dramatic consequences that insecure REST APIs can have. It is crucial for developers and penetration testers to find and fix such vulnerabilities before threat actors have the chance to exploit them. Fuzzing is an effective method for finding security vulnerabilities in software. REST-focused fuzzers specifically target REST APIs and generally work from a formal specification of the API protocol, with OpenAPI being the de-facto standard for such specifications. However, many REST APIs remain undocumented (e.g. proprietary SaaS APIs) or are only partially or informally documented. In such cases, effective fuzzing requires reverse-engineering the API protocol and documenting it properly in OpenAPI's standardized format. This thesis proposes new methods for fuzzing-based REST API reverse engineering, leveraging reasoning about API dependencies, discovery of authentication requirements, detailed parameter type inference, and exploration of other interesting API characteristics. This is the first time that fuzzing techniques have been applied to REST-based protocol reverse engineering. The evaluation measures, using a novel specification-based approach, how effective these methods are, and how effectively exploitative REST fuzzers can use the reverse-engineered specifications to find new API issues.
The results demonstrate favorable outcomes and a deeper understanding of undocumented REST APIs: compared to current methods, the proposed techniques achieve a notable improvement of 9.3% for reconstructed information, and a significant boost of 71.2% for information that was previously completely undocumented. The evaluation results show the potential for exposing further security vulnerabilities, but also reveal current limitations of exploitative REST fuzzers.

Copyright notice

Documents offered in electronic form over data networks are subject without restriction to the German Copyright Act (Urheberrechtsgesetz, UrhG). In particular:

Individual copies, e.g. printouts and photocopies, may be made only for private and other personal use (Section 53 UrhG). The production and distribution of further reproductions is permitted only with the express consent of the author.

The user is personally responsible for compliance with the legal provisions and may be held liable in case of misuse.