Efficient fuzz testing of web services
Result identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21240%2F23%3A00371943" target="_blank" >RIV/68407700:21240/23:00371943 - isvavai.cz</a>
Result on the web
<a href="https://doi.org/10.1109/QRS60937.2023.00037" target="_blank" >https://doi.org/10.1109/QRS60937.2023.00037</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1109/QRS60937.2023.00037" target="_blank" >10.1109/QRS60937.2023.00037</a>
Alternative languages
Result language
English
Title in original language
Efficient fuzz testing of web services
Description in original language
This paper proposes a novel approach to web service fuzzing that utilizes the OpenAPI Specification. The proposed smart black-box generation-based fuzzer, named openapi-fuzzer, generates and minimizes random payloads to detect vulnerabilities in web services. It is able to minimize the bug-triggering payload to its canonical form. Due to this minimization, it is easy to detect the root cause of an underlying bug. To evaluate its performance, openapi-fuzzer was tested on three relevant web services: Kubernetes, HashiCorp Vault, and Gitea. The results demonstrate that openapi-fuzzer outperforms other state-of-the-art web service fuzzers in terms of the number of bugs found and running time. Furthermore, openapi-fuzzer conducts a performance analysis to identify endpoints that are susceptible to Denial-of-Service attacks. By providing developers with detailed statistics, openapi-fuzzer helps them identify and fix performance issues in their web services.
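The abstract describes three mechanics: generating random request bodies from an OpenAPI schema, treating a crash (HTTP 500) as the bug oracle, and shrinking the triggering payload to a canonical form so the root cause is obvious. The block below is an added illustration of those mechanics written for this page; it is not openapi-fuzzer's own code. The schema fragment, the in-process `handler` and its bug (an unhandled negative `limit`) are constructed for the example, and the latency tracking is only a stand-in for the per-endpoint statistics the paper reports.

```python
"""Toy OpenAPI-driven, generation-based black-box fuzzer with payload minimization.

Constructed example, not openapi-fuzzer's code. The target is an in-process
handler that stands in for an HTTP endpoint; a raised exception models a 500.
"""
import random
import time

# Constructed fragment in the shape of an OpenAPI requestBody JSON Schema.
SCHEMA = {
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "limit": {"type": "integer"},
        "tags": {"type": "array", "items": {"type": "string"}},
    },
}


def generate(schema, rng):
    """Draw one random JSON value conforming to a tiny subset of JSON Schema."""
    t = schema["type"]
    if t == "object":  # each optional property is present with probability 0.8
        return {k: generate(s, rng) for k, s in schema["properties"].items()
                if rng.random() < 0.8}
    if t == "array":
        return [generate(schema["items"], rng) for _ in range(rng.randint(0, 4))]
    if t == "integer":  # boundary values mixed with plain random ones
        return rng.choice([0, 1, -1, 2**31 - 1, -(2**31), rng.randint(-1000, 1000)])
    if t == "string":  # short strings over characters that often upset parsers
        return "".join(rng.choice("ab/\\'\"%<>") for _ in range(rng.randint(0, 12)))
    raise ValueError(f"unsupported schema type {t}")


def handler(body):
    """Constructed target endpoint. Bug: a negative limit is never validated."""
    limit = body.get("limit", 10)
    if limit < 0:
        raise ValueError("negative limit")  # unhandled -> would surface as HTTP 500
    return 200


def call(body):
    """Send one request; return (status, elapsed seconds)."""
    t0 = time.perf_counter()
    try:
        status = handler(body)
    except Exception:
        status = 500
    return status, time.perf_counter() - t0


def triggers(body):
    """Bug oracle: the request crashed the endpoint."""
    return call(body)[0] == 500


def shrink_candidates(value):
    """Yield strictly smaller one-step variants of a JSON value."""
    if isinstance(value, dict):
        for k in value:  # drop one property
            yield {kk: v for kk, v in value.items() if kk != k}
        for k, v in value.items():  # shrink one property in place
            for c in shrink_candidates(v):
                yield {**value, k: c}
    elif isinstance(value, list):
        for i in range(len(value)):  # drop one element
            yield value[:i] + value[i + 1:]
        for i, v in enumerate(value):  # shrink one element in place
            for c in shrink_candidates(v):
                yield value[:i] + [c] + value[i + 1:]
    elif isinstance(value, bool):
        return
    elif isinstance(value, int):  # move toward zero: 0, halve, step by one
        for c in (0, value // 2, value - (1 if value > 0 else -1)):
            if abs(c) < abs(value):
                yield c
    elif isinstance(value, str) and value:
        yield ""
        yield value[: len(value) // 2]
        yield value[1:]


def minimize(body, oracle):
    """Greedy delta debugging: accept any shrink that still triggers the oracle."""
    changed = True
    while changed:
        changed = False
        for cand in shrink_candidates(body):
            if oracle(cand):
                body, changed = cand, True
                break
    return body


def fuzz(schema, iterations=200, seed=1):
    """Return (minimized crashing payload or None, worst observed latency)."""
    rng = random.Random(seed)
    worst_latency = 0.0
    for _ in range(iterations):
        body = generate(schema, rng)
        status, elapsed = call(body)
        worst_latency = max(worst_latency, elapsed)  # DoS-style performance statistic
        if status == 500:
            return minimize(body, triggers), worst_latency
    return None, worst_latency


if __name__ == "__main__":
    print(fuzz(SCHEMA))  # first element is the canonical crash: {'limit': -1}
```

Whatever random body first crashes the handler (for example a long `name`, four `tags` and `limit = -2147483648`), `minimize` drops the irrelevant properties and halves the integer toward zero until only `{"limit": -1}` remains, which points straight at the missing bounds check. Against a real service the same loop would issue HTTP requests built from the `paths` of the served OpenAPI document and use the response status as the oracle.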
Classification
Type
D - Conference proceedings paper
CEP field
—
OECD FORD field
10201 - Computer sciences, information science, bioinformatics (hardware development to be 2.2, social aspect to be 5.8)
Result linkages
Project
—
Linkages
I - Institutional support for the long-term conceptual development of a research organisation
Other
Year of publication
2023
Data confidentiality code
S - Complete and true data on the project are not subject to protection under special legal regulations
Data specific to the result type
Proceedings title
Proceedings of the 23rd IEEE International Conference on Software Quality, Reliability, and Security
ISBN
979-8-3503-1959-0
ISSN
2693-9185
e-ISSN
2693-9177
Number of pages
10
Pages from-to
291-300
Publisher name
IEEE
Place of publication
Halifax
Event venue
Chiang Mai
Event date
22 Oct 2023
Event type by nationality
WRD - Worldwide event
Article UT WoS code
—