REST APIs have a pivotal role in accessing protected resources. Despite the availability of security testing tools, mass assignment vulnerabilities are common in REST APIs, leading to unauthorized manipulation of sensitive data. We propose a lightweight approach to mine the REST API specifications and identify operations and attributes that are prone to mass assignment. We conducted a preliminary study on 100 APIs and found 25 prone to this vulnerability. We confirmed nine real vulnerable operations in six APIs.
Cite
@article{arxiv.2405.01111,
title = {Mining REST APIs for Potential Mass Assignment Vulnerabilities},
author = {Arash Mazidi and Davide Corradini and Mohammad Ghafari},
journal= {arXiv preprint arXiv:2405.01111},
year = {2024}
}