Gelei Deng, Nanyang Technological University; Zhiyi Zhang, CodeSafe Team, Qi An Xin Group Corp.; Yuekang Li, Yi Liu, Tianwei Zhang, and Yang Liu, Nanyang Technological University; Guo Yu, China Industrial Control Systems Cyber Emergency Response Team; Dongjin Wang, Institute of Scientific and Technical Information, China Academy of Railway Sciences
RESTful APIs have become arguably the most prevalent endpoint for accessing web services. Blackbox vulnerability scanners are a popular choice for detecting vulnerabilities in web services automatically. Unfortunately, they suffer from a number of limitations in RESTful API testing. Particularly, existing tools cannot effectively obtain the relations between API operations, and they lack the awareness of the correct sequence of API operations during testing. These drawbacks hinder the tools from requesting the API operations properly to detect potential vulnerabilities.
To address this challenge, we propose NAUTILUS, which includes a novel specification annotation strategy to uncover RESTful API vulnerabilities. The annotations encode the proper operation relations and parameter generation strategies for the RESTful service, which assist NAUTILUS to generate meaningful operation sequences and thus uncover vulnerabilities that require the execution of multiple API operations in the correct sequence. We experimentally compare NAUTILUS with four state-of-art vulnerability scanners and RESTful API testing tools on six RESTful services. Evaluation results demonstrate that NAUTILUS can successfully detect an average of 141% more vulnerabilities, and cover 104% more API operations. We also apply NAUTILUS to nine real-world RESTful services, and detected 23 unique 0-day vulnerabilities with 12 CVE numbers, including one remote code execution vulnerability in Atlassian Confluence, and three high-risk vulnerabilities in Microsoft Azure, which can affect millions of users.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Gelei Deng and Zhiyi Zhang and Yuekang Li and Yi Liu and Tianwei Zhang and Yang Liu and Guo Yu and Dongjin Wang},
title = {{NAUTILUS}: Automated {RESTful} {API} Vulnerability Detection},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {5593--5609},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/deng-gelei},
publisher = {USENIX Association},
month = aug
}