Security Testing of RESTful Web APIs with RESTler
Chapagain, Srijan (2021)
Web Application Programming Interfaces (APIs) consist of one or many endpoints that define a request-response architecture. Modern Web APIs follow the Representational State Transfer (RESTful) architectural style and are accessible to clients through Hypertext Transfer Protocol (HTTP) interactions. Security testing is the process of revealing flaws in the security mechanisms that protect a system's data and maintain its functionality. Oracle problems, such as distinguishing correct from incorrect behaviour, are painful and impractical to handle manually; a good security testing process can prevent them. An adequate security testing process checks various aspects of the system, such as authentication, authorization, confidentiality, availability, integrity and resilience. This thesis extends the tool “RESTler”, the first stateful REST API fuzzing tool, which automates the testing of cloud services and finds security and reliability bugs in the system. The extension adds Metamorphic Relation Output Patterns (MROPs) that capture desired properties of REST APIs. The thesis shows how to extend a fuzzing tool with active property checkers, which together automate the testing of security-related issues. The checkers follow a metamorphic testing approach, which uses target functions, also known as metamorphic relations, to generate follow-up test cases and verify them automatically. This approach eliminates oracle problems such as determining the correct output for a given input.
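The checker idea described in the abstract, as an added illustration that is not RESTler's code or the thesis's own checkers: a source request sequence is executed, a metamorphic relation derives a follow-up request, and the follow-up response is compared against the expected output pattern instead of against a hand-written expected value. The in-memory `FakeApi` class is a constructed stand-in for a REST service so the example runs offline; its `leaky_delete` flag injects a use-after-delete bug for the checker to catch.

```python
from dataclasses import dataclass, field

@dataclass
class FakeApi:
    """Constructed stand-in for a RESTful service with one resource type."""
    store: dict = field(default_factory=dict)
    next_id: int = 1
    leaky_delete: bool = False  # injected bug: DELETE answers 204 but keeps the data

    def request(self, method, path, body=None):
        """Return (status, json) the way an HTTP client would see it."""
        if method == "POST" and path == "/items":
            rid = str(self.next_id)
            self.next_id += 1
            self.store[rid] = dict(body or {})
            return 201, {"id": rid, **self.store[rid]}
        rid = path.rsplit("/", 1)[-1]
        if rid not in self.store:
            return 404, {}
        if method == "GET":
            return 200, {"id": rid, **self.store[rid]}
        if method == "DELETE":
            if not self.leaky_delete:
                del self.store[rid]
            return 204, {}
        return 405, {}

def check_use_after_delete(api):
    """MR: once DELETE succeeded, a follow-up GET on the same id must be 404.
    No oracle value is needed; only the output pattern (status class) is checked."""
    status, created = api.request("POST", "/items", {"name": "x"})
    assert status == 201
    path = f"/items/{created['id']}"
    api.request("DELETE", path)
    follow_status, _ = api.request("GET", path)
    return follow_status == 404

def check_create_then_read(api):
    """MR: GET on a freshly created id returns the representation POST returned."""
    status, created = api.request("POST", "/items", {"name": "y"})
    follow_status, fetched = api.request("GET", f"/items/{created['id']}")
    return status == 201 and follow_status == 200 and fetched == created

def run_checkers(api):
    """Run every active checker; a False value is a property violation."""
    return {"use_after_delete": check_use_after_delete(api),
            "create_then_read": check_create_then_read(api)}
```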