
Enhancing REST API Fuzzing with Access Policy Violation Checks and Injection Attacks
Cybersecurity, Fuzzing, API Security, Vulnerabilities
The post discusses an arXiv article that explores enhancing REST API fuzzing by incorporating security checks. It highlights that fuzzing can detect faults like HTTP 500 errors and OpenAPI specification mismatches, as well as security properties such as inconsistent access policies (e.g., a denied PUT/PATCH request followed by an accepted DELETE). The study tested over 50 APIs using nine types of security "oracle" checks, implemented in the open-source fuzzer EvoMaster.
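
The inconsistent-access-policy check mentioned above, sketched as an added example (not code from EvoMaster or the article): it scans a recorded call trace and flags a DELETE that succeeds after the same user was denied a PUT/PATCH on the same resource. The `Call` record, the function name, the sample trace, and treating 401/403 as "denied" are assumptions made for illustration.

```python
from dataclasses import dataclass

DENIED = {401, 403}        # assumption: status codes treated as "access denied"
MODIFY = {"PUT", "PATCH"}  # modifying verbs named in the summary


@dataclass(frozen=True)
class Call:
    """One recorded HTTP exchange from a fuzzing run (hypothetical record type)."""
    user: str
    method: str
    path: str
    status: int


def find_policy_violations(trace):
    """Return (user, path, denied_method) for every DELETE that was accepted
    after the same user had been denied a PUT/PATCH on the same resource."""
    denied = {}       # (user, path) -> first modifying method that was denied
    violations = []
    for call in trace:
        key = (call.user, call.path.rstrip("/"))
        method = call.method.upper()
        accepted = 200 <= call.status < 300
        if method in MODIFY and call.status in DENIED:
            denied.setdefault(key, method)
        elif method in MODIFY and accepted:
            # A later successful write means the user now has write access,
            # so an earlier denial no longer makes a DELETE inconsistent.
            denied.pop(key, None)
        elif method == "DELETE" and accepted and key in denied:
            violations.append((call.user, key[1], denied.pop(key)))
    return violations


# Constructed sample trace: alice owns the items, bob is another user.
SAMPLE_TRACE = [
    Call("alice", "POST", "/items", 201),
    Call("bob", "PUT", "/items/1", 403),
    Call("bob", "DELETE", "/items/1", 204),    # inconsistent: write denied, delete allowed
    Call("bob", "PATCH", "/items/2", 403),
    Call("bob", "DELETE", "/items/2", 403),    # consistent denial
    Call("alice", "PUT", "/items/3", 200),
    Call("alice", "DELETE", "/items/3", 204),  # owner, allowed throughout
]

if __name__ == "__main__":
    for user, path, method in find_policy_violations(SAMPLE_TRACE):
        print(f"{user}: {method} denied but DELETE accepted on {path}")
```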