Specification-based security analysis of REST APIs
Abstract
In the modern Internet era, web applications are typically driven by web services (WS). Web services are accessible on the Internet through their application programming interfaces (APIs). Because these APIs are continuously exposed on the Internet and reachable by anyone, security testing has become an essential part of serious software development. Manual security testing is, however, expensive and time-consuming.
Automated security analyses that do not require developers to specify individual test cases could lower the entry barrier for developers to start security testing. They would also help development teams avoid large upfront costs.
In this thesis, I introduce a set of such automated security analyses, a set of Representational State Transfer (REST) related security testing techniques, a minimalist API modelling language that the analyses use to generate test cases, and finally a proof-of-concept tool that implements and validates all of my other contributions.
An important focus in the thesis has been to keep programmer effort modest, i.e. to limit the required programmer input and the required security-related knowledge to the minimum sensible level, while still finding relevant, security-critical vulnerabilities in real-world applications.
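To make the idea of specification-driven test generation concrete, the following is an added illustration and not the modelling language, the analyses or the tool described in the thesis. It assumes a hypothetical minimal endpoint model (method, path, whether a bearer token is required, and typed parameters), derives three families of security checks from that model alone (missing credential, missing required parameter, hostile parameter values), and runs them against a constructed in-memory stub server that deliberately omits the authorization check on one endpoint. The model, the checks, the stub and its flaw are all assumptions made for this example.

```python
"""Specification-based security test generation for a REST API (added example).

Everything here is an illustration: the model format, the three checks and the
stub target are assumptions for this example, not the thesis's own language
or tool.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Endpoint:
    """Hypothetical minimal API model: one entry per endpoint."""
    method: str
    path: str
    auth: bool                                        # spec says a bearer token is required
    params: Dict[str, Tuple[str, bool]] = field(default_factory=dict)  # name -> (type, required)


# Constructed sample model (assumption, not from the thesis).
MODEL = [
    Endpoint("GET", "/users/{id}", auth=True, params={"id": ("int", True)}),
    Endpoint("POST", "/comments", auth=True, params={"text": ("str", True)}),
    Endpoint("GET", "/health", auth=False),
]


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    params: Dict[str, object]


@dataclass
class TestCase:
    name: str
    request: Request
    expect: Callable[[int], bool]   # predicate on the HTTP status code


def generate_tests(model: List[Endpoint]) -> List[TestCase]:
    """Derive security test cases from the model alone; no hand-written cases."""
    cases = []
    for ep in model:
        valid = {n: (1 if t == "int" else "hello") for n, (t, _) in ep.params.items()}
        good = {"Authorization": "Bearer valid-token"}
        if ep.auth:
            # Check 1: a request without any credential must be rejected.
            cases.append(TestCase(f"{ep.method} {ep.path}: no token",
                                  Request(ep.method, ep.path, {}, dict(valid)),
                                  lambda s: s in (401, 403)))
        for name, (typ, required) in ep.params.items():
            if required:
                # Check 2: a missing required parameter must yield a 4xx, never a 5xx.
                p = {k: v for k, v in valid.items() if k != name}
                cases.append(TestCase(f"{ep.method} {ep.path}: missing {name}",
                                      Request(ep.method, ep.path, dict(good), p),
                                      lambda s: 400 <= s < 500))
            # Check 3: type-confused or hostile values must not crash the service.
            for bad in ("' OR 1=1 --", "x" * 10000, -1 if typ == "int" else 0):
                p = dict(valid)
                p[name] = bad
                cases.append(TestCase(f"{ep.method} {ep.path}: {name}={bad!r:.20}",
                                      Request(ep.method, ep.path, dict(good), p),
                                      lambda s: s < 500))
    return cases


def stub_server(req: Request) -> int:
    """Constructed in-memory target. Deliberate flaw: GET /users/{id} never
    checks the bearer token. Returns an HTTP status code."""
    if req.path == "/health":
        return 200
    if req.path == "/comments":
        if req.headers.get("Authorization") != "Bearer valid-token":
            return 401
        return 400 if "text" not in req.params else 201
    if req.path == "/users/{id}":
        try:                      # flaw: no authorization check before this point
            int(req.params["id"])
        except (KeyError, ValueError):
            return 400
        return 200
    return 404


def run(model: List[Endpoint], target: Callable[[Request], int]) -> List[str]:
    """Execute the generated cases against a target; return the names of the
    cases whose expectation failed, i.e. the findings."""
    return [tc.name for tc in generate_tests(model) if not tc.expect(target(tc.request))]


if __name__ == "__main__":
    for finding in run(MODEL, stub_server):
        print("FINDING:", finding)
```

Only the model is written by hand; every test case, including the one that exposes the missing authorization check on GET /users/{id}, is derived from it. Against a real service, `stub_server` would be replaced by a function that sends the request over HTTP and returns the status code.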