An automated RESTful multi-API security vulnerability testing tool

Web security has been a concern given how often people access web applications be it for work or leisure. Users do not understand that there could be underlying security vulnerabilities that could jeopardize their privacy. However, even web application developers overlook these issues themselves due...

Full description

Saved in:
Bibliographic Details
Main Author: Lee, Chong Yu
Other Authors: Liu Yang
Format: Final Year Project
Language:English
Published: Nanyang Technological University 2021
Subjects:
Online Access:https://hdl.handle.net/10356/147998
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Nanyang Technological University
Language: English
Description
Summary:Web security has been a concern given how often people access web applications be it for work or leisure. Users do not understand that there could be underlying security vulnerabilities that could jeopardize their privacy. However, even web application developers overlook these issues themselves due to time constraints and lacking expertise on software security. Also, locating vulnerabilities is not an easy task for security experts. When such issues are not fixed, they pose risks to service and data. As such, there is a need for an automated tool that can assist those that lack expertise in security domain to detect software bugs and security vulnerabilities efficiently and increase the efficiency of security experts to escalate vulnerabilities in web applications. In this project, the focus will be to explore the security vulnerabilities in RESTful web applications, designing part of a current software testing tool to incorporate security methodologies, as well as create an extension to the tool. For phase 1, we explored different API security vulnerabilities to design an API input generation methodology with security payloads, which is incorporated into the software testing tool to test on 22 real-world targets and compared with other similar tools. We then discuss the outcome of the tests and re-designing of the JSON parser to improve on the performance of the tool. For phase 2, a tree traversal algorithm is designed to execute specific sequences and check for vulnerabilities triggered in multi-API calls.