Due to their widespread use in industry, several techniques have been proposed in the literature to fuzz REST APIs. Existing fuzzers for REST APIs have focused on detecting crashes (e.g., 500 HTTP server error status codes). However, security vulnerabilities can have drastic consequences for existing cloud infrastructures. In this paper, we propose a series of novel automated oracles aimed at detecting violations of access policies in REST APIs, as well as executing traditional attacks such as SQL Injection and XSS. These novel automated oracles can be integrated into existing fuzzers: once the fuzzing session is completed, a "security testing" phase is executed to verify these oracles. When a security fault is detected, our technique is able to generate executable test cases as output in different formats, such as Java, Kotlin, Python and JavaScript test suites. Our novel techniques are integrated as an extension of EvoMaster, a state-of-the-art open-source fuzzer for REST APIs. Experiments are carried out on 9 artificial examples, 8 vulnerable-by-design REST APIs with black-box testing, and 36 REST APIs from the WFD corpus with white-box testing, for a total of 52 distinct APIs. Results show that our novel oracles and their automated integration in a fuzzing process can detect security issues in several of these APIs.
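As an added illustration (not code from the paper or from EvoMaster), the following sketch shows the kind of post-fuzzing oracle described above: it replays a recorded trace of HTTP exchanges and flags both the crash signal existing fuzzers already report (5xx responses) and access-policy violations, where a resource created by one user is successfully read, modified or deleted by a different user. The `Call` record, the ownership-inference rule (the creator is the user whose successful POST returned the resource's `Location`) and the trace itself are constructed assumptions for this example.

```python
"""Toy post-fuzzing security oracle for a REST API (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Call:
    """One HTTP exchange recorded during the fuzzing session (assumed schema)."""
    user: str                       # authenticated principal; "anon" = no credentials
    method: str
    path: str
    status: int
    location: Optional[str] = None  # Location header returned on resource creation


def classify(trace: list[Call]) -> dict[str, list[str]]:
    """Run two oracles over a recorded trace, in replay order.

    - crash oracle: any 5xx response (what existing fuzzers already report)
    - access-policy oracle: a 2xx response for a resource whose creator,
      inferred from an earlier successful POST + Location, is a different user
    """
    owner: dict[str, str] = {}      # resource path -> creating user
    findings: dict[str, list[str]] = {"crash": [], "access_policy": []}
    for c in trace:
        if c.status >= 500:
            findings["crash"].append(f"{c.user} {c.method} {c.path} -> {c.status}")
        if c.method == "POST" and 200 <= c.status < 300 and c.location:
            owner.setdefault(c.location, c.user)   # first creator wins
            continue
        creator = owner.get(c.path)
        if creator is not None and c.user != creator and 200 <= c.status < 300:
            findings["access_policy"].append(
                f"{c.user} {c.method} {c.path} -> {c.status} (owned by {creator})")
    return findings


# Constructed trace: two non-admin users and one unauthenticated caller.
TRACE = [
    Call("alice", "POST", "/orders", 201, location="/orders/1"),
    Call("alice", "GET", "/orders/1", 200),    # owner reads own resource: fine
    Call("bob", "GET", "/orders/1", 403),      # policy enforced: fine
    Call("anon", "GET", "/orders/1", 200),     # violation: unauthenticated read
    Call("bob", "DELETE", "/orders/1", 204),   # violation: bob deleted alice's order
    Call("bob", "POST", "/orders", 500),       # crash: the only thing a 5xx oracle sees
]

if __name__ == "__main__":
    for kind, items in classify(TRACE).items():
        print(kind, items)
```

Each finding carries the user, request and status needed to emit a concrete regression test for that exchange.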