Checking Security Properties of Cloud Services REST APIs

Vaggelis Atlidakis; Patrice Godefroid; Marina Polishchuk

Checking Security Properties of Cloud Services REST APIs

Vaggelis Atlidakis ,
Patrice Godefroid ,
Marina Polishchuk

MSR-TR-2019-1 | February 2019

Published by Microsoft

Revised version published in ICST'2020, March 2020.

Download BibTex

Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers efficiently and in a modular way. Thanks to these checkers, we found new bugs in several deployed production Azure and Office-365 cloud services, and we discuss their security implications.

Publication Downloads

REST API Fuzz Testing

November 16, 2020

This self-hosted service developed for Azure, including its orchestration engine and security tools (including MSR's RESTler), enables developers to embed security tooling into their CI/CD workflows.

Download Data

RESTler-Fuzzer

November 16, 2020

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.

Download Data

Fuzzing to improve the security and reliability of cloud services with RESTler

In the past few years, cloud services have experienced tremendous growth. Most of these services are programmatically accessed through REST APIs. As the pace of development increases, both the APIs and service implementations are evolving rapidly. There is an urgent need for automated tools to test the reliability and security of cloud services that can keep up with today’s fast-paced service development and deployment—tools that provide the necessary level of automation and coverage for the growing number of APIs being deployed across the web. In this webinar, join Marina Polishchuk, a Software Engineer at Microsoft Research, in exploring how RESTler—the first stateful REST API fuzzer—can help efficiently find security and reliability bugs in cloud services. RESTler analyzes a Swagger/OpenAPI specification and produces a fuzzing grammar…