Deriving semantics-aware fuzzers from web API schemas

Hatfield-Dodds, Zac; Dygalo, Dmitry

doi:10.1145/3510454.3528637

Cited by 13 publications

(6 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For each unique URL link, APIMiner counts the number of times it appears on the page and then uses this count as the vector value. For instance, if the array of URL link elements is [URL 1 , URL 2 , URL 3 , URL 1 , URL 1 ], where URL 1 appears three times on the page, the vectorized URL link element is [3,1,1]. Second, APIMiner calculates the cosine similarity values between the three types of elements in the current page state and the corresponding category elements in the previous page state.…”

Section: State Similarity Analysismentioning

confidence: 99%

“…Given the widespread use of web applications, identifying and extracting APIs for subsequent vulnerability detection has become a popular and important research topic. Existing studies on API identification are mainly based on the user manuals of web applications [1][2][3][29][30][31][32] and identify APIs by dynamically traversing web pages [4][5][6][7][8]. In dynamic web page traversal for identifying web application APIs, existing studies utilize similarity analysis methods to mitigate the impact of similar pages on the API identification process [8][9][10][11][12].…”

Section: Related Workmentioning

confidence: 99%

“…Existing studies on web application API identification are mainly based on the user manuals of web applications [1][2][3] and identify APIs by dynamically traversing web pages (e.g., using crawlers ) [4][5][6][7][8]. These studies use methods such as regular matching to extract APIs from user manuals or machine learning to generate a large number of test cases for guessing possible APIs.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

APIMiner: Identifying Web Application APIs Based on Web Page States Similarity Analysis

Chen,

Lu,

Pan

et al. 2024

Electronics

View full text Add to dashboard Cite

Modern web applications offer various APIs for data interaction. However, as the number of these APIs increases, so does the potential for security threats. Essentially, more APIs in an application can lead to more detectable vulnerabilities. Thus, it is crucial to identify APIs as comprehensively as possible in web applications. However, this task faces challenges due to the increasing complexity of web development techniques and the abundance of similar web pages. In this paper, we propose APIMiner, a framework for identifying APIs in web applications by dynamically traversing web pages based on web page state similarity analysis. APIMiner first builds a web page model based on the HTML elements of the current web page. APIMiner then uses this model to represent the state of the page. Then, APIMiner evaluates each element’s similarity in the page model and determines the page state similarity based on these similarity values. From the different states of the page, APIMiner extracts the data interaction APIs on the page. We conduct extensive experiments to evaluate APIMiner’s effectiveness. In the similarity analysis, our method surpasses state-of-the-art methods like NDD and mNDD in accurately distinguishing similar pages. We compare APIMiner with state-of-the-art tools (e.g., Enemy of the State, Crawlergo, and Wapiti3) for API identification. APIMiner excels in the number of identified APIs (average 1136) and code coverage (average 28,470). Relative to these tools, on average, APIMiner identifies 7.96 times more APIs and increases code coverage by 142.72%.

show abstract

Section: State Similarity Analysismentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

APIMiner: Identifying Web Application APIs Based on Web Page States Similarity Analysis

Chen,

Lu,

Pan

et al. 2024

Electronics

View full text Add to dashboard Cite

show abstract

“…Testing REST APIs. Approaches for automated black-box testing of REST APIs are proposed in the literature, including RESTest [32,33], ARTE [7] -an extension to RESTest, RESTler [12,22], Semanthesis [24], RESTCT [42], RestTestGen [14,15], EvoMaster [9,10], RapiTest [19], and QuickREST [26]. Our study utilizes RESTest, as it is a black-box REST APIs testing approach, which supports realistic test data generation [7] and has shown good results in testing online applications [33].…”

Section: Related Workmentioning

confidence: 99%

“…Several approaches have been proposed for testing of web applications REST APIs such as RESTest [32], RESTler [12], Semanthesis [24], RESTCT [42], RestTestGen [14], and EvoMaster [9]. Some empirical studies have been conducted to compare different approaches for testing REST APIs, such as [11,27,30].…”

Section: Introductionmentioning

confidence: 99%

Testing Real-World Healthcare IoT Application: Experiences and Lessons Learned

Sartaj,

Ali,

Yue

et al. 2023

Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Enginee

View full text Add to dashboard Cite

Healthcare Internet of Things (IoT) applications require rigorous testing to ensure their dependability. Such applications are typically integrated with various third-party healthcare applications and medical devices through REST APIs. This integrated network of healthcare IoT applications leads to REST APIs with complicated and interdependent structures, thus creating a major challenge for automated system-level testing. We report an industrial evaluation of a state-of-the-art REST APIs testing approach (RESTest) on a real-world healthcare IoT application. We analyze the effectiveness of RESTest's testing strategies regarding REST APIs failures, faults in the application, and REST API coverage, by experimenting with six REST APIs of 41 API endpoints of the healthcare IoT application. Results show that several failures are discovered in different REST APIs with ≈56% coverage using RESTest. Moreover, nine potential faults are identified. Using the evidence collected from the experiments, we provide our experiences and lessons learned. CCS CONCEPTS• Software and its engineering → Software testing and debugging; Software verification and validation.

show abstract

Revealing inputs causing web API performance latency using response-time-guided genetic algorithm fuzzing

Huang,

Lee

2024

Artif Life Robotics

View full text Add to dashboard Cite

Deriving semantics-aware fuzzers from web API schemas

Cited by 13 publications

References 7 publications

APIMiner: Identifying Web Application APIs Based on Web Page States Similarity Analysis

APIMiner: Identifying Web Application APIs Based on Web Page States Similarity Analysis

Testing Real-World Healthcare IoT Application: Experiences and Lessons Learned

Revealing inputs causing web API performance latency using response-time-guided genetic algorithm fuzzing

Contact Info

Product

Resources

About