Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing

by   Lianglu Pan, et al.

APIs often transmit far more data to client applications than they need, and in the context of web applications, often do so over public channels. This issue, termed Excessive Data Exposure (EDE), was OWASP's third most significant API vulnerability of 2019. However, there are few automated tools, either in research or industry, that effectively find and remediate such issues. This is unsurprising, as the problem lacks an explicit test oracle: the vulnerability does not manifest through abnormal behaviour (e.g., program crashes or memory access violations). In this work, we develop a metamorphic relation to tackle that challenge and build the first fuzzing tool, which we call EDEFuzz, to systematically detect EDEs. EDEFuzz can significantly reduce the false negatives that occur with manual inspection and ad-hoc text matching, currently the most widely used approaches. We tested EDEFuzz against the sixty-nine applicable targets from the Alexa Top-200 and found 33,365 potential leaks, illustrating our tool's broad applicability and scalability. In a more tightly controlled experiment on eight popular websites in Australia, EDEFuzz achieved a high true positive rate of 98.65%.
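The abstract states the key idea but not the shape of the metamorphic relation. The following is an added illustration (not EDEFuzz's code, and a deliberate simplification): treat the client renderer as the oracle-free program under test, delete one field at a time from a captured server response, and flag any field whose removal leaves the rendered output unchanged, since the client evidently never needed it. The response, the paths it contains and the `render_profile` stand-in for a front-end are all constructed for the example.

```python
"""
Metamorphic relation for Excessive Data Exposure (added example, assumed
simplification of the approach the abstract describes):

    render(response) == render(response minus field F)  =>  F is a candidate leak

No crash or error is needed, which is exactly why EDE has no natural oracle.
"""
import copy

# Constructed sample API response: a profile endpoint that ships more than the page shows.
SAMPLE_RESPONSE = {
    "user": {
        "id": 42,
        "display_name": "alice",
        "email": "alice@example.test",                 # never displayed
        "password_hash": "$2b$12$abcdefghijklmnopqrstuv",  # never displayed
        "address": {"city": "Melbourne", "postcode": "3000"},
    },
    "posts": [{"title": "hello", "body": "long text the list view never shows"}],
}


def render_profile(resp):
    """Stand-in for the client: renders only the fields the UI actually uses."""
    user = resp.get("user", {})
    lines = [
        f"Profile: {user.get('display_name', '?')}",
        f"City: {user.get('address', {}).get('city', '?')}",
    ]
    for post in resp.get("posts", []):
        lines.append(f"- {post.get('title', '')}")
    return "\n".join(lines)


def leaf_paths(obj, prefix=()):
    """Yield a tuple path (keys/indices) to every leaf value in a JSON-like object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from leaf_paths(value, prefix + (key,))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from leaf_paths(value, prefix + (index,))
    else:
        yield prefix


def delete_path(obj, path):
    """Return a deep copy of obj with the leaf at `path` removed (the mutation step)."""
    clone = copy.deepcopy(obj)
    node = clone
    for key in path[:-1]:
        node = node[key]
    del node[path[-1]]
    return clone


def find_excessive_fields(response, render):
    """Apply the relation to every leaf: unchanged rendering => candidate excessive exposure.

    Returns slash-joined paths, in response order, e.g. "user/email".
    """
    baseline = render(response)
    candidates = []
    for path in leaf_paths(response):
        mutated = delete_path(response, path)
        if render(mutated) == baseline:
            candidates.append("/".join(str(part) for part in path))
    return candidates


if __name__ == "__main__":
    for field in find_excessive_fields(SAMPLE_RESPONSE, render_profile):
        print("candidate excessive field:", field)
```

Against a real front-end the "render" step is the live page (a DOM snapshot after replaying the mutated response), and the main practical caveat is nondeterministic content such as timestamps or ad slots: the baseline must be captured more than once and the unstable parts masked, or every field will look unused and the false-positive count will climb.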


