000151286 001__ 151286
000151286 005__ 20251017144611.0
000151286 0247_ $$2doi$$a10.1007/s10207-024-00970-5
000151286 0248_ $$2sideral$$a143132
000151286 037__ $$aART-2025-143132
000151286 041__ $$aeng
000151286 100__ $$aSantos Filho, Ailton
000151286 245__ $$aAutomated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation
000151286 260__ $$c2025
000151286 5060_ $$aAccess copy available to the general public$$fUnrestricted
000151286 5203_ $$aAbstract
          The representational state transfer architectural style (REST) specifies a set of rules for creating web services. In REST, data and functionality are considered resources, accessed and manipulated using a uniform, well-defined set of rules. RESTful web services are web services that follow the REST architectural style and are exposed to the Internet using RESTful APIs. Most of them are described by OpenAPI, a standard language-independent interface for RESTful APIs. RESTful APIs are continuously available on the Internet and are therefore a common target for cyberattacks. To prevent vulnerabilities and reduce risks in web systems, several security guidelines are available, such as those provided by the Open Web Application Security Project (OWASP) foundation. A common vulnerability in web services is broken object level authorization (BOLA), which allows an attacker to modify or delete data or perform actions intended only for authorized users. For example, an attacker can change an order status, delete a user account, or add unauthorized data to the server. In this paper, we propose a transformation from OpenAPI to Petri nets, which enables formal modeling and analysis of REST APIs using existing Petri net analysis techniques to detect potential security risks directly from the analysis of web server logs. In addition, we also provide a tool, named , which automatically performs the model transformation (taking the OpenAPI specification as input) and BOLA attack detection by analyzing web server execution traces. We apply it to a case study of a vulnerable web application to demonstrate its applicability. Our results show that it is capable of detecting BOLA attacks with an accuracy greater than 95% in the proposed scenarios.
000151286 536__ $$9info:eu-repo/grantAgreement/ES/DGA/T21-23R$$9info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
000151286 540__ $$9info:eu-repo/semantics/openAccess$$aby$$uhttps://creativecommons.org/licenses/by/4.0/deed.es
000151286 655_4 $$ainfo:eu-repo/semantics/article$$vinfo:eu-repo/semantics/publishedVersion
000151286 700__ $$0(orcid)0000-0001-7982-0359$$aRodríguez, Ricardo J.$$uUniversidad de Zaragoza
000151286 700__ $$aFeitosa, Eduardo L.
000151286 7102_ $$15007$$2570$$aUniversidad de Zaragoza$$bDpto. Informát.Ingenie.Sistms.$$cÁrea Lenguajes y Sistemas Inf.
000151286 773__ $$g24, 83 (2025), [19 pp.]$$pInternational Journal of Information Security$$tInternational Journal of Information Security$$x1615-5262
000151286 8564_ $$s1105040$$uhttps://zaguan.unizar.es/record/151286/files/texto_completo.pdf$$yVersión publicada
000151286 8564_ $$s2459982$$uhttps://zaguan.unizar.es/record/151286/files/texto_completo.jpg?subformat=icon$$xicon$$yVersión publicada
000151286 909CO $$ooai:zaguan.unizar.es:151286$$particulos$$pdriver
000151286 951__ $$a2025-10-17-14:17:29
000151286 980__ $$aARTICLE