151286 20251017144611.0 doi 10.1007/s10207-024-00970-5 sideral 143132 ART-2025-143132 eng Santos Filho, Ailton Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation 2025 Access copy available to the general public Unrestricted Abstract The representational state transfer architectural style (REST) specifies a set of rules for creating web services. In REST, data and functionality are considered resources, accessed, and manipulated using a uniform, well-defined set of rules. RESTful web services are web services that follow the REST architectural style and are exposed to the Internet using RESTful APIs. Most of them are described by OpenAPI, a standard language-independent interface for RESTful APIs. RESTful APIs are continuously available on the Internet and are therefore a common target for cyberattacks. To prevent vulnerabilities and reduce risks in web systems, there are several security guidelines available, such as those provided by the Open Web Application Security Project (OWASP) foundation. A common vulnerability in web services is broken object level authorization (BOLA), which allows an attacker to modify or delete data or perform actions intended only for authorized users. For example, an attacker can change an order status, delete a user account, or add unauthorized data to the server. In this paper, we propose a transformation from OpenAPI to Petri nets, which enables formal modeling and analysis of REST APIs using existing Petri net analysis techniques to detect potential security risks directly from the analysis of web server logs. In addition, we also provide a tool, named , which automatically performs model transformation (taking the OpenAPI specification as input) and BOLA attack detection by analyzing web server execution traces. We apply it to a case study of a vulnerable web application to demonstrate its applicability. Our results show that it is capable of detecting BOLA attacks with an accuracy greater than 95% in the proposed scenarios. info:eu-repo/grantAgreement/ES/DGA/T21-23R info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00 info:eu-repo/semantics/openAccess by https://creativecommons.org/licenses/by/4.0/deed.es info:eu-repo/semantics/article info:eu-repo/semantics/publishedVersion Rodríguez, Ricardo J. Universidad de Zaragoza (orcid)0000-0001-7982-0359 Feitosa, Eduardo L. 5007 570 Universidad de Zaragoza Dpto. Informát.Ingenie.Sistms. Área Lenguajes y Sistemas Inf. 24, 83 (2025), [19 pp.] International Journal of Information Security International Journal of Information Security 1615-5262 1105040 http://zaguan.unizar.es/record/151286/files/texto_completo.pdf Versión publicada 2459982 http://zaguan.unizar.es/record/151286/files/texto_completo.jpg?subformat=icon icon Versión publicada oai:zaguan.unizar.es:151286 articulos driver 2025-10-17-14:17:29 ARTICLE