As the development pattern of mobile applications worldwide gradually expands from native Apps to hybrid Apps, the complexity of App service systems is constantly increasing. Today, most mobile App servers are accessed through REST APIs. Developers often implement API functions and servers for the normal logic only and neglect to check abnormal input and logic. REST API and server vulnerabilities often lead to frequent online incidents, affecting user experience and even causing huge economic losses. Ensuring the robustness and security of App servers is an important issue that developers and testers need to pay attention to.

Fuzz testing, a technique that affects the internal execution of a program through abnormal external input data, is widely used in interface testing. Although many fuzz testing tools and frameworks have been proposed, most of them require a lot of manually predefined configuration or the provision of API specification documents, lack the support of real API parameter data, and use coarse-grained fuzz strategies. The efficiency and accuracy of these fuzz testing tools are not satisfactory.

This thesis introduces REST-Fuzzer, a trace-driven, fine-grained, scalable, and type-aware fuzz testing method for mobile REST APIs. REST-Fuzzer automatically obtains the HTTP traffic data of an App and filters the REST service APIs. Its REST parameter predictive model, which is based on the lattice model, predicts parameter types by analyzing multiple calls of the target API and generates parameter-level fuzz test cases, which narrows the fuzz testing range. The main contributions and innovations are as follows:

· This thesis introduces a complete trace-driven, fine-grained, scalable, and type-aware fuzz testing process for mobile REST APIs that does not require API specification documents to be provided manually. It can be applied to Apps of different categories in the App store and effectively detects vulnerabilities in App servers.

· A REST API filtering method with a deserialization mechanism for App network traffic data is proposed based on the real scenario. The method obtains REST APIs with structured parameters, which better reflect the logical relationships between systems and are more likely to trigger server vulnerabilities.

· A fine-grained REST parameter predictive model is designed based on the lattice model of program analysis, and a set of parameter mutation fuzz strategies is provided on top of it. Using this model to predict the types of the target API's parameters, parameter-level test cases can be generated and the fuzz testing range is effectively pruned.

To evaluate the effectiveness and performance of REST-Fuzzer, this thesis applies it to 25 real-world Apps of different categories, such as shopping, lifestyle and news, each downloaded over one million times in the real App store. The evaluation results show that REST-Fuzzer is universally applicable to the 25 Apps, and 5 App server vulnerabilities are effectively detected among them. A comparison experiment was performed on REST-Fuzzer, Burp Suite, and Fuzzapi using three different types of REST API. The results show that REST-Fuzzer can find the same or even more App server vulnerabilities with an average reduction of 85% in test cases and 80% in test time.
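The parameter type prediction and parameter-level test case generation described above, as an added example that is not REST-Fuzzer's own code: the type lattice, the boundary values and the recorded calls are assumptions constructed for illustration.

```python
import re

# Assumed type lattice (illustrative, not the thesis's own): BOTTOM is below
# everything, INT < FLOAT < STRING and BOOL < STRING; STRING is the top element.
UP = {"INT": "FLOAT", "FLOAT": "STRING", "BOOL": "STRING", "STRING": None}

# Boundary values tried per predicted type (constructed for this example).
MUTATIONS = {
    "INT": ["-1", "0", str(2**31), str(2**63), "1.5", ""],
    "FLOAT": ["-0.0", "1e309", "NaN", ""],
    "BOOL": ["", "2", "null"],
    "STRING": ["", "A" * 4096, " "],
}

def classify(value):
    """Map one observed value to the most specific lattice element."""
    if re.fullmatch(r"-?\d+", value):
        return "INT"
    if re.fullmatch(r"-?\d+\.\d+", value):
        return "FLOAT"
    if value.lower() in ("true", "false"):
        return "BOOL"
    return "STRING"

def chain(t):
    """Return t followed by every element above it in the lattice."""
    return [t] + (chain(UP[t]) if UP[t] else [])

def join(a, b):
    """Least upper bound of two lattice elements."""
    if a == "BOTTOM" or b == "BOTTOM":
        return b if a == "BOTTOM" else a
    return next(t for t in chain(a) if t in chain(b))

def predict(calls):
    """Join the types seen for each parameter across all recorded calls."""
    types = {}
    for call in calls:
        for name, value in call.items():
            types[name] = join(types.get(name, "BOTTOM"), classify(value))
    return types

def fuzz_cases(calls):
    """Mutate one parameter at a time, keeping the rest of the last call intact."""
    return [{**calls[-1], name: m}
            for name, t in predict(calls).items() for m in MUTATIONS[t]]

# Constructed trace: two recorded calls of one hypothetical API.
CALLS = [{"item_id": "1024", "price": "19.9", "gift": "true", "note": "blue"},
         {"item_id": "77", "price": "5", "gift": "false", "note": "42"}]
```

Because `price` was seen as both `19.9` and `5`, its type is joined upward to FLOAT, and each generated case changes exactly one parameter of the last recorded call.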