API Security Testing The Challenges of Security Testing For Restful APIs

The document discusses security testing for RESTful APIs and identifies several challenges. It begins by explaining the importance of security testing for RESTful APIs due to their increased usage and susceptibility to threats. It then identifies several types of security vulnerabilities that are important to test for, including input validation, authentication, authorization, error handling, session management, and third-party integrations. Finally, it concludes by emphasizing the need to establish efficient security testing techniques and practices to identify and mitigate vulnerabilities in RESTful APIs.
Volume 8, Issue 5, May 2023 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

API Security Testing: The Challenges of Security Testing for Restful APIs

Sattam J Alharbi, Tarek Moulahi
Department of Information Technology, College of Computer, Qassim University, Saudi Arabia

Abstract:- Modern web applications and software systems have shifted to relying on RESTful APIs, which are more susceptible to security threats such as injection attacks, authentication attacks, and data breaches. This article discusses the difficulties of performing security testing on RESTful APIs, such as input validation, authentication, and authorisation. It has been identified that vulnerabilities that affect security configuration include insufficient logging, faulty object-level authorisation, asset management, faulty function-level authorisation, and mass assignment. It concludes by summarising the findings and offering suggestions for maintaining the security of RESTful APIs using previous research studies.

Keywords:- API security testing; RESTful APIs; Security challenges; API security vulnerabilities; Security testing techniques; API security practices.

I. INTRODUCTION

Security has emerged as a significant worry due to the extensive use of RESTful APIs in contemporary software development. Many web and mobile apps depend on RESTful APIs to facilitate seamless data interchange and communication between platforms (Carlos Rodrguez et al., 2016). These APIs are, however, susceptible to several security risks, such as problems with authentication and authorisation, injection attacks, and data leakage. As a result, securing modern software applications now requires vulnerabilities in RESTful APIs to be found and mitigated.

The goal is to provide a thorough overview of RESTful API security testing, emphasising identifying and mitigating common vulnerabilities (Ehsan et al., 2022). The main objective is to list the many vulnerabilities that RESTful APIs can experience and to analyse the tools and methods that can be used to find and fix those issues. This article will also look at integrating security testing into the software development lifecycle and the recommended practices for protecting RESTful APIs.

There is a growing need to maintain the security of RESTful APIs as they become more widely used in contemporary software development. Data breaches, system outages, and reputational harm can result from failing to identify and fix RESTful API vulnerabilities, which can have serious repercussions. For any organisation that uses RESTful APIs, it is crucial to comprehend the vulnerabilities they are subject to and to establish efficient security testing techniques (Sean B. Cleveland et al., 2020).

A. Motivation
Checking API security has become a crucial part of developing applications. To find and fix these flaws and guarantee compliance with applicable security standards and best practices, security testing for RESTful APIs is required. The difficulties of security testing for RESTful APIs, the many kinds of security testing, and typical flaws that can be fixed through efficient security testing are all covered in this article.

B. Contribution
The article explains the difficulties in performing security testing on RESTful APIs, starting by briefly explaining RESTful APIs and their importance in the current software development environment, and then discussing the security issues that come up while testing RESTful APIs, such as input validation, authentication, and authorisation. From the security testing and mitigation of RESTful APIs, it has been identified that vulnerabilities that affect security configuration include insufficient logging, faulty object-level authorisation, asset management, faulty function-level authorisation, and mass assignment. It concludes by summarising the findings and offering suggestions for maintaining the security of RESTful APIs using previous research studies.

C. Paper organization
This paper is organized as follows: after the introduction, Section 2 discusses RESTful API security testing aspects and approaches. Section 3 covers the role of RESTful APIs in modern software development. Section 4 discusses the importance of security testing for RESTful APIs. Section 5 reviews the different types of security testing for RESTful APIs. Section 6 shows the challenges of security testing for RESTful APIs. Section 7 discusses the common vulnerabilities in RESTful APIs together with the approaches, models and tools used to study them. Finally, Section 8 presents the conclusion and future directions.

II. RESTFUL API SECURITY TESTING

Developing web-based applications, especially web services, has made Representational State Transfer (REST) a prominent architectural approach. RESTful APIs are widely used to facilitate communication between different software applications (Costa et al., 2014). However, the increased use of RESTful APIs has also made them an attractive target for hackers. As a result, security testing has become a critical aspect of the development process to ensure that RESTful APIs are secure and safe from vulnerabilities (Yahya et al., 2014). This section provides an overview of RESTful API security testing, its importance, and the different types of security testing that can be used.

IJISRT23MAY1879 www.ijisrt.com 1485


Fig. 1: Distribution of papers by model, approaches, and tools used for RESTful API security testing

Here are some key aspects to consider when testing the security of RESTful APIs:

A. Authentication
The authentication method used by the API, such as username/password login, token-based authentication, or OAuth 2.0 authentication, must be tested (Setiadi et al., 2019). Testers should attempt to get around the authentication process by accessing restricted resources without authorisation. Additionally, testers must look for account lockout mechanisms, brute-force resistance, and weak passwords.

B. Authorisation
This includes putting the API's authorisation system, which bases a user's access to resources on their role or privilege level, to the test. Access control list (ACL) vulnerabilities, privilege escalation vulnerabilities, and authorisation bypass vulnerabilities should all be looked for by testers (Modi et al., 2022).

C. Input Validation
This entails putting the input validation system of the API to the test, which verifies the accuracy of data submitted to the API. Common injection attacks that need to be tested for include SQL injection and cross-site scripting (XSS) (Hamza Ed-douibi et al., 2016). Additionally, testers should check for input-related security flaws and file upload vulnerabilities.

D. Output Validation
This involves putting the API's output validation system under test, which verifies the accuracy of the data the API returns. Cross-site request forgery (CSRF), cross-site scripting (XSS), and other output-related vulnerabilities should all be tested for by testers (Compagna et al., 2018).

E. Secure Communication
This entails testing the API's communication channel to ensure it is safe and cannot be eavesdropped on (Garg & Dave, 2019). Testers should look for communication-related security flaws, SSL/TLS certificate validation problems, and other concerns.

F. Error Handling
This entails putting the API's error handling system under test, which establishes how the API handles exceptions and errors. Testers should check for error messages that reveal sensitive information and for other error-related security problems (Garg & Dave, 2019).

G. Session Management
This involves testing the API's session management system, which controls how long user sessions last and how they are handled (Ehsan et al., 2022). Testers should look for vulnerabilities that could lead to session hijacking, session fixation, and other security problems.

H. Third-Party Integrations
This entails putting to the test the API's integration with outside services, which poses security issues. Testers should check for security risks in third-party APIs and services, such as data leakage, access control flaws, and other security hazards (Modi et al., 2022).

I. Rate Limiting
This entails testing the API's rate-limiting mechanism, which establishes how many requests can be sent to the API in a specific amount of time (Malki et al., 2022). Rate-limiting bypass vulnerabilities and other rate-limitation-related security problems should be tested for.

J. Logging and Monitoring
Testing the API's logging and monitoring systems, which keep track of all API activity and notify administrators of security events and abnormalities, is required. Testers should check for security concerns connected to logging and monitoring, such as log manipulation, log injection, and other hazards (Lee et al., 2014).
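The authentication, authorisation and error-handling aspects above, written as runnable black-box checks. This is an added example, not code from the paper: the API under test is a constructed in-memory stand-in (`call`, the `TOKENS` and `PROFILES` data) so the checks run offline; against a real API, `call` would issue HTTP requests instead.

```python
"""Black-box security checks for a RESTful API (added example).

The API is a constructed in-memory stand-in so the checks run offline; a real
test would send HTTP requests to the API under test from `call`.
"""
import json
from dataclasses import dataclass, field

# Constructed sample data: bearer token -> user, and one profile per user.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
PROFILES = {
    "alice": {"user": "alice", "email": "alice@example.test"},
    "bob": {"user": "bob", "email": "bob@example.test"},
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def call(method, path, headers=None, body=None):
    """Constructed API under test: GET/PATCH /profiles/<user>, owner-only."""
    headers = headers or {}
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = TOKENS.get(token)
    if user is None:
        return Response(401, {"error": "authentication required"})
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "profiles" or parts[1] not in PROFILES:
        return Response(404, {"error": "not found"})
    target = parts[1]
    if target != user:  # object-level authorisation: owner only
        return Response(403, {"error": "forbidden"})
    if method == "GET":
        return Response(200, dict(PROFILES[target]))
    if method == "PATCH":
        try:
            data = json.loads(body or "")
        except json.JSONDecodeError:
            # Generic message: the parser's own error text is not echoed back.
            return Response(400, {"error": "malformed request body"})
        if not isinstance(data, dict):
            return Response(400, {"error": "malformed request body"})
        PROFILES[target].update({k: v for k, v in data.items() if k == "email"})
        return Response(200, dict(PROFILES[target]))
    return Response(405, {"error": "method not allowed"})


# One check per aspect. Each returns (passed, detail) so a runner can report.

def check_authentication():
    """A. Authentication: missing and forged tokens are both rejected."""
    missing = call("GET", "/profiles/alice")
    forged = call("GET", "/profiles/alice", {"Authorization": "Bearer tok-nope"})
    ok = missing.status == 401 and forged.status == 401
    return ok, f"missing={missing.status} forged={forged.status}"


def check_authorisation():
    """B. Authorisation: a valid user cannot read another user's object."""
    r = call("GET", "/profiles/bob", {"Authorization": "Bearer tok-alice"})
    ok = r.status == 403 and "email" not in r.body
    return ok, f"cross-user read status={r.status} body={r.body}"


def check_error_handling():
    """F. Error handling: malformed JSON gives 400 with no internal detail."""
    r = call("PATCH", "/profiles/alice",
             {"Authorization": "Bearer tok-alice"}, body="{not json")
    text = json.dumps(r.body).lower()
    leaked = any(w in text for w in ("traceback", "exception", "expecting", "line "))
    ok = r.status == 400 and not leaked
    return ok, f"status={r.status} leaked={leaked}"


def run_checks():
    """Run every check and return {check name: passed}."""
    results = {}
    for fn in (check_authentication, check_authorisation, check_error_handling):
        passed, detail = fn()
        results[fn.__name__] = passed
        print(f"{'PASS' if passed else 'FAIL'} {fn.__name__}: {detail}")
    return results


if __name__ == "__main__":
    run_checks()
```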
Table 1: RESTful API Security Testing
Aspect of Security Testing | Approach
Authentication | Test for weak authentication mechanisms, such as weak passwords or lack of multi-factor authentication.
Authorisation | Test for improper access controls, such as privilege escalation attacks or inadequate role-based access controls.
Input Validation | Test for proper validation of user inputs to prevent injection attacks, such as SQL injection or cross-site scripting (XSS).
Error Handling | Test for proper error handling, such as ensuring error messages do not reveal sensitive information or cause application crashes.
Session Management | Test for proper session management, such as preventing session fixation attacks or session hijacking attacks.
API Rate Limiting | Test for proper API rate limiting to prevent denial of service (DoS) attacks or brute force attacks.
Integration Testing | Test for security vulnerabilities in third-party APIs or services that the API interacts with.
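The "API Rate Limiting" row of Table 1 and aspect I above, as an added example that is not from the paper: a fixed-window limiter, a constructed endpoint that returns 429 when the limiter denies, and two checks a tester would run, that the limit is actually enforced and that a client-supplied header does not hand out a fresh allowance. The clock is injected so the checks are deterministic; the limiter, `make_api` and the header keying functions are all constructed here.

```python
"""Rate-limiting checks (added example; not from the paper).

A fixed-window limiter keyed on an identity derived from the request, with two
black-box style checks: the limit is enforced, and a client-controlled header
(X-Forwarded-For) cannot be varied to obtain a fresh allowance. The clock is
injected so the checks are deterministic.
"""
from collections import defaultdict


class FixedWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window, clock):
        self.limit, self.window, self.clock = limit, window, clock
        self.counts = defaultdict(int)  # (key, window index) -> request count

    def allow(self, key):
        slot = (key, int(self.clock() // self.window))
        if self.counts[slot] >= self.limit:
            return False
        self.counts[slot] += 1
        return True


class FakeClock:
    """Constructed clock so windows can be advanced explicitly."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def make_api(limiter, key_fn):
    """Constructed endpoint: 429 when the limiter denies, otherwise 200."""
    def handle(headers):
        return 200 if limiter.allow(key_fn(headers)) else 429
    return handle


# Two keying strategies under test.
def key_by_token(headers):
    """Key on the authenticated identity (the credential the server verified)."""
    return headers.get("Authorization", "anonymous")


def key_by_forwarded_header(headers):
    """Weak: keys on a header the client controls, so the key is not trustworthy."""
    return headers.get("X-Forwarded-For", "unknown")


def check_limit_enforced(handle, headers, limit):
    """Exactly `limit` requests succeed in one window; the next one is 429."""
    statuses = [handle(headers) for _ in range(limit + 1)]
    return statuses[:limit] == [200] * limit and statuses[limit] == 429


def check_no_header_bypass(handle, headers, limit):
    """After the limit is used up, a changed X-Forwarded-For must still get 429."""
    for _ in range(limit):
        handle(headers)
    varied = dict(headers, **{"X-Forwarded-For": "203.0.113.7"})
    return handle(varied) == 429


def evaluate(key_fn, limit=5, window=60):
    """Run both checks against a fresh limiter that uses `key_fn`."""
    clock = FakeClock()
    handle = make_api(FixedWindowLimiter(limit, window, clock), key_fn)
    headers = {"Authorization": "Bearer tok-alice",
               "X-Forwarded-For": "198.51.100.1"}  # constructed client
    enforced = check_limit_enforced(handle, headers, limit)
    clock.advance(window)  # start a fresh window for the second check
    no_bypass = check_no_header_bypass(handle, headers, limit)
    return {"limit_enforced": enforced, "no_header_bypass": no_bypass}


if __name__ == "__main__":
    print("keyed on token:          ", evaluate(key_by_token))
    print("keyed on X-Forwarded-For:", evaluate(key_by_forwarded_header))
```

Both limiters pass the first check; only the one keyed on the verified identity passes the second, which is why the limiter's key, not just its threshold, belongs in the test plan.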

According to a study, data from online apps can leak even when encryption is used (Chen et al., 2010). This is done through routes known as "side channels." It was found by Serme et al. (2012) that the security of RESTful services is based either on transport layer security or ad hoc security techniques, both of which have security weaknesses. It has also been found that REST APIs can be examined for security issues using a collection of automatic security evaluations (Ovidiu Baniaș et al., 2021). Taken as a whole, these publications show that the risk of an attacker taking advantage of a RESTful application programming interface weakness is alarmingly high. Although APIs can be exploited (Macy, 2018), the effects of a hacking attempt depend on the situation and the type of data being transferred.

III. RESTFUL API AND ITS ROLE IN MODERN SOFTWARE DEVELOPMENT

The use of HTTP requests to access and modify data in web-based applications is known as a RESTful API. RESTful APIs have become integral to modern software development due to their flexibility, scalability, and ability to facilitate communication between different software applications (Lablans et al., 2015). RESTful APIs give programmers the ability to create web-based apps that are simple to link with other software programs. RESTful APIs use standard HTTP methods such as GET, POST, PUT, and DELETE to access and manipulate data (Christensen, 2009). RESTful APIs have become popular due to their ease of use, low overhead, and ability to support different data formats. They have become an essential part of modern software development and are used in various domains, such as e-commerce, finance, social media, and healthcare (Carneiro et al., 2021).

Fig. 2: SOAP vs REST API, Source (Malik & Kim, 2017)
It is concerned with the following:

A. Separation of Concerns
The separation of client-side and server-side concerns in RESTful APIs makes it simpler for developers to create, implement, and manage complex applications (Padmanaban et al., 2022). Because of this division, developers can modify one application component without affecting the others.

B. Scalability
Scalability refers to an API's ability to effectively manage a high volume of requests and responses (Le-Dang & Le-Ngoc, 2019). RESTful APIs are the best choice for use in large-scale enterprise applications because of their scalability.

C. Flexibility
Since RESTful APIs are adaptable, they can be used to send various data kinds, including text, photos, audio, and video. Thanks to this flexibility, developers can create various apps and services (Hästbacka et al., 2019).

D. Statelessness
RESTful APIs are stateless, which implies that every request includes all the data required to fulfil it (Guha, 2020). Performance is enhanced, and this statelessness facilitates the scalability of applications.

The fact that RESTful APIs work with any programming language that supports HTTP is one of their main advantages (Belkhir et al., 2019). The development of applications that can seamlessly connect is made more straightforward. RESTful APIs adhere to a standardised set of guidelines and restrictions, which helps to guarantee the API's effectiveness and scalability. Utilising RESTful APIs also allows developers to create simple applications for other developers to consume. As other programmers can build on top of the API to produce new applications and services, this can promote collaboration and creativity (Marilenaa et al., 2022).

According to the study's authors (Schreibmann & Braun, 2015), the development process would be enhanced by a model-driven approach in which an API is modelled, at a higher level of abstraction, using a new formal language created expressly for this application area. The source code for the business logic and database layers, as well as the API, can all be easily created from this model. The cost of documenting this procedure is nonexistent, and productivity increases along with a reduction in maintenance expenses and an increase in quality.

IV. IMPORTANCE OF SECURITY TESTING FOR RESTFUL APIS

A security breach in a RESTful API can result in unauthorised access to sensitive data, loss of user trust, financial loss, and legal consequences (Akhtar et al., 2021). Security testing can help detect and fix vulnerabilities before attackers exploit them. Security testing ensures that RESTful APIs are secure, reliable, and can be trusted by their users (Pourvahab & Ekbatanifard, 2019). Here are some reasons why security testing is essential for RESTful APIs:

A. Protects Sensitive Data
RESTful APIs can handle sensitive data, including user passwords, financial data, and personal information. Security audits can find any API flaws that might expose this data to unauthorised users (Rivera et al., 2019).

B. Mitigates the Risk of Attacks
RESTful APIs are often used to communicate between different systems, making them vulnerable to attacks (Rafique et al., 2019). Security testing can identify any weaknesses in the API that malicious actors could exploit.

C. Ensures Compliance
Many industries like finance and healthcare have strict data privacy and security regulations. Security testing can ensure that RESTful APIs comply with these regulations (Tek Raj Chhetri et al., 2022).

D. Maintains Brand Reputation
If an API is compromised, it can damage the brand reputation of the company that owns it (Buitelaar et al., 2018). Security testing can identify and mitigate any vulnerabilities before they can be exploited by attackers.

RESTful APIs are exposed to various security threats such as injection attacks, authentication and authorisation issues, cross-site scripting (XSS), cross-site request forgery (CSRF), and sensitive data exposure (MacDonald, 2013). These vulnerabilities can lead to data breaches, loss of confidential information, and damage to the organisation's reputation. Therefore, performing security testing on RESTful APIs is crucial to identify and mitigate these vulnerabilities before attackers exploit them.

One of the primary reasons for the security testing of RESTful APIs is to protect sensitive data. RESTful APIs may handle sensitive data, such as personal, financial, or business-critical information. Without proper security measures in place, this data could be compromised, resulting in severe consequences for the organisation (Karlsson et al., 2020). Security testing helps identify vulnerabilities in the API that could be exploited to gain access to this data. Another important reason for the security testing of RESTful APIs is to prevent unauthorised access. Unauthorised users can access unsecured APIs, potentially leading to data theft or manipulation. Security testing helps identify and remediate such vulnerabilities by checking access controls, authentication mechanisms, and authorisation policies (Kornienko et al., 2021).
V. DIFFERENT TYPES OF SECURITY TESTING FOR RESTFUL APIS

Several types of security testing can be used to test the security of RESTful APIs.

Table 2: Types of security testing


Type of testing | Title | Reference and year
Authentication and authorisation testing | Security evaluation of the OAuth 2.0 framework | 2015
Input validation testing | Deep Learning-Based Prediction of Test Input Validity for RESTful APIs | 2021
Parameter tampering testing | Classification of Web-Service-Based Attacks and Mitigation Techniques | 2018
Session management testing | Static analysis for web service security - Tools & techniques for a secure development life cycle | 2015
Penetration testing | Checking Security Properties of Cloud Service REST APIs | 2020
Vulnerability scanning | Automation of active reconnaissance phase: an automated API-based port and vulnerability scanner | 2021
Fuzz testing | REST API Fuzzing by Coverage Level Guided Blackbox Testing | 2021

A. Black-box testing

RESTful APIs frequently undergo black-box testing, a sort of security testing (Martin-Lopez et al., 2020). In a black-box test, the tester is unaware of how the system being evaluated operates from the inside. According to Alberto Martin-Lopez, black-box testing's objective is to find security flaws and vulnerabilities that a potential attacker may exploit. A variety of techniques can be used during black-box testing. These consist of the following:

• Authentication and Authorisation Testing:
Authentication and authorisation are essential security features that prevent unauthorised access to RESTful APIs (Sánchez et al., 2017). The authors of the study (Bhat & Kansal) proposed that the open authorisation (OAuth) 2.0 industry-standard protocol for authorisation enables users to grant a third-party website or application access to the user's protected resources without the user having to reveal their long-term credentials or even their identity.

As opposed to this, the researchers (Paoli & Zavattaro, 2012) showed how a single, centralised security service with a lightweight application programming interface might manage authentication and authorisation for dependable RESTful services. A person must trade their information for a token to access limited resources. The services may check with the security provider to confirm the validity of a user's token and any rights that have been granted to them. The system enables fine-grained control over which resources a specific user has access to using the role-based access control (RBAC) paradigm.

• Input Validation Testing:
According to Rodriguez et al. (2020), input validation testing ensures that data submitted to RESTful APIs is validated to prevent malicious input, such as SQL injection or cross-site scripting attacks. Miller et al. (2008) describe a semi-automated input validation tool created to improve upon the current state of insufficient and inappropriate input validation. Although many of the difficulties on the web are still relatively simple, developers do not seem to be aware of them or able to address them successfully (Danezis, 2012).

• Parameter Tampering Testing:
Testing for parameter tampering involves changing input parameters to see if getting unauthorised access or tampering with data is possible (Musa et al., n.d.). Parameter tampering testing, in the authors' opinion (Atashzar et al., 2011), can aid in locating weaknesses such as insufficient parameter encryption or weak parameter validation.

• Session Management Testing:
The RESTful API's secure administration of user sessions is ensured by session management testing (Chaleshtari et al., 2023). Session fixation, session hijacking, and short session timeout are examples of vulnerabilities that can be found via session management testing, as shown by the studies (DEWI, 2022).

• Boundary Testing:
This entails evaluating how the API responds to inputs that are outside the acceptable range, for instance testing the API's ability to handle extremely big or minimal inputs (Zhiwei & Zhongliang, 2020). Integer overflow vulnerabilities or other forms of input mistakes can be found using this technique.

• Penetration Testing:
Penetration testing is a technique for evaluating a system's security by simulating an adversarial assault (Sandhya et al., 2017). By spotting flaws and vulnerabilities that an attacker could take advantage of, penetration testing can be performed to assess the security of RESTful APIs. Penetration testing is possible using either human or automated techniques (Patel, 2019).

• Vulnerability Scanning:
The authors claim that it entails employing automated tools to scan the program for known vulnerabilities (Shah & Mehtre, 2015). The tools generate a report for the tester after locating vulnerabilities in the application.
• Protocol Testing:
Since HTTP is the foundation of RESTful APIs, it is critical to test how the API responds to various HTTP methods (GET, POST, PUT, DELETE, etc.) and HTTP status codes. This can assist in locating vulnerabilities brought on by incorrect HTTP request and response handling (Xiong et al., 2021).

• Fuzz Testing:
Fuzz testing, also known as "fuzzing," is a technique for testing software by providing unexpected or invalid input to the system to see how it responds (IEEE Conference Publication, 2023). A novel utility called SAGE (Scalable, Automated, Guided Execution) uses x86 instruction-level tracing and emulation to perform whitebox fuzzing of random file-reading Windows apps, as found by (Atlidakis et al., 2019). This indicates that RESTful APIs can be fuzz tested to discover bugs. It has been discovered by (Fertig & Braun, 2015) that test cases for RESTful APIs can be generated automatically by a software creator. This indicates that taint testing can be utilised when evaluating RESTful APIs. However, as discovered by (Klees et al., 2018), experimental reviews of fuzz testing methods can be flawed, resulting in inaccurate or misleading verdicts.

There are several methods for security testing RESTful APIs, including dynamic testing, static testing, and manual testing. To find any security flaws, dynamic testing entails executing the APIs and examining the results (Atlidakis et al., 2019). This method entails making different kinds of queries to the APIs and checking the replies to make sure that they adhere to the necessary security criteria. For instance, a dynamic security testing framework for RESTful APIs was presented by Corradini et al. in 2022. The framework comprises several processes, such as creating a testing environment, creating test cases, running tests, and producing reports. The authors tested their framework on several RESTful APIs and saw encouraging results.

On the other hand, static testing entails studying the API's source code without actually running it. This method is frequently used to find vulnerabilities that dynamic testing could miss. Code review is a typical static testing technique in which a group of developers or security specialists examine the code to find any security flaws (Khayer et al., 2020). The study's authors Talukder et al. (2019) developed a static analysis tool that examines the source code of RESTful APIs and finds security vulnerabilities using a combination of machine learning and natural language processing approaches. The authors had success using a real-world API to test their solution.

In manual testing, human testers carefully examine the APIs to find any security flaws. This method is frequently used in conjunction with dynamic testing to find vulnerabilities that might not be found otherwise. As an illustration, (Martin-Lopez et al., 2020) suggested a manual testing strategy for RESTful APIs that entails developing test cases based on security requirements and manually executing them. The authors successfully tested their strategy on a real-world API and got positive results.

Despite these security testing methods' success, testing RESTful APIs still presents several difficulties. The complexity of RESTful APIs, which can involve several levels and dependencies, is one of the significant difficulties. It is challenging to guarantee that all API components are appropriately tested due to their complexity (Laranjeiro et al., 2021). Additionally, RESTful APIs frequently interact with other APIs and services, increasing the complexity of testing, according to the research (Ehsan et al., 2022). The dynamic nature of APIs, which can lead to endpoints and behaviours that are continually changing, presents another difficulty. Therefore, it is crucial to maintain the testing procedure to guarantee that all potential vulnerabilities are found and fixed.

VI. THE CHALLENGES OF SECURITY TESTING FOR RESTFUL APIS

RESTful APIs have become a popular means of communication between applications and systems. They provide internet-based exposure to web services, allowing for system interoperability. However, the problem of protecting the security of the APIs comes with this ease of communication. RESTful APIs must be subject to security testing to ensure the confidentiality, integrity, and availability of data as well as the overall security of the system. Vulnerabilities must be found and mitigated.

Security testing for RESTful APIs is not without its challenges. Some of the challenges include the following:

Fig. 3: The Challenges of API Testing
A. API Complexity: One of the main challenges in security testing for
According to the author D V Kornienko (2021), RESTful RESTful APIs is the complexity of the interactions between
APIs can be complex, making it difficult to identify different system components, as observed from the studies
potential vulnerabilities. APIs can constantly be evolving, of (Karlsson et al., 2020). Since RESTful APIs rely on
making it challenging to keep up with changes. HTTP and are stateless, they require complex interactions
between different components of the system to function
B. Specialised Knowledge: correctly. This complexity can make it challenging to
As observed from the study Peng et al. (2022), Security identify vulnerabilities and test the security of the system
testing for RESTful APIs requires specialised knowledge (Ozdemir, 2020).
and skills. Developers and security testers must be familiar
with the REST architectural style, HTTP protocols, and API Another challenge observed from the studies of
security best practices. (Keping Yu et al., 2021) is the use of third-party libraries
and components. RESTful APIs often rely on third-party
C. Secure Transmission: libraries and components to perform various tasks, such as
RESTful APIs transmit data over the internet, which authentication, encryption, and validation. However, these
means that data can be intercepted and viewed by components may have their vulnerabilities or be
unauthorised parties. Testing for secure transmission involves ensuring that data is encrypted in transit using HTTPS and that the encryption is implemented correctly (A framework for measuring organisational information security vulnerability, 2023).

D. Rate Limiting:
RESTful APIs can be vulnerable to denial-of-service attacks, where an attacker overwhelms the system by sending many requests. Testing for rate limiting involves verifying that the API can handle high volumes of requests and that rate limits are appropriately enforced (Barabanov et al., 2022).

E. API Abuse:
RESTful APIs can be abused by attackers who use the API to scrape data or perform actions that are not intended. Testing for API abuse involves identifying and mitigating such attacks (Christensen, 2009).

F. Tool Limitations:
As observed in the study of (Nuno Realista et al., 2022), automated tools such as vulnerability scanners may not be able to identify all vulnerabilities in RESTful APIs. (Lamothe et al., 2021) argue that automated tools may also generate false positives or false negatives, making it challenging to determine the actual state of the APIs.

G. Lack of Standardisation:
There is a lack of standardisation in RESTful API development, making it challenging to create a standardised testing methodology (Gill et al., 2022).

H. Lack of Expertise:
The authors of the study (Aljedaani & Babar, 2021) revealed that there is a shortage of experts with the required knowledge and skills to perform security testing on RESTful APIs.

misconfigured, leading to vulnerabilities in the overall system. Additionally, these components may be updated or changed without notice, leading to unexpected vulnerabilities (Qingyang Zeng et al., 2023).

Furthermore, as observed in the study of (Mai et al., 2020), RESTful APIs are often used in distributed systems, which can make it challenging to test the security of the entire system. Since RESTful APIs are stateless, they do not maintain information about previous requests or responses, making it challenging to test the system's overall security. Additionally, distributed systems often have multiple points of entry, making it challenging to identify all potential vulnerabilities (Setiadi et al., 2019).

Finally, as highlighted in the study of (Krishnan et al., 2023), the increasing use of cloud computing and virtualisation technologies can introduce additional security challenges for RESTful APIs. Cloud providers may have their own security policies and procedures that must be followed, and virtualisation technologies may introduce additional abstraction layers that can make identifying vulnerabilities challenging (Almutairy & Al-Shqeerat, 2019).

VII. COMMON VULNERABILITIES IN RESTFUL APIS

RESTful APIs have become a popular choice for developers due to their simplicity, flexibility, and ability to integrate with other systems. However, the authors of the study (A framework for measuring organisational information security vulnerability, 2023) show that this ease of use also creates various security challenges. RESTful APIs are vulnerable to various attacks, which can have severe consequences, such as data breaches, financial losses, and reputational damage. This section focuses on the most common vulnerabilities found in RESTful APIs and their impact on the security of the system.
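As an added example that is not part of the paper, the following Python illustrates the rate-limiting check described under D: a per-client token-bucket limiter, a replay of a constructed request trace that verifies a burst is actually throttled while a well-behaved client is not, and a per-client rejection ratio that surfaces unusual traffic for monitoring. The class and function names and the traffic trace are assumptions made for this illustration.

```python
"""Token-bucket rate limiter plus a self-check that a burst is throttled.
Added example, not code from the paper; RateLimiter, replay, check_burst
and the request trace are assumptions made for this illustration."""
from collections import defaultdict


class RateLimiter:
    """One token bucket per client key (API key or source IP, for instance).

    capacity       : maximum burst a client may send at once
    refill_per_sec : sustained rate allowed once the burst is spent
    """

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets = {}                 # client -> [tokens, last_seen]
        self.seen = defaultdict(int)      # total requests per client
        self.rejected = defaultdict(int)  # throttled requests per client

    def allow(self, client, now):
        """Return True if the request arriving at time `now` is within the limit."""
        bucket = self.buckets.setdefault(client, [float(self.capacity), now])
        tokens, last = bucket
        # refill in proportion to elapsed time, never above capacity
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        bucket[1] = now
        self.seen[client] += 1
        if tokens >= 1.0:
            bucket[0] = tokens - 1.0
            return True
        bucket[0] = tokens
        self.rejected[client] += 1
        return False

    def suspicious_clients(self, min_requests=20, reject_ratio=0.5):
        """Clients whose throttled share is high enough to be worth alerting on;
        this is the monitoring signal a limiter should expose, not just a 429."""
        return sorted(c for c, n in self.seen.items()
                      if n >= min_requests and self.rejected[c] / n >= reject_ratio)


def replay(limiter, trace):
    """Feed a (timestamp, client) trace through the limiter in time order and
    count [allowed, rejected] per client."""
    counts = defaultdict(lambda: [0, 0])
    for now, client in sorted(trace):
        counts[client][0 if limiter.allow(client, now) else 1] += 1
    return dict(counts)


def check_burst(capacity=10, refill_per_sec=1.0):
    """The verification step from the text: push a high volume through and
    confirm the limit is enforced. Constructed trace: 'bot' fires 100 requests
    inside one second; 'user' sends one request every two seconds for 100 s."""
    limiter = RateLimiter(capacity, refill_per_sec)
    trace = [(i / 100.0, "bot") for i in range(100)]
    trace += [(2.0 * i, "user") for i in range(50)]
    counts = replay(limiter, trace)
    return {"counts": counts, "flagged": limiter.suspicious_clients()}


if __name__ == "__main__":
    # -> {'counts': {'bot': [10, 90], 'user': [50, 0]}, 'flagged': ['bot']}
    print(check_burst())
```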

IJISRT23MAY1879 www.ijisrt.com 1491


Table 3: Research on vulnerabilities

SR. NO.  Vulnerabilities                               Reference   Approach  Model  Tools
1        Broken Authentication                         2021        No        Yes    Yes
2        Broken authentication and session management  2018        Yes       No     No
3        Broken Authentication                         2021        Yes       No     No
4        Excessive Data Exposure                       2023        Yes       No     Yes
5                                                      2023        Yes       Yes    No
6        Lack of Resources & Rate Limiting             2019        Yes       No     No
7        Broken Function Level Authorisation           2021; 2022  No        Yes    Yes
8        Mass assignment                               2023; 2020  Yes       No     Yes
9        Security misconfiguration                     2015        Yes       No     Yes
10       Improper asset management                     2023        Yes       Yes    No
11       Insufficient Logging & Monitoring             2019        Yes       No     No
12       Injection                                                 Yes       No     No

A. Broken Object Level Authorisation
Broken object-level authorisation is a vulnerability that occurs when an API does not restrict access to objects based on the user's privileges. This means that a user can access and modify any object within the API, even if they do not have the required permissions (Haddad & Malki, 2022). Attackers can exploit this vulnerability to gain access to sensitive data and perform unauthorised actions, as observed in the study of (Taya et al., 2022).

The causes of this vulnerability include the lack of proper access control mechanisms and insufficient testing of access controls. Attackers can exploit this vulnerability by modifying requests to access unauthorised objects (Votipka et al., 2020). An attacker could manipulate a request to access another user's data or escalate their privileges to perform actions beyond their permissions.

A real-world example of this vulnerability is the Facebook Cambridge Analytica scandal, where a third-party app exploited the vulnerability in Facebook's API to access and harvest user data without consent. This resulted in a massive data breach and significantly damaged Facebook's reputation (Jeune, 2021).

B. Broken Authentication
As observed in the study of Bach-Nutman (2020), broken authentication is a vulnerability that occurs when an API does not properly authenticate users, allowing attackers to access the system without proper credentials. This vulnerability can be exploited through various techniques, such as brute force attacks, session hijacking, and credential stuffing.

The causes of this vulnerability include the use of weak or easily guessable passwords, the lack of multi-factor authentication, and the failure to implement secure session management; the study (Kabir & Elmedany, 2022) shows that attackers can exploit this vulnerability by stealing user credentials and using them to access the system.

One real-world example of this vulnerability is the Equifax data breach, where attackers exploited a vulnerability in Equifax's API to gain access to sensitive customer data. This breach compromised the personal information of over 143 million individuals and resulted in a significant loss of trust and financial damage for Equifax (Dennis et al., 2020).

C. Excessive Data Exposure
The authors of the study Pan et al. (2023) showed that excessive data exposure is a vulnerability that occurs when an API exposes more data than necessary, such as sensitive data or user credentials; attackers can exploit this vulnerability to gain access to sensitive data or perform unauthorised actions.

The causes of this vulnerability include the lack of proper data sanitisation and validation, the failure to implement proper access controls, and the use of insecure data storage; attackers can exploit this vulnerability by sending specially crafted requests to access sensitive data (Khan et al., 2021).

D. Lack of Resources & Rate Limiting
Lack of resources and rate limiting is a vulnerability that occurs when an API does not appropriately limit the number of requests that can be made, allowing attackers to overwhelm the system with requests and cause denial-of-service attacks (Sharieh & Ferworn, Securing APIs and Chaos Engineering, 2021).

The causes of this vulnerability include the failure to implement rate limiting, the use of weak or easily guessable API keys, and the lack of monitoring for unusual traffic patterns; attackers can exploit this vulnerability by sending a large number of requests to the API, causing the system to become overloaded and unresponsive (Azad et al., 2020).

One real-world example of this vulnerability is the Twitter API outage, where a group of attackers overloaded the API with requests, causing it to become unavailable for several hours (A, 2023).

E. Broken Function Level Authorisation:
As observed in the study of (Haddad & Malki, 2022), broken function level authorisation is a vulnerability that occurs when an API does not restrict access to specific functions or operations based on user roles or permissions. The authors of (Fredj et al., 2021) showed that this vulnerability could allow attackers to perform unauthorised actions on the system, such as deleting or modifying sensitive data. The vulnerability is typically caused by poor implementation of access control mechanisms, such as failing to check user permissions before allowing them to act.

Several studies have proposed diverse techniques to detect and mitigate broken function-level authorisation vulnerabilities in RESTful APIs. For example, a study by (Barabanov et al., 2022) proposed an access control testing approach that uses a combination of static and dynamic analysis techniques to identify vulnerabilities in APIs. The approach involves analysing the source code of the API to identify potential vulnerabilities and then using dynamic analysis techniques to test the API's behaviour under different scenarios.

F. Mass Assignment:
The authors of the study D V Kornienko (2021) discussed that mass assignment is a vulnerability that occurs when an API allows users to modify multiple attributes of an object in a single request. Attackers can exploit this vulnerability to modify sensitive data or gain unauthorised access to the system. The vulnerability is typically caused by poor validation of user input or a lack of proper access control mechanisms (Sidra & Michael, 2023).

To mitigate mass assignment vulnerabilities, several researchers have proposed different techniques. For example, a study by Gantikow et al. (2020) proposed a rule-based approach to detect and prevent mass assignment vulnerabilities in RESTful APIs. The approach involves defining rules that specify which attributes of an object can be modified by different user roles or permissions. When a request is received, the system checks the user's permissions and applies the relevant rules to determine which attributes can be modified.

An attacker can exploit a mass assignment vulnerability by sending specially crafted requests that include additional parameters or by modifying the values of existing parameters. As shown in the study of (Al-Jody, 2021), an attacker could modify a user's account information by sending a request that includes the "isAdmin" field set to "true". The attacker could gain administrative privileges if the API does not correctly validate this parameter.

One real-world example of a mass assignment vulnerability was discovered in 2011 in the Ruby on Rails framework. This vulnerability allowed attackers to modify any database record by sending specially crafted requests. The vulnerability affected thousands of websites and applications and was considered one of the most severe vulnerabilities ever discovered in the framework (Park et al., 2021).

G. Security Misconfiguration:
Security misconfiguration is a vulnerability that occurs when an API is configured with insecure settings, such as default passwords or unnecessary features enabled. This vulnerability can allow attackers to gain unauthorised access to the system or perform other malicious actions (Aljabri, Aldossary, Al-Homeed, Alhetelah, & Althubian, 2022). The vulnerability is typically caused by poor configuration management practices, such as failing to disable unnecessary features or using default passwords (Loureiro, 2021).

As observed in the study of Rahman et al. (2023), security misconfiguration occurs when the API allows unrestricted access to specific resources or functionality. This can happen when developers do not properly configure access controls or when they do not properly configure the API's authentication mechanisms. An attacker can exploit this vulnerability by accessing sensitive data or by performing actions on behalf of another user.

One real-world example of security misconfiguration occurred in 2017 when an unprotected Amazon Web Services (AWS) S3 bucket was discovered. The bucket contained sensitive data belonging to the US Army and was accessible to anyone who had the URL. This vulnerability was caused by the misconfiguration of the S3 bucket and highlighted the importance of proper configuration of cloud-based services (Jäger, 2021).

H. Injection:
As observed in the study of Hasan & Rahman (2023), injection vulnerabilities occur when an attacker can inject malicious code into an API, such as SQL or code injection. This vulnerability can allow attackers to execute arbitrary code on the system or access sensitive data. The vulnerability is typically caused by poor input validation or a lack of proper access control mechanisms.

To mitigate injection vulnerabilities, several researchers have proposed different techniques. For example, a study by Erik Trickel et al. (2022) proposed a technique that uses a combination of static and dynamic analysis to detect injection vulnerabilities in RESTful APIs. The approach involves analysing the source code of the API to identify potential injection points and then using dynamic analysis techniques to test the API's behaviour under different scenarios.
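The three access-control flaws discussed above (broken object-level authorisation, broken function-level authorisation, and mass assignment through a field such as "isAdmin") can be closed by one request-authorisation layer; the Python below is an added example, not code from the paper or from any of the cited studies, written in the spirit of the rule-based attribute approach described under F. The User model, the role names, and the WRITABLE and OPERATIONS rule tables are assumptions.

```python
"""Object-level, function-level and attribute-level authorisation checks for
a PATCH/DELETE user endpoint. Added example, not code from the paper or from
any cited study; User, the role names, WRITABLE and OPERATIONS are assumptions."""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str                 # "user" or "admin" (assumed roles)
    email: str
    is_admin: bool = False
    balance: int = 0


# Attribute rules: which model attributes each role may modify. Anything not
# listed for the caller's role is rejected, so a stray "isAdmin" in the body
# never reaches the model.
WRITABLE = {
    "user":  {"email"},
    "admin": {"email", "is_admin", "balance"},
}

# Function-level rules: which roles may invoke each operation at all.
OPERATIONS = {
    "PATCH /users/{id}":  {"user", "admin"},
    "DELETE /users/{id}": {"admin"},
}

# Wire-format JSON keys mapped onto model attributes; unknown keys are rejected.
FIELD_MAP = {"email": "email", "isAdmin": "is_admin", "balance": "balance"}


class Forbidden(Exception):
    """Raised when any of the three checks fails; a handler would map it to 403."""


class UserStore:
    def __init__(self, users):
        self.users = {u.id: u for u in users}

    def _check_function(self, requester, op):
        # BFLA: is this operation allowed for the caller's role?
        if requester.role not in OPERATIONS[op]:
            raise Forbidden(f"{requester.role} may not call {op}")

    def _check_object(self, requester, target):
        # BOLA: a non-admin may only act on the object they own
        if requester.role != "admin" and target.id != requester.id:
            raise Forbidden(f"user {requester.id} does not own object {target.id}")

    def _check_fields(self, requester, body):
        # mass assignment: every key must be known AND writable for this role;
        # checked before any attribute is written, so a bad request changes nothing
        for key in body:
            attr = FIELD_MAP.get(key)
            if attr is None or attr not in WRITABLE[requester.role]:
                raise Forbidden(f"{requester.role} may not set {key}")

    def patch_user(self, requester, target_id, body):
        self._check_function(requester, "PATCH /users/{id}")
        target = self.users[target_id]
        self._check_object(requester, target)
        self._check_fields(requester, body)
        for key, value in body.items():
            setattr(target, FIELD_MAP[key], value)
        return target

    def delete_user(self, requester, target_id):
        self._check_function(requester, "DELETE /users/{id}")
        target = self.users[target_id]
        self._check_object(requester, target)
        del self.users[target_id]
        return target_id


def outcome(fn, *args):
    """Run an operation and report 'ok' or the rejection reason."""
    try:
        fn(*args)
        return "ok"
    except Forbidden as exc:
        return f"forbidden: {exc}"


def demo():
    """Constructed scenario: alice and bob are ordinary users, root is an admin."""
    alice = User(1, "user", "alice@example.test")
    bob = User(2, "user", "bob@example.test")
    root = User(3, "admin", "root@example.test", is_admin=True)
    store = UserStore([alice, bob, root])
    return {
        "own_email":   outcome(store.patch_user, alice, 1, {"email": "a2@example.test"}),
        "bola":        outcome(store.patch_user, alice, 2, {"email": "x@example.test"}),
        "mass_assign": outcome(store.patch_user, alice, 1,
                               {"email": "a3@example.test", "isAdmin": True}),
        "bfla":        outcome(store.delete_user, alice, 1),
        "admin_grant": outcome(store.patch_user, root, 1, {"isAdmin": True}),
        "alice_admin": store.users[1].is_admin,
        "alice_email": store.users[1].email,   # "a3" was never applied
    }
```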

Fig. 4: Usage of tools, frameworks, and approaches for vulnerabilities testing

I. Improper Assets Management:
Improper assets management is a vulnerability that occurs when an API does not properly manage its assets, such as files or resources. This vulnerability can allow attackers to access or modify sensitive data or resources (Idris, Syarif, & Winarno, Web Application Security Education Platform Based on OWASP API Security Project, 2022). Poor access control mechanisms or improper asset management practices typically cause this vulnerability.

An example is the Capital One breach in 2019, where an attacker gained unauthorised access to the personal data of over 100 million customers. The vulnerability was caused by a misconfigured firewall, which allowed the attacker to exploit a broken authentication and session management vulnerability (Khan et al., 2022). Attackers can exploit insufficient authorisation to access sensitive data, perform unauthorised actions, or manipulate the behaviour of the system. This can lead to severe consequences, such as data breaches, financial losses, or reputational damage. The consequences of not detecting and mitigating vulnerabilities in RESTful APIs can be severe: they can result in the loss of sensitive data, financial losses, and damage to the reputation of the organisation. For example, the Equifax breach resulted in a settlement of $700 million, and the Capital One breach resulted in a settlement of $80 million. In addition to financial losses, organisations may also face legal penalties and damage to their reputation (Okafor, 2021).

Several researchers have proposed different techniques to detect and mitigate insufficient authorisation vulnerabilities in RESTful APIs. (Padma & Srinivasan, 2023) proposed a novel method that analyses access control policies specified in OAuth 2.0 and OpenID Connect to detect potential authorisation issues. Their approach involves analysing the relationships between different entities in the authorisation process, such as resource servers, clients, and authorisation servers, to identify potential authorisation conflicts or inconsistencies. The authors also propose an automated tool that implements their approach and can be integrated into the API testing workflow.

Using machine learning techniques to automatically find and fix authorisation flaws in RESTful APIs is another strategy, suggested by Sharieh and Ferworn (Securing APIs and Chaos Engineering, 2021). Their strategy looks through API request logs to find patterns of unusual behaviour that might point to authorisation problems. To find these patterns and send out notifications when possible vulnerabilities are found, the authors combine supervised and unsupervised learning approaches. Additionally, they suggest a mitigation technique that can be applied to automatically deny requests coming from malicious users or IP addresses.

In addition to insufficient authorisation vulnerabilities, other common vulnerabilities in RESTful APIs include injection attacks, broken authentication and session management, and insecure data storage. Injection attacks, such as SQL injection and cross-site scripting (XSS), can be particularly damaging and are often used by attackers to gain access to sensitive data or take control of the system (Idris, Syarif, & Winarno, Development of Vulnerable Web Application Based on OWASP API Security Risks, 2021). As observed in the study of (Gill et al., 2022), broken authentication and session management vulnerabilities, on the other hand, can allow unauthorised users to access protected resources or perform actions on behalf of legitimate users. Insecure data storage vulnerabilities can result in sensitive data being exposed or stolen, which can have severe consequences for both users and the organisation.

Researchers have suggested several strategies to identify and address these vulnerabilities, including static and dynamic analysis techniques, vulnerability scanning tools, and secure coding practices. For instance, Cao et al. (2020) proposed a dynamic analysis method that takes advantage of symbolic execution to create test cases for RESTful APIs and find injection vulnerabilities. Their strategy entails modelling the API as a finite state machine and producing constraints that accurately represent the API's behaviour. The authors also suggest a mitigating method that makes use of runtime monitors to find and deny requests that go against the restrictions.

The use of vulnerability scanning tools to automatically identify and prioritise vulnerabilities in RESTful APIs is another strategy, suggested by (Jorge Reyes et al., 2022). To find potential vulnerabilities, they analyse the API documentation and source code, grading the findings according to impact and severity. To increase the precision of the detection process, the authors also suggest a feedback mechanism that enables developers to offer more information or context about particular vulnerabilities.

VIII. CONCLUSION AND FUTURE DIRECTIONS
In conclusion, this review of security testing and mitigation for RESTful APIs has identified common RESTful API vulnerabilities and their potential effects on system security. These flaws include broken authentication, broken object-level authorisation, excessive data exposure, lack of resources and rate limiting, broken function-level authorisation, mass assignment, security misconfiguration, injection, improper asset management, and insufficient logging and monitoring. Along with instances of actual attacks that make use of these vulnerabilities, each vulnerability's causes and techniques of exploitation have also been covered.

This article's discussion of RESTful API security testing and mitigation also highlights the need for appropriate testing and mitigation procedures to prevent security breaches. Finally, the article has outlined future directions for further study in this area, including applying machine learning algorithms for vulnerability detection and creating automated security testing tools. Open research issues such as the lack of standardisation in RESTful API security testing and the complexity of finding complicated vulnerabilities have also been discussed.

This article's conclusion emphasises the significance of thorough testing and mitigation strategies for securing RESTful APIs. It highlights prospective topics for further research and offers insight into the current state of research in this field.

REFERENCES

[1.] A framework for measuring organisational information security vulnerability. (2023, March 17). Retrieved from http://dspace.library.uvic.ca/handle/1828/11300
[2.] A, H. (2023, March 17). Twitter suffers large outages on the web and mobile. Retrieved from https://www.theguardian.com/technology/2016/jan/19/twitter-down-over-web-and-mobile
[3.] Akhtar, D. N., Kerim, B., Perwej, D. Y., Tiwari, A., & Praveen, D. S. (2021). A Comprehensive Overview of Privacy and Data Security for Cloud Storage. International Journal of Scientific Research in Science Engineering and Technology.
[4.] Aljabri, M., Aldossary, M., Al-Homeed, N., Alhetelah, B., & Althubian, M. (2022). Testing and Exploiting Tools to Improve OWASP Top Ten Security Vulnerabilities Detection. 14th International Conference on Computational Intelligence and Communication Networks (CICN), 797-803.
[5.] Aljedaani, B., & Babar, M. A. (2021). Challenges With Developing Secure Mobile Health Applications: Systematic Review. JMIR mHealth and uHealth, 15654.
[6.] Al-Jody, T. (2021). Barricade: A Novel High-Performance Computing User and Security Management System Augmented with Machine Learning Technology.
[7.] Almutairy, N. M., & Al-Shqeerat, K. H. (2019). A Survey on Security Challenges of Virtualization Technology in Cloud Computing. International Journal of Computer Science & Information Technology (IJCSIT).
[8.] Atashzar, H., Torkaman, A., Bahrololum, M., & Tadayon, M. H. (2011). A survey on web application vulnerabilities and countermeasures. 6th International Conference on Computer Sciences and Convergence Information Technology (ICCIT), 647-652.
[9.] Atlidakis, V., Godefroid, P., & Polishchuk, M. (2019). RESTler: Stateful REST API Fuzzing. IEEE/ACM 41st International Conference on Software Engineering (ICSE), pp. 748–758.
[10.] Azad, B. A., Starov, O., Laperdrix, P., & Nikiforakis, N. (2020). Web Runner 2049: Evaluating Third-Party Anti-bot Services. Detection of Intrusions and Malware, and Vulnerability Assessment: 17th International Conference, DIMVA 2020, Lisbon, Portugal, June 24–26, 2020, Proceedings 17, 135-159.
[11.] Bach-Nutman, M. (2020). Understanding The Top 10 OWASP Vulnerabilities. arXiv preprint arXiv, 2012.09960.
[12.] Barabanov, A., Dergunov, D., Makrushin, D., & Teplov, A. (2022). Automatic detection of access control vulnerabilities via API specification processing. arXiv preprint arXiv, 2201.10833.
[13.] Belkhir, A., Abdellatif, M., Tighilt, R., Moha, N., & Guéhén, Y.-G. (2019). An Observational Study on the State of REST API Uses in Android Mobile Applications. IEEE/ACM 6th International

Conference on Mobile Software Engineering and Systems (MOBILESoft), 66-75.
[14.] Bhat, P. K., & Kansal, R. (n.d.). Development of RESTful Web API using Token-based OAuth 2.0 Authorisation. International Journal of Engineering Research.
[15.] Buitelaar, P., Wood, I. D., Negi, S., Arcan, M., & McCrae, J. P. (2018). MixedEmotions: An Open-Source Toolbox for Multimodal Emotion Analysis. IEEE Transactions on Multimedia, 2454-2465.
[16.] Cao, C., Guan, L., Ming, J., & Liu, P. (2020). Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation. Annual Computer Security Applications Conference, 746-759.
[17.] Carlos Rodríguez et al. (2016). REST APIs: A Large-Scale Analysis of Compliance with Principles and Best Practices. Web Engineering: 16th International Conference, ICWE 2016, Lugano, Switzerland, June 6-9, 2016. Proceedings 16, 21-39.
[18.] Carneiro, G., Toniolo, A., Ncenta, M. A., & Quigley, A. J. (2021). Text vs Graphs in Argument Analysis. IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), 1-9.
[19.] Chaleshtari, N. B., Pastore, F., Goknil, A., & Briand, L. C. (2023). Metamorphic Testing for Web System Security. IEEE Transactions on Software Engineering.
[20.] Chen, S., Wang, R., Wang, X., & Zhang, K. (2010). Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow. IEEE Symposium on Security and Privacy, 191-206.
[21.] Christensen, J. H. (2009). Using RESTful web services and cloud computing to create next-generation mobile applications. Proceedings of the 24th ACM SIGPLAN conference companion on Object-oriented programming systems languages and applications, 627-634.
[22.] Compagna, L., Guilleminot, P., & Brucker, A. D. (2018). Business Process Compliance via Security Validation as a Service. IEEE Sixth International Conference on Software Testing, Verification, and Validation, 455-462.
[23.] Corradini, D., Zampieri, A., Pasqua, M., Viglianisi, E., Dallago, M., & Ceccato, M. (2022). Automated black-box testing of nominal and error scenarios in RESTful APIs. Software Testing, Verification and Reliability, 1808.
[24.] Costa, B., Pires, P. F., Delicato, F. C., & Merson, P. (2014). Evaluating a Representational State Transfer (REST) Architecture: What is the Impact of REST in My Architecture? IEEE/IFIP Conference on Software Architecture, 105-114.
[25.] D V Kornienko, S. V. (2021). The Single Page Application architecture when developing secure Web services. Journal of Physics: Conference Series, 012065.
[26.] Danezis, G. (2012). Financial Cryptography and Data Security. Springer Berlin Heidelberg.
[27.] Dennis, K., Alibayev, M., & Ligatti, J. (2020). Cybersecurity Vulnerabilities in Mobile Fare Payment Applications: A Case Study. Transportation Research Record, pp. 616–624.
[28.] DEWI, B. T. (2022). Web Security Compliance To Owasp And Sans Standard.
[29.] Ehsan, A., Abuhaliqa, M. A., Catal, C., & Mishra, D. (2022). RESTful API Testing Methodologies: Rationale, Challenges, and Solution Directions. Applied Sciences, 12(9), 4369.
[30.] Fertig, T., & Braun, P. (2015). Model-driven Testing of RESTful APIs. Proceedings of the 24th International Conference on World Wide Web, 1497-1502.
[31.] Fredj, O. B., Cheikhrouhou, O., Krichen, M., Hamam, H., & Derhab, A. (2021). An OWASP Top Ten Driven Survey on Web Application Protection Methods. Risks and Security of Internet and Systems: 15th International Conference, CRiSIS 2020, Paris, France, November 4–6, 2020, Revised Selected Papers 15, 235-252.
[32.] Gantikow, H., Reich, C., Knahl, M., & Clarke, N. (2020). Rule-Based Security Monitoring of Containerized Environments. Cloud Computing and Services Science: 9th International Conference, CLOSER 2019, Heraklion, Crete, Greece, 66-86.
[33.] Garg, H., & Dave, M. (2019). Securing IoT Devices and Securely Connecting the Dots Using REST API and Middleware. 4th International Conference on Internet of Things: Smart Innovation and Usages, pp. 1–6.
[34.] Gill, S. S., Sharma, B., Bansal, V., Sharma, K., & Goyal, A. (2022). Vulnerability Exploiter for Web Applications. 2nd International Conference on Innovative Practices in Technology and Management (ICIPTM), pp. 292–299.
[35.] Guha, S. (2020). A Comparative Study Between Graph-QL & Restful Services in API Management of Stateless Architectures. International Journal on Web Service Computing (IJWSC), 11(2).
[36.] Haddad, R., & Malki, R. E. (2022). OpenAPI Specification Extended Security Scheme: A method to reduce the prevalence of Broken Object Level Authorization. arXiv preprint arXiv, 2212.06606.
[37.] Hamza Ed-douibi et al. (2016). EMF-REST: generation of RESTful APIs from models. Proceedings of the 31st Annual ACM Symposium on Applied Computing, 1446-1453.
[38.] Hasan, M. A., & Rahman, M. M. (2023). Minimise Web Applications vulnerabilities through the early Detection of CRLF Injection. arXiv preprint arXiv, 2303.02567.
[39.] Hästbacka, D., Halme, J., Larrañaga, M., More, R., & Mesiä, H. (2019). Dynamic and Flexible Data Acquisition and Data Analytics System Software Architecture. IEEE SENSORS, 1-4.
[40.] Idris, M., Syarif, I., & Winarno, I. (2021). Development of Vulnerable Web Application Based on OWASP API Security Risks. International Electronics Symposium (IES), 190-194.
[41.] Idris, M., Syarif, I., & Winarno, I. (2022). Web Application Security Education Platform Based on OWASP API Security Project. EMITTER International Journal of Engineering Technology, 246-261.
[42.] IEEE Conference Publication. (2023, March 17). Web application fuzz testing. Retrieved from https://ieeexplore.ieee.org/abstract/document/8285893
[43.] Jäger, A. (2021). Finding and evaluating the effects of improper access control in the Cloud.
[44.] Jeune, M. L. (2021). Facebook and the Cambridge Analytica Scandal: Privacy and Personal Data Protection in Canada. Curve. Carleton.
[45.] Jorge Reyes et al. (2022). An Environment-Specific Prioritisation Model for Information-Security Vulnerabilities Based on Risk Factor Analysis. Electronics, 1334.
[46.] Kabir, M. A., & Elmedany, W. (2022). An Overview of the Present and Future of User Authentication. 4th IEEE Middle East and North Africa COMMunications Conference (MENACOMM), 10-17.
[47.] Karlsson, S., Čaušević, A., & Sundmark, D. (2020). QuickREST: Property-based Test Generation of OpenAPI-Described RESTful APIs. IEEE 13th International Conference on Software Testing, Validation and Verification (ICST), 131-141.
[48.] Keping Yu et al. (2021). Blockchain-Enhanced Data Sharing With Traceable and Direct Revocation in IIoT. IEEE Transactions on Industrial Informatics, 7669-7678.
[49.] Khan, F., Kim, J. H., Mathiassen, L., & Moore, R. (2021). Data Breach Management: An Integrated Risk Model. Information & Management, 103392.
[50.] Khan, S., Kabanov, I., Hua, Y., & Madnick, S. (2022). A Systematic Analysis of the Capital One Data Breach: Critical Lessons Learned. ACM Transactions on Privacy and Security, 1-29.
[51.] Khayer, A. A., Almomani, I., & Elkawlak, K. (2020). ASAF: Android Static Analysis Framework. First International Conference of Smart Systems and Emerging Technologies, 197-202.
[52.] Klees, G., Ruef, A., Cooper, B., Wei, S., & Hicks, M. (2018). Evaluating Fuzz Testing. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2123-2138.
[53.] Kornienko, D. V., Mishina, S. V., Shcherbatykh, S. V., & Melnikov, M. O. (2021). Principles of securing RESTful API web services developed with Python frameworks. Journal of Physics: Conference Series, 032016.
[54.] Krishnan, P., Jain, K., Aldweesh, A., Prabu, P., & Buyya, R. (2023). OpenStackDP: a scalable network security framework for SDN-based OpenStack cloud infrastructure. Journal of Cloud Computing, p. 26.
[55.] Lablans, M., Borg, A., & Ückert, F. (2015). A RESTful interface to pseudonymisation services in modern web applications. BMC Medical Informatics and Decision Making, 1-10.
[56.] Lamothe, M., Li, H., & Shang, W. (2021). Assisting Example-Based API Misuse Detection via Complementary Artificial Examples. IEEE Transactions on Software Engineering, pp. 3410–3422.
[57.] Laranjeiro, N., Agnelo, J., & Bernardino, J. (2021). A Black Box Tool for Robustness Testing of REST Services. IEEE Access, 24738-24754.
[58.] Le-Dang, Q., & Le-Ngoc, T. (2019). Scalable Blockchain-based Architecture for Massive IoT Reconfiguration. IEEE Canadian Conference of Electrical and Computer Engineering (CCECE), 1-4.
[59.] Lee, S., Jo, J.-Y., & Kim, Y. (2014). Environmental Sensor Monitoring with Secure RESTful Web Service. International Journal of Services Computing, 30-42.
[60.] Loureiro, S. (2021). Security misconfigurations and how to prevent them. Network Security, pp. 13–16.
[61.] MacDonald, N. (2013). Time lags in biological models. Springer Science & Business Media.
[62.] Macy, J. (2018). API security: Whose job is it anyway? Network Security, pp. 6–9.
[63.] Mai, P. X., Pastore, F., Goknil, A., & Briand, L. (2020). Metamorphic Security Testing for Web Systems. IEEE 13th International Conference on Software Testing, Validation, and Verification (ICST), pp. 186–197.
[64.] Malik, S., & Kim, D.-H. (2017). A comparison of RESTful vs SOAP web services in actuator networks. 2017 Ninth International Conference on Ubiquitous and Future Networks (ICUFN), 753-755.
[65.] Malki, A. E., Zdun, U., & Pautasso, C. (2022). Impact of API Rate Limit on Reliability of Microservices-Based Architectures. IEEE International Conference on Service-Oriented System Engineering (SOSE), 19-28.
[66.] Marilenaa, D., Ivana, H., Silvioa, P., & Davida, S. (2022). Creating RESTful APIs over SPARQL endpoints using RAMOSE. Semantic Web, 195-213.
[67.] Martin-Lopez, A., Segura, S., & Ruiz-Cortés, A. (2020). RESTest: Black-Box Constraint-Based Testing of RESTful Web APIs. Service-Oriented Computing: 18th International Conference, ICSOC 2020, Dubai, United Arab Emirates, December 14–17, 2020, Proceedings 18, 459-475.
[68.] Miller, J., Zhang, L., Ofuonye, E., & Smith, M. (2008). The Theory and Implementation of InputValidator: A Semi-Automated Value-Level Bypass Testing Tool. International Journal of Information Technology and Web Engineering (IJITWE), pp. 28–45.
[69.] Modi, B., Chourasia, U., & Pandey, R. (2022). Design and implementation of RESTFUL API-based model for vulnerability detection and mitigation. IOP Conference Series: Materials Science and Engineering, 012010.
[70.] Musa, A., Empakeris, M., Chan, V., & Chan, Y. (n.d.). Security Assessment of istline Market Web Application.
[71.] Nuno Realista et al. (2022). Improving Android Application Quality Through Extendable, Automated Security Testing. Emerging Trends in Cybersecurity Applications, 251-274.
[72.] Okafor, R. (2021). Cybersecurity Due Diligence in Mergers & Acquisitions Transactions. Available at SSRN, 3915861.
[73.] Ovidiu Baniaș et al. (2021). Automated Specification-Based Testing of REST APIs. Sensors, 5375.
[74.] Ozdemir, E. (2020). A General Overview of RESTful Web Services. Applications and approaches to object-oriented software design: emerging research and opportunities, pp. 133–165.
[75.] Padma, P., & Srinivasan, S. (2023). DAuth—Delegated Authorization Framework for Secured Serverless Cloud Computing. Wireless Personal Communications, pp. 1–21.
[76.] Padmanaban, R., Thirumaran, M., Anitha, P., & Moshika, A. (2022). Computability evaluation of RESTful API using Primitive Recursive Function. Journal of King Saud University-Computer and Information Sciences, pp. 457–467.
[77.] Pan, L., Cohney, S., Murray, T., & Pham, V.-T. (2023). Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing. arXiv
[85.] Rahman, A., Shamim, S. I., & Bose, D. B. (2023). Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study. ACM Transactions on Software Engineering and Methodology.
[86.] Rivera, D., García, A., Martín-Ruiz, M. L., & Alarcos, B. (2019). Secure Communications and Protected Data for an Internet of Things Smart Toy Platform. IEEE Internet of Things Journal, 3785-3795.
[87.] Rodríguez, G. E., Torres, J. G., Flores, P., & Benavides, D. E. (2020). Cross-site scripting (XSS) attacks and mitigation: A survey. Computer Networks, 106960.
[88.] Sánchez, Y. K., Demurjian, S. A., & Baihan, M. S. (2017). Achieving RBAC on RESTful APIs for Mobile Apps Using FHIR. 2017 5th IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (MobileCloud), 139-144.
[89.] Sandhya, S., Purkayastha, S., Joshua, E., & Deep, A. (2017). Assessment of website security by penetration testing using Wireshark. 4th International Conference
preprint arXiv, 2301.09258. on Advanced Computing and Communication Systems
[78.] Paoli, D., F., P. E., & Zavattaro, G. (2012). Service- (ICACCS), 1-4.
oriented and Cloud Computing: First European [90.] Schreibmann, V., & Braun, P. (2015). Model-driven
Conference, ESOCC 2012, Bertinoro, Italy, development of RESTful APIs. International
September 19-21, 2012, Proceedings (Vol. 7592). Conference on Web Information Systems and
Springer. Technologies, 5-14.
[79.] Park, D. B., Li, X., Shahhosseini, A. M., & Tsay, L.- [91.] Sean B. Cleveland et al. (2020). Tapis API
S. (2021). A static code analysis-based mathematical Development with Python: Best Practices In
model-driven vulnerability risk assessment Scientific REST API Implementation: Experience
framework for health information applications in the implementing a distributed Stream API. Practice and
Cloud. International Journal of Forensic Engineering Experience in Advanced Research Computing, pp.
and Management, 179-208. 181–187.
[80.] Patel, K. (2019). A Survey on Vulnerability [92.] Serme, G., Oliveira, A. S., Massiera, J., & Roudier,
Assessment & Penetration Testing for Secure Y. (2012). Enabling Message Security for RESTful
Communication. 3rd International Conference on Services. IEEE 19th International Conference on
Trends in Electronics and Informatics (ICOEI), pp. Web Services, 114-121.
320–325. [93.] Setiadi, D. R., Najib, A. F., Rachmawanto, E. H., &
[81.] Peng, C., Gao, Y., & Yang, P. (2022). Automated Sari, C. A. (2019). A Comparative Study MD5 and
Server Testing: An Industrial Experience Report. SHA1 Algorithms to Encrypt REST API
IEEE International Conference on Software Authentication on Mobile-based Application.
Maintenance and Evolution (ICSME), 519-522. International Conference on Information and
[82.] Pourvahab, M., & Ekbatanifard, G. (2019). Digital Communications Technology (ICOIACT), 206-211.
Forensics Architecture for Evidence Collection and [94.] Shah, S., & Mehtre, B. M. (2015). An overview of
Provenance Preservation in IaaS Cloud Environment vulnerability assessment and penetration testing
Using SDN and Blockchain Technology. IEEE techniques. Journal of Computer Virology and
Access, 153349-153364. Hacking Techniques, 27-49.
[83.] Qingyang Zeng et al. (2023). Full-stack vulnerability [95.] Sharieh, S., & Ferworn, A. (2021). Securing APIs and
analysis of the cloud-native platform. Computers & Chaos Engineering. IEEE Conference on
Security, 103173. Communications and Network Security (CNS), 290-
[84.] Rafique, W., He, X., Liu, Z., Sun, Y., & Dou, W. 294.
(2019). CFADefense: A Security Solution to Detect [96.] Sharieh, S., & Ferworn, A. (2021). Securing APIs and
and Mitigate Crossfire Attacks in Software-Defined Chaos Engineering. IEEE Conference on
IoT-Edge Infrastructure. IEEE 21st International Communications and Network Security (CNS), 290-
Conference on High-Performance Computing and 294.
Communications; IEEE 17th International [97.] Sidra, A., & Michael, M. (2023). A framework for
Conference on Smart City; IEEE 5th International privacy-aware and secure decentralised data storage.
Conference on Data Science and Systems Computer Science and Information Systems.
(HPCC/SmartCity/DSS), 500-509. [98.] Talukder, M. A., Shahriar, H., Qian, K., Rahman, M.,
& Ahamed, S. I. (2019). DroidPatrol: A Static

IJISRT23MAY1879 www.ijisrt.com 1498


Volume 8, Issue 5, May 2023 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165
Analysis Plugin For Secure Mobile Software
Development. IEEE 43rd annual computer software
and applications conference (COMPSAC), pp. 565–
569.
[99.] Taya, T., Hanada, M., Murakami, Y., Waseda, A.,
Ishida, Y., & M, T. (2022). An Automated
Vulnerability Assessment Approach for WebAPI that
Considers Requests and Responses. 24th
International Conference on Advanced
Communication Technology (ICACT), 423-430.
[100.] Tek Raj Chhetri et al. (2022). Data Protection by
Design Tool for Automated GDPR Compliance
Verification Based on Semantically Modeled
Informed Consent. Sensors, 2763.
[101.] Votipka, D., Fulton, K. R., Parker, J., Hou, M.,
Mazurek, M. L., & Hicks, M. (2020). Understanding
security mistakes, developers make Qualitative
analysis from Build It, Break It, Fix It. USENIX
Security Symposium (USENIX Security 20), pp. 109–
126.
[102.] Xiong, H., Jin, C., Alazab, M., Yeh, K.-H., & Wang,
H. (2021). On the Design of Blockchain-Based
ECDSA With Fault-Tolerant Batch Verification
Protocol for Blockchain-Enabled IoMT. IEEE
Journal of Biomedical and health informatics, 1977-
1986.
[103.] Yahya, F., Chang, V., Walters, R., & Wills, G.
(2014). Security Challenges in Cloud Storages. IEEE
6th International Conference on Cloud Computing
Technology and Science, pp. 1051–1056.
[104.] Zhiwei, L., & Zhongliang, P. (2020). The Realisation
of Integrity Test of Boundary-Scan Structure. IEEE
International Conference on Artificial Intelligence
and Computer Applications (ICAICA), pp. 722–724.

IJISRT23MAY1879 www.ijisrt.com 1499

You might also like