Automated Testing of Broken Authentication Vulnerabilities in Web APIs with AuthREST
- URL: http://arxiv.org/abs/2509.10320v1
- Date: Fri, 12 Sep 2025 15:00:58 GMT
- Title: Automated Testing of Broken Authentication Vulnerabilities in Web APIs with AuthREST
- Authors: Davide Corradini, Mariano Ceccato, Mohammad Ghafari
- Abstract summary: We present AuthREST, an open-source security testing tool targeting broken authentication. AuthREST automatically tests web APIs for credential stuffing, password brute forcing, and unchecked token authenticity.
- Score: 4.709101341936703
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: We present AuthREST, an open-source security testing tool targeting broken authentication, one of the most prevalent API security risks in the wild. AuthREST automatically tests web APIs for credential stuffing, password brute forcing, and unchecked token authenticity. Empirical results show that AuthREST is effective in improving web API security. Notably, it uncovered previously unknown authentication vulnerabilities in four public APIs.
Related papers
- State of Passkey Authentication in the Wild: A Census of the Top 100K sites [1.5822425915135876]
  Passkeys are discoverable WebAuthn credentials synchronised across devices. Major vendors have integrated passkeys into operating systems and browsers. Yet the true extent of adoption across the broader web remains unknown.
  arXiv Detail & Related papers (2026-02-16T19:28:55Z)
- Rethinking Broken Object Level Authorization Attacks Under Zero Trust Principle [24.549812554065475]
  Broken Object Level Authorization (BOLA) is the top vulnerability in the API Security Top 10. We propose BOLAZ, a defense framework grounded in zero trust principles. We validate BOLAZ through empirical research on 10 GitHub projects.
  arXiv Detail & Related papers (2025-07-03T04:40:14Z)
- LlamaRestTest: Effective REST API Testing with Small Language Models [50.058600784556816]
  We present LlamaRestTest, a novel approach that employs two custom Large Language Models (LLMs) to generate realistic test inputs. We evaluate it against several state-of-the-art REST API testing tools, including RESTGPT, a GPT-powered specification-enhancement tool. Our study shows that small language models can perform as well as, or better than, large language models in REST API testing.
  arXiv Detail & Related papers (2025-01-15T05:51:20Z)
- A Multi-Agent Approach for REST API Testing with Semantic Graphs and LLM-Driven Inputs [46.65963514391019]
  We present AutoRestTest, the first black-box tool to adopt a dependency-embedded multi-agent approach for REST API testing. Our approach treats REST API testing as a separable problem, where four agents collaborate to optimize API exploration. Our evaluation of AutoRestTest on 12 real-world REST services shows that it outperforms the four leading black-box REST API testing tools.
  arXiv Detail & Related papers (2024-11-11T16:20:27Z)
- FATH: Authentication-based Test-time Defense against Indirect Prompt Injection Attacks [45.65210717380502]
  Large language models (LLMs) have been widely deployed as the backbone with additional tools and text information for real-world applications. Prompt injection attacks are particularly threatening, where malicious instructions injected in the external text information can exploit LLMs to generate answers as the attackers desire. This paper introduces a novel test-time defense strategy, named AuThentication with Hash-based tags (FATH).
  arXiv Detail & Related papers (2024-10-28T20:02:47Z)
- DeepREST: Automated Test Case Generation for REST APIs Exploiting Deep Reinforcement Learning [5.756036843502232]
  This paper introduces DeepREST, a novel black-box approach for automatically testing REST APIs. It leverages deep reinforcement learning to uncover implicit API constraints, that is, constraints hidden from API documentation. Our empirical validation suggests that the proposed approach is very effective in achieving high test coverage and fault detection.
  arXiv Detail & Related papers (2024-08-16T08:03:55Z)
- Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication [6.338839764436795]
  This paper investigates the vulnerabilities in the Web3 authentication process and proposes a new type of attack, dubbed blind message attacks. In blind message attacks, attackers trick users into blindly signing messages from target applications by exploiting users' inability to verify the source of messages. We have developed Web3AuthChecker, a dynamic detection tool that interacts with Web3 authentication-related APIs to identify vulnerabilities.
  arXiv Detail & Related papers (2024-06-01T18:19:47Z)
- Mining REST APIs for Potential Mass Assignment Vulnerabilities [1.0377683220196872]
  We propose a lightweight approach to mine the REST API specifications and identify operations and attributes that are prone to mass assignment. We conducted a preliminary study on 100 APIs and found 25 prone to this vulnerability. We confirmed nine real vulnerable operations in six APIs.
  arXiv Detail & Related papers (2024-05-02T09:19:32Z)
- A Novel Protocol Using Captive Portals for FIDO2 Network Authentication [45.84205238554709]
  We introduce FIDO2CAP: FIDO2 Captive-portal Authentication Protocol. We develop a prototype of FIDO2CAP authentication in a mock scenario. This work makes the first systematic approach for adapting network authentication to the new authentication paradigm relying on FIDO2 authentication.
  arXiv Detail & Related papers (2024-02-20T09:55:20Z)
- Leveraging Large Language Models to Improve REST API Testing [51.284096009803406]
  RESTGPT takes as input an API specification, extracts machine-interpretable rules, and generates example parameter values from natural-language descriptions in the specification. Our evaluations indicate that RESTGPT outperforms existing techniques in both rule extraction and value generation.
  arXiv Detail & Related papers (2023-12-01T19:53:23Z)
- Simple Transparent Adversarial Examples [65.65977217108659]
  We introduce secret embedding and transparent adversarial examples as a simpler way to evaluate robustness. As a result, they pose a serious threat where APIs are used for high-stakes applications.
  arXiv Detail & Related papers (2021-05-20T11:54:26Z)
This list is automatically generated from the titles and abstracts of the papers in this site.