Santos Filho, Ailton; Rodríguez, Ricardo J.; Feitosa, Eduardo L.
Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored Petri nets transformation Journal Article
In: International Journal of Information Security, vol. 24, no. 2, pp. 83, 2025, ISSN: 1615-5270.
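@article{SantosFilhoRF-IJIS-25,
  title         = {Automated Broken Object-Level Authorization Attack Detection in {REST} {APIs} through {OpenAPI} to Colored {Petri} Nets Transformation},
  author        = {Santos Filho, Ailton and Rodríguez, Ricardo J. and Feitosa, Eduardo L.},
  url           = {https://webdiis.unizar.es/~ricardo/files/papers/SantosFilhoRF-IJIS-25.pdf},
  doi           = {10.1007/s10207-024-00970-5},
  issn          = {1615-5270},
  year          = {2025},
  date          = {2025-02-01},
  journal       = {International Journal of Information Security},
  volume        = {24},
  number        = {2},
  pages         = {83},
  abstract      = {The representational state transfer architectural style (REST) specifies a set of rules for creating web services. In REST, data and functionality are considered resources, accessed, and manipulated using a uniform, well-defined set of rules. RESTful web services are web services that follow the REST architectural style and are exposed to the Internet using RESTful APIs. Most of them are described by OpenAPI, a standard language-independent interface for RESTful APIs. RESTful APIs are continuously available on the Internet and are therefore a common target for cyberattacks. To prevent vulnerabilities and reduce risks in web systems, there are several security guidelines available, such as those provided by the Open Web Application Security Project (OWASP) foundation. A common vulnerability in web services is broken object level authorization (BOLA), which allows an attacker to modify or delete data or perform actions intended only for authorized users. For example, an attacker can change an order status, delete a user account, or add unauthorized data to the server. In this paper, we propose a transformation from OpenAPI to Petri nets, which enables formal modeling and analysis of REST APIs using existing Petri net analysis techniques to detect potential security risks directly from the analysis of web server logs. In addition, we also provide a tool, named Links2CPN, which automatically performs model transformation (taking the OpenAPI specification as input) and BOLA attack detection by analyzing web server execution traces. We apply it to a case study of a vulnerable web application to demonstrate its applicability. Our results show that it is capable of detecting BOLA attacks with an accuracy greater than 95\% in the proposed scenarios.},
  keywords      = {Broken access control, Colored Petri nets, OpenAPI, RESTful web services, Security analysis, vulnerabilities, Web application security},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {First author entered as compound surname "Santos Filho" (matches the citation key); confirm against the published version. Ignored by BibTeX/Biber.},
}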
Hernández-Bejarano, Miguel; Rodríguez, Ricardo J.; Merseguer, José
A Vision for Improving Business Continuity through Cyber-resilience Mechanisms and Frameworks Proceedings Article
In: Proceedings of the 16th Iberian Conference on Information Systems and Technologies (CISTI), pp. 1–5, 2021.
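@inproceedings{HRM-CISTI-21,
  title     = {A Vision for Improving Business Continuity through Cyber-resilience Mechanisms and Frameworks},
  author    = {Hernández-Bejarano, Miguel and Rodríguez, Ricardo J. and Merseguer, José},
  url       = {https://webdiis.unizar.es/~ricardo/files/papers/HRM-CISTI-21.pdf},
  doi       = {10.23919/CISTI52073.2021.9476324},
  year      = {2021},
  date      = {2021-01-01},
  booktitle = {Proceedings of the 16th Iberian Conference on Information Systems and Technologies ({CISTI})},
  pages     = {1--5},
  abstract  = {Nowadays, business organizations support daily operations using Information and Communication Technologies. They serve as a basis to have a controlled management of resources, services and business goals, aligned with the mission of the organization. In this paper, we review standards and frameworks for achieving cyber-resilience in organizations, such as the NIST framework, ENISA, or international standards as the ISO/IEC 27032. We then envision the need of a new cyber-resilience framework that leveraging machine learning techniques contributes to improve business continuity.},
  keywords  = {cyber-attacks, cybersecurity, menaces, resilience, vulnerabilities},
  pubstate  = {published},
  tppubtype = {inproceedings},
}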