
Research On Key Technologies Of Fuzz Testing For RESTful API Interfaces

Posted on: 2020-05-08
Degree: Master
Type: Thesis
Country: China
Candidate: H F Yu
Full Text: PDF
GTID: 2428330611454949
Subject: Electronic and communication engineering

Abstract/Summary:
With the continuous development of information technology, Internet and software products are increasingly moving toward an open and shared model. According to World Bank statistics, more than 100 countries and 250 governments, as well as international organizations such as the United Nations and the World Bank, have implemented Open Data Initiative plans. Obtaining information through application programming interfaces (APIs) has become one of the most important ways for consumers to obtain data. Interface fuzzing is one of the main means of interface security testing. However, interface fuzzing has problems such as an excessively large number of test cases and low coverage effectiveness for the intended uses. To address these problems, this paper proposes and implements a RESTful API fuzzing system combined with a network management system. Automatic test case generation and fuzz attack point location improve both the effectiveness and the efficiency of interface fuzz testing. The main contents are as follows.

Firstly, an automatic test case generation method based on the interface definition description is proposed. By analyzing the key features of the interface definition description file, this method constructs a set of mapping relations between the interface definition description and the RESTful API resource representation, and an implementation based on the OpenAPI specification is also given. Because this method works from the interface definition, it improves the completeness of test case coverage compared with the traditional fuzz message reversal method.

Secondly, a fast fuzz positioning method based on pre-screening is proposed. This method obtains the definition domain and response set of the interface parameters by analyzing the key fields of the API interface definition description. Guided by vulnerability library guidelines, the fragile fields are changed within the valid definition domain and near the definition boundary to generate abnormal test cases. This method greatly improves the effectiveness of malformed test cases.

Then, a depth traversal method is proposed. Through joint analysis of a set of RESTful interface definitions, the state transition relationships of the resource information described by the interfaces are obtained. According to the state transition process of the resource information, the test sequences needed for interface fuzz testing are generated. The test sequences generated by this method can deeply traverse the resource state transitions of a RESTful interface and achieve high test coverage.

Finally, the RESTful API fuzz testing system is used to fuzz test the interfaces of a software system under development. Compared with the traditional interface fuzz tool, the effectiveness of this tool is improved at the same test case scale, and multiple interface security problems are found.
Keywords/Search Tags: Software vulnerabilities, API interface, RESTful API, Fuzz testing
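
The pre-screening idea in the abstract (read each parameter's definition domain from the interface description, then generate values inside it and just past its boundary) can be sketched as follows. This is an added example, not code from the thesis: the OpenAPI fragment is constructed, and the function names and mutation rules are assumptions, since the abstract does not give the thesis's own rules.

```python
# Added illustration; not the thesis's implementation. OPERATION is a
# constructed OpenAPI 3 fragment and the mutation rules are assumptions.
OPERATION = {
    "parameters": [
        {"name": "limit", "in": "query",
         "schema": {"type": "integer", "minimum": 1, "maximum": 100}},
        {"name": "status", "in": "query",
         "schema": {"type": "string", "enum": ["open", "closed"]}},
        {"name": "name", "in": "query",
         "schema": {"type": "string", "minLength": 1, "maxLength": 8}},
    ]
}


def boundary_cases(schema):
    """Return (value, expected_valid) pairs at and just outside the domain."""
    cases = []
    kind = schema.get("type")
    if "enum" in schema:
        # Every declared member is valid; one undeclared member is not.
        cases += [(v, True) for v in schema["enum"]]
        if "__undeclared__" not in schema["enum"]:
            cases.append(("__undeclared__", False))
    elif kind == "integer":
        # Inclusive bounds only; exclusiveMinimum/Maximum are not handled.
        lo, hi = schema.get("minimum"), schema.get("maximum")
        if lo is not None:
            cases += [(lo, True), (lo - 1, False)]
        if hi is not None:
            cases += [(hi, True), (hi + 1, False)]
        cases.append(("not-a-number", False))  # type violation
    elif kind == "string":
        lo, hi = schema.get("minLength", 0), schema.get("maxLength")
        cases.append(("a" * lo, True))
        if lo > 0:
            cases.append(("a" * (lo - 1), False))
        if hi is not None:
            cases += [("a" * hi, True), ("a" * (hi + 1), False)]
    return cases


def generate(operation):
    """Map each declared parameter name to its boundary test cases."""
    return {p["name"]: boundary_cases(p.get("schema", {}))
            for p in operation.get("parameters", [])}
```

The `expected_valid` flag serves as the test oracle: an endpoint that accepts a value marked `False` is missing a validation that its own definition promises.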