
Seminar: Detection of Business Logical Vulnerabilities Attacks against REST APIs using Colored Petri Nets

  • Date and time: Tuesday 19 October, 12:00 to 13:00
  • Venue: DIIS seminar room, EINA
  • Title: Detection of Business Logical Vulnerabilities Attacks against REST APIs using Colored Petri Nets
  • Speaker: Ailton dos Santos
  • Abstract: Web APIs are becoming ubiquitous in applications that require some kind of communication between the client and the server. This increase in popularity, and the complexity of the applications that use them, have brought new security challenges, such as the appearance of attacks specific to web APIs and a larger attack surface for business logic vulnerabilities. Detecting logical vulnerabilities is challenging for security professionals because they are inherent to the application: they require context about the purpose of the system and its business rules (functionalities and execution flows, for example), which makes automated methods such as vulnerability scanners hard to apply. An example of this type of vulnerability is the top entry in the OWASP API Security Top 10, known as Broken Object Level Authorization. This work aims to provide an approach to detect attempts to exploit parameter manipulation and workflow vulnerabilities in REST APIs, based on modeling the expected behavior of the application (extracted from the API specifications in the OpenAPI standard), analyzing the data flow and control flow of requests and responses at execution time, and identifying deviations between observed and expected behavior.
  • Short bio: Ailton dos Santos is a Ph.D. student in Computer Science at the Federal University of Amazonas and holds an M.Sc. degree in Computer Science from the same institution. Currently, his research addresses the detection of malicious behaviors in Web APIs, mainly related to authorization flaws. Additionally, he acts as a senior cybersecurity engineer for a few Brazilian companies.

Photo: Fernando Tricas
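To make the abstract's approach concrete, the following is an added, simplified illustration written for this page; it is not the speaker's code and does not implement Colored Petri Nets. It models the expected behavior of a small order API with a constructed OpenAPI-style fragment, using a hypothetical `x-workflow` extension key to declare which order state each operation requires and which state it produces. At "execution time" it replays constructed request/response records, binds object identifiers returned in responses to the session that created them (data flow), tracks each object's workflow state (control flow), and reports deviations: an object accessed by a session that never received its identifier (an object-level authorization deviation), a workflow step executed out of order, and an identifier the API never issued. All path names, session names and identifiers are constructed for the example.

```python
"""Replay REST API traffic against a behavioral model derived from an
OpenAPI-style spec and report deviations. Constructed example: the spec,
the 'x-workflow' extension key, the sessions and the identifiers are all
assumptions made for this illustration, not part of any real project."""
import re
from dataclasses import dataclass, field

# Constructed mini-spec. 'x-workflow' is a hypothetical extension:
#   requires -> object states in which the operation is legitimate
#   produces -> object state after the operation succeeds
SPEC = {
    "paths": {
        "/orders": {"post": {"operationId": "createOrder",
                             "x-workflow": {"produces": "created"}}},
        "/orders/{orderId}": {"get": {"operationId": "getOrder",
                                      "x-workflow": {"requires": ["created", "paid", "shipped"]}}},
        "/orders/{orderId}/pay": {"post": {"operationId": "payOrder",
                                           "x-workflow": {"requires": ["created"], "produces": "paid"}}},
        "/orders/{orderId}/ship": {"post": {"operationId": "shipOrder",
                                            "x-workflow": {"requires": ["paid"], "produces": "shipped"}}},
    }
}

# Constructed traffic: (session, method, path, response body).
TRAFFIC = [
    ("sessA", "POST", "/orders", {"orderId": "1001"}),
    ("sessA", "POST", "/orders/1001/pay", {"status": "paid"}),
    ("sessA", "POST", "/orders/1001/ship", {"status": "shipped"}),
    ("sessB", "POST", "/orders", {"orderId": "1002"}),
    ("sessB", "GET", "/orders/1001", {"orderId": "1001"}),      # another session's object
    ("sessB", "POST", "/orders/1002/ship", {"status": "shipped"}),  # ship before pay
    ("sessB", "GET", "/orders/9999", {}),                          # identifier never issued
]


@dataclass
class Token:
    """One tracked object; owner and state play the role of a token's 'colour'."""
    owner: str
    state: str


@dataclass
class Detector:
    spec: dict
    tokens: dict = field(default_factory=dict)   # orderId -> Token
    routes: list = field(default_factory=list)   # (METHOD, regex, operation)

    def __post_init__(self):
        # Turn each path template into an anchored regex with named groups.
        for template, ops in self.spec["paths"].items():
            regex = re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")
            for method, op in ops.items():
                self.routes.append((method.upper(), regex, op))

    def match(self, method, path):
        for m, regex, op in self.routes:
            found = regex.match(path)
            if m == method and found:
                return op, found.groupdict()
        return None, {}

    def observe(self, session, method, path, response):
        """Check one request/response pair; return a list of (kind, detail)."""
        op, params = self.match(method, path)
        if op is None:
            return [("unknown_operation", f"{method} {path}")]
        wf = op.get("x-workflow", {})
        order_id = params.get("orderId")
        if order_id is None:
            # Creation: bind the identifier from the response to this session.
            if "orderId" in response and wf.get("produces"):
                self.tokens[response["orderId"]] = Token(session, wf["produces"])
            return []
        token = self.tokens.get(order_id)
        if token is None:
            return [("forged_identifier", order_id)]
        alerts = []
        if token.owner != session:
            alerts.append(("object_level_authorization", order_id))
        if token.state not in wf.get("requires", []):
            alerts.append(("workflow_violation", f"{wf.get('produces', op['operationId'])} after {token.state}"))
        if not alerts and wf.get("produces"):
            token.state = wf["produces"]   # advance control-flow state only on legitimate steps
        return alerts


def analyze(traffic, spec=SPEC):
    """Return [(record_index, kind, detail), ...] for every deviation observed."""
    detector = Detector(spec)
    findings = []
    for i, (session, method, path, response) in enumerate(traffic):
        for kind, detail in detector.observe(session, method, path, response):
            findings.append((i, kind, detail))
    return findings


if __name__ == "__main__":
    for finding in analyze(TRAFFIC):
        print(finding)
```

Running the block prints three findings: record 4 is flagged as an object-level authorization deviation (session B reads order 1001, which was issued to session A), record 5 as a workflow violation (shipping an order that is still in the `created` state), and record 6 as a forged identifier. The real approach described in the abstract derives the model from the full OpenAPI document and reasons over a Colored Petri Net; this table-driven checker only shows the shape of the data-flow and control-flow checks a detector of this kind performs.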