Research on REST API Design Security Testing

doi:10.3969/j.issn.1671-1122.2025.08.011

Abstract

Abstract:

In the process of REST API design and development, adhering to REST principles, best practices, and other specifications is paramount to ensure the consistency, usability, and security of REST API services. Addressing the issue of inadequate security measures and semantic-level detection mechanisms in REST API design detection, this article introduced the RADSD framework. RADSD was specifically designed to detect security flaws in API designs across various structural levels. Initially, a comprehensive multi-level REST API security design specification library was established by amassing and organizing relevant REST API guidance specifications, augmented by empirical research. Subsequently, tailored detection algorithms were devised for each specification requirement within this library. The integration of large language models into REST API design detection enabled diverse detection methods for both API design syntax and semantics. Experimental results demonstrate that the RADSD framework effectively conducts multi-level detection of real-world REST APIs, pinpointing design security issues, and generating detailed detection reports with an average accuracy rate of 97.1%.

Key words: REST API security, design specification, pattern matching, large language model

CLC Number:

TP309

ZHANG Yanyi, RUAN Shuhua, ZHENG Tao. Research on REST API Design Security Testing[J]. Netinfo Security, 2025, 25(8): 1313-1325.

Figures/Tables 15

References 34

[1]	FIELDING R T. Architectural Styles and the Design of Network-Based Software Architectures[M]. Irvine: University of California, 2000.
[2]	HIGGINBOTHAM J. Principles of Web API Design: Delivering Value with APIs and Microservices[M]. Boston: Addison-Wesley Professional, 2021.
[3]	ZHOU Xinyu, CHEN Wei, WU Guoquan, et al. REST API Design Analysis and Empirical Study[J]. Journal of Software, 2022, 33(9): 3271-3296.
	周芯宇, 陈伟, 吴国全, 等. REST API 设计分析及实证研究[J]. 软件学报, 2022, 33(9): 3271-3296.
[4]	RAUTENSTRAUCH J, STOCK B. Who's Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact[C]// ASIA-CCS. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security. New York: ACM, 2024: 843-855.
[5]	BOGNER J, KOTSTEIN S, PFAFF T. Do RESTful API Design Rules Have an Impact on the Understandability of Web APIs?[J]. Empirical Software Engineering, 2023, 28(6): 132-167.
[6]	OpenAPI Initiative. OpenAPI Specification[EB/OL]. (2021-02-15)[2024-10-14]. https://www.openapis.org.
[7]	GORSKI P L, MÖLLER S, WIEFLING S, et al. “I Just Looked for the Solution!” On Integrating Security-Relevant Information in Non-Security API Documentation to Support Secure Coding Practices[J]. IEEE Transactions on Software Engineering, 2021, 48(9): 3467-3484.
[8]	EHSAN A, ABUHALIQA M A M E, CATAL C, et al. RESTful API Testing Methodologies: Rationale, Challenges, and Solution Directions[J]. Applied Sciences, 2022, 12(9): 4369-4385.
[9]	GOLMOHAMMADI A, ZHANG Man, ARCURI A. Testing Restful APIs: A Survey[J]. ACM Transactions on Software Engineering and Methodology, 2023, 33(1): 1-41.
[10]	PATNAIK N, DWYER A, HALLETT J, et al. SLR: From Saltzer and Schroeder to 2021… 47 Years of Research on the Development and Validation of Security API Recommendations[J]. ACM Transactions on Software Engineering and Methodology, 2023, 32(3): 1-31.
[11]	ZHANG Man, ARCURI A. Open Problems in Fuzzing Restful APIs: A Comparison of Tools[J]. ACM Transactions on Software Engineering and Methodology, 2023, 32(6): 1-45.
[12]	ALONSO J C, MARTIN-LOPEZ A, SEGURA S, et al. ARTE: Automated Generation of Realistic Test Inputs for Web APIs[J]. IEEE Transactions on Software Engineering, 2022, 49(1): 348-363.
[13]	SWAGGER. API Development for Everyone[EB/OL]. [2024-10-14]. http://swagger.io/.
[14]	MANNING C D. Human Language Understanding & Reasoning[J]. Daedalus, 2022, 151(2): 127-138.
[15]	ZHAO Wayne Xin, ZHOU Kun, LI Junyi, et al. A Survey of Large Language Models[EB/OL]. (2023-12-24) [2024-10-14]. https://arxiv.org/abs/2303.18223.
[16]	LIU Yiheng, HAN Tianle, MA Siyuan, et al. Summary of Chatgpt-Related Research and Perspective towards the Future of Large Language Models[EB/OL]. (2023-08-18)[2024-10-14]. https://doi.org/10.1016/j.metrad.2023.100017.
[17]	OpenAI. ChatGPT[EB/OL]. [2024-10-14]. https://openai.com.
[18]	WEI J, WANG Xuezhi, SCHUURMANS D, et al. Chain-of-Thought Prompting Elicits Reasoning in Large Language Models[J]. Advances in Neural Information Processing Systems, 2022, 35: 24824-24837.
[19]	BROWN T, MANN B, RYDER N, et al. Language Models Are Few-Shot Learners[J]. Advances in Neural Information Processing Systems, 2020, 33: 1877-1901.
[20]	OWASP. OWASP Cheat Sheet Series[EB/OL]. [2024-10-14]. https://cheatsheetseries.owasp.org.
[21]	KOTSTEIN S, BOGNER J. Which Restful API Design Rules are Important and How Do they Improve Software Quality? A Delphi Study with Industry Experts[C]// Springer. Service-Oriented Computing:15th Symposium and Summer School. Heidelberg: Springer, 2021: 154-173.
[22]	MASSE M. REST API Design Rulebook[M]. Sebastopol: O'Reilly Media, Inc., 2011.
[23]	PALMA F, GONZALEZ-HUERTA J, MOHA N, et al. Are Restful APIs Well-Designed? Detection of Their Linguistic (Anti) Patterns[C]// Springer. Service-Oriented Computing:13th International Conference. Heidelberg: Springer, 2015: 171-187.
[24]	PETRILLO F, MERLE P, MOHA N, et al. Are REST APIs for Cloud Computing Well-Designed? An Exploratory Study[C]// Springer. Service-Oriented Computing:14th International Conference. Heidelberg: Springer, 2016: 157-170.
[25]	PALMA F, OLSSON T, WINGKVIST A, et al. Assessing the Linguistic Quality of REST APIs for IoT Applications[J]. Journal of Systems and Software, 2022, 191: 111369.
[26]	SUBRAMANIAN H, RAJ P. Hands-On RESTful API Design Patterns and Best Practices: Design, Develop, and Deploy Highly Adaptable, Scalable, and Secure RESTful Web APIs[M]. Birmingham: Packt Publishing Ltd., 2019.
[27]	GREEN M, SMITH M. Developers are not the Enemy: The Need for Usable Security APIs[J]. IEEE Security & Privacy, 2016, 14(5): 40-46.
[28]	BRABRA H, MTIBAA A, PETRILLO F, et al. On Semantic Detection of Cloud API (Anti) Patterns[J]. Information and Software Technology, 2019, 107: 65-82.
[29]	NSFocus. REST API Security Design Guide[EB/OL]. (2020-06-22)[2024-10-14]. https://www.infoq.cn/article/eyj8icgmp3j3pm9uf4y4.
	绿盟科技. REST API安全设计指南[EB/OL]. (2020-06-22)[2024-10-14]. https://www.infoq.cn/article/eyj8icgmp3j3pm9uf4y4.
[30]	OpenAI. OpenAPI Spec Validator[EB/OL]. (2023-10-13)[2024-10-14]. https://github.com/python-openapi/openapi-spec-validator/.
[31]	OpenAI. Completion-OpenAI API[EB/OL]. (2023-08-12)[2024-10-14]. https://beta.openai.com/docs/guides/completion/prompt-design.
[32]	KARAVISILEIOU A, MAINAS N, BOURAIMIS F, et al. Automated Ontology Instantiation of OpenAPI REST Service Descriptions[C]// SAI Conferences. Advances in Information and Communication:Proceedings of the 2021 Future of Information and Communication Conference (FICC). Heidelberg: Springer, 2021: 945-962.
[33]	GONCHAROV I. APIs.guru[EB/OL]. (2016-05-28)[2024-10-14]. https://apis.guru/.
[34]	FIELDING R, GETTYS J, MOGUL J, et al. Hypertext Transfer Protocol--HTTP/1.1[R]. Fremont: Internet Engineering Task Force (IETF), RFC 2616, 1999.

编号	规范描述	类别
U-1	URI中必须使用分隔符/表示层次关系^[21-24]	URI 安全
U-2	URI中不能包含尾随的斜杠(/)^[21-24]
U-3	URI中应该使用“-”而不是“_”作为连接符^[21-24]
U-4	URI路径应该使用小写字母^[21-24]
U-5	URI中不能包含文件扩展名^[21-24]
U-6	URI中不能出现CRUD方法名^[21-25]
P-1	查询参数中避免出现版本号^[21,23,25]	参数安全
P-2	查询参数中避免出现CRUD方法名^[21,23]
P-3	同一参数的类型定义不能发生冲突^[26]
P-4	敏感参数不能在URL上传播^[20,26]
P-5	参数默认值应该安全配置^[20,27]
H-1	对资源的操作必须遵循HTTP协议定义的标准方法^{[21,22,24,28]}	HTTP交互安全
H-2	自定义HTTP头不能用来改变HTTP方法的行为^[21,22]
H-3	GET和POST方法不能用于隧道其他请求方法^[21-24]
H-4	响应必须遵循HTTP协议定义的标准响应码及状态描述^{[21,22,24,28]}
H-5	401 (“Unauthorized”)响应在需要验证身份认证时必须使用^[21,22]
R-1	请求/响应消息头中必须包含“Content-Type”^[21,22,24]	HTTP消息安全
R-2	请求/响应消息表示应该支持JSON格式^[21,22,24]	HTTP消息安全
S-1	API应该正确配置身份认证/授权机制^{[20-22,24,26,29]}	安全方案
S-2	API应该正确配置安全传输协议^{[20-22,24,26,29]}
S-3	API应该正确配置HTTP安全头^{[20-22,24,26,29]}
L-1	自链接应该使用一致且正确的表单来表示	自链接安全
I-1	同一服务的API应该使用一致的子域名^[21,22]	服务管理安全
I-2	API信息中应该具有版本声明^[21,22]	服务管理安全

类别	示例
身份信息	姓名、身份证号码、护照号码、宗教等
操作信息	密码、密钥、令牌（token）、登录账号、登录密码等
位置信息	家庭住址、行踪轨迹、出行记录等
通信信息	电话号码、邮箱、社交账号、通信记录、消息历史、信息内容等
金融信息	银行、证券、基金、保险、公积金等账户的账号、收入明细等
健康信息	病症、体检报告等健康状况信息、医疗意见、住院日志等医疗就诊纪录等

API端点	方法	位置	参数名	参数类型	违反 S-1, S-2, S-3
/runPagespeed	all	query	oauth_token	Operation Information	T, T, F
/accounts/{account_id}/apps	get, post	path	account_id	Finance Information	F, T, F
/dealers/car	get	query	latitude longitude	Location Information	F, T, F

规范编号	准确率	召回率	规范编号	准确率	召回率	规范编号	准确率	召回率	规范编号	准确率	召回率
U-1	100%	100%	P-1	100%	100%	H-2	100%	100%	S-1	100%	100%
U-2	100%	100%	P-2	95%	96%	H-3	86%	84%	S-2	93%	92%
U-3	100%	100%	P-3	94%	82%	H-4	92%	93%	S-3	100%	100%
U-4	100%	100%	P-4	97%	98%	H-5	95%	98%	L-1	96%	97%
U-5	97%	98%	P-5	96%	96%	R-1	97%	88%	I-1	100%	100%
U-6	94%	97%	H-1	100%	100%	R-2	98%	92%	I-2	100%	100%

实验对象/API文档	RADSD		RADSD-NOGPT
实验对象/API文档	准确率	召回率	准确率	召回率
Gitea	98%	98%	64%	72%
Rubrik	96%	93%	69%	83%
Biolink	96%	97%	58%	79%
平均	96.7%	96.0%	63.7%	78.0%