1. A Black Box Tool for Robustness Testing of REST Services
- Author
-
João Agnelo, Nuno Laranjeiro, and Jorge Bernardino
- Subjects
General Computer Science ,SOAP ,computer.internet_protocol ,Computer science ,media_common.quotation_subject ,0211 other engineering and technologies ,Vulnerability ,Robustness testing ,RESTful ,02 engineering and technology ,Computer security ,computer.software_genre ,Software ,Robustness (computer science) ,Server ,0202 electrical engineering, electronic engineering, information engineering ,General Materials Science ,robustness testing ,media_common ,Black box (phreaking) ,Service (business) ,web API ,Service system ,021103 operations research ,business.industry ,REST ,General Engineering ,020207 software engineering ,web services ,lcsh:Electrical engineering. Electronics. Nuclear engineering ,business ,computer ,lcsh:TK1-9971 ,Reputation - Abstract
REST services are nowadays being used to support many businesses, with most major companies exposing their services via REST interfaces (e.g., Google, Amazon, Instagram, and Slack). In this type of scenarios, heterogeneity is prevalent and software is sometimes exposed to unexpected conditions that may activate residual bugs, leading service operations to fail. Such failures may lead to financial or reputation losses (e.g., information disclosure). Although techniques and tools for assessing robustness have been thoroughly studied and applied to a large diversity of domains, REST services still lack practical approaches that specialize in robustness evaluation. In this paper, we present a tool (named bBOXRT) for performing robustness tests over REST services, solely based on minimal information expressed in their interface descriptions. We used bBOXRT to evaluate an heterogeneous set of 52 REST services that comprise 1,351 operations and fit in distinct categories (e.g., public, private, in-house). We were able to disclose several different types of robustness problems, including issues in services with strong reliability requirements and also a few security vulnerabilities. The results show that REST services are being deployed preserving software defects that harm service integration, and also carrying security vulnerabilities that can be exploited by malicious users.
- Published
- 2021