Mining REST APIs for Potential Mass Assignment Vulnerabilities

Arash Mazidi, Davide Corradini, Mohammad Ghafari
DOI: https://doi.org/10.1145/3661167.3661204
2024-05-04
Abstract: REST APIs have a pivotal role in accessing protected resources. Despite the availability of security testing tools, mass assignment vulnerabilities are common in REST APIs, leading to unauthorized manipulation of sensitive data. We propose a lightweight approach to mine the REST API specifications and identify operations and attributes that are prone to mass assignment. We conducted a preliminary study on 100 APIs and found 25 prone to this vulnerability. We confirmed nine real vulnerable operations in six APIs.
Cryptography and Security
What problem does this paper attempt to address?
The problem this paper addresses is the mass assignment vulnerability in REST APIs. The authors point out that, although security testing tools are available, mass assignment vulnerabilities still prevail in REST APIs and can lead to unauthorized data manipulation. They therefore propose a lightweight method that mines REST API specifications to identify operations and properties prone to mass assignment.

### Core Problems of the Paper

1. **Definition of Mass Assignment Vulnerability**: A mass assignment vulnerability occurs when a REST API allows unintended modification of properties, resulting in unauthorized operations on sensitive data. It is usually caused by improper configuration of widely used REST API frameworks, which automatically bind input data fields to internal data representations (such as database columns).
2. **Limitations of Existing Tools**: Existing tools such as Akto and RestTestGen mainly test running APIs and lack support for discovering mass assignment vulnerabilities early in development.
3. **Solution**: The authors propose a tool named LightMass, which identifies potential mass assignment vulnerabilities by parsing API specification files. LightMass does not depend on a running API and can be used as soon as the API specification is fixed, helping developers attend to potential security issues as early as possible.

### Specific Methods

The workflow of LightMass is as follows:

- **Parsing API Specifications**: Parse OpenAPI specification files and extract all endpoints, operations, and properties.
- **Identifying Similar Operations**: Identify similar operations based on shared properties. Property names are normalized with the Porter stemming algorithm, and the Jaccard coefficient measures the similarity between operations.
- **Detecting Read-Only Properties**: Compare the properties read by GET operations with those written by POST/PUT/PATCH operations. When the GET operation returns more properties than the write operation accepts, the additional properties are considered read-only and become candidates for mass assignment vulnerabilities.

### Experimental Results

The authors conducted a preliminary study on 100 APIs, found 25 that may have mass assignment vulnerabilities, and confirmed 9 actual vulnerable operations in 6 APIs.

### Conclusions

LightMass can help developers identify potential mass assignment vulnerabilities early in API development and reduce security risk. It can also be combined with existing tools (such as Akto) for more comprehensive automated testing.

### Formula Representation

The formula used in the paper is the Jaccard similarity coefficient, which measures the similarity between two operations:

\[ J_{\text{acc}}(OP, GET) = \frac{|OP.\text{REQ} \cap GET.\text{RES}|}{|OP.\text{REQ} \cup GET.\text{RES}|} \]

where:

- \( OP.\text{REQ} \) is the set of properties in the request body of a POST, PUT, or PATCH operation.
- \( GET.\text{RES} \) is the set of properties in the response body of a GET operation.

By computing this similarity, LightMass can identify potential mass assignment vulnerabilities.
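The following is an added example illustrating the workflow and the Jaccard formula above; it is not LightMass's own code. It walks a constructed OpenAPI fragment (the `User`/`NewUser` schemas and `/users` paths are invented), pairs each POST/PUT/PATCH operation with its most similar GET by Jaccard similarity, and reports `GET.RES - OP.REQ` as read-only candidates; the `stem` function and the `threshold` cut-off are simplifying assumptions standing in for the Porter stemmer and whatever cut-off the tool uses.

```python
def stem(name):  # simplified stand-in (assumption) for the Porter stemmer LightMass uses
    n = name.lower().replace("_", "")
    suf = next((s for s in ("ing", "ed", "s") if n.endswith(s) and len(n) > len(s) + 2), "")
    return n[:len(n) - len(suf)]

def props(spec, schema):
    """Stemmed property names of a schema, following a local $ref if present."""
    while "$ref" in schema:
        schema = spec["components"]["schemas"][schema["$ref"].rsplit("/", 1)[1]]
    return {stem(p) for p in schema.get("properties", {})}

def extract(spec):  # -> writes [(METHOD, path, OP.REQ)], gets [("GET", path, GET.RES)]
    writes, gets = [], []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method in ("post", "put", "patch"):
                body = op["requestBody"]["content"]["application/json"]["schema"]
                writes.append((method.upper(), path, props(spec, body)))
            elif method == "get":
                resp = op["responses"]["200"]["content"]["application/json"]["schema"]
                gets.append(("GET", path, props(spec, resp)))
    return writes, gets

def jaccard(a, b):  # |A ∩ B| / |A ∪ B| over two property sets
    return len(a & b) / len(a | b) if a | b else 0.0

def find_candidates(spec, threshold=0.2):
    """Pair each write op with its most similar GET (threshold is an assumed cut-off)
    and report GET.RES - OP.REQ: fields the API exposes but never accepts (read-only)."""
    writes, gets = extract(spec)
    found = {}
    for method, path, req in writes:
        best = max(gets, key=lambda g: jaccard(req, g[2]), default=None)
        if best and jaccard(req, best[2]) >= threshold:
            found[f"{method} {path}"] = (best[1], sorted(best[2] - req))
    return found

def json_body(schema):  # OpenAPI media-type wrapper used by the constructed sample
    return {"content": {"application/json": {"schema": schema}}}

def obj(*names):  # minimal object schema with the given property names
    return {"properties": dict.fromkeys(names, {})}

SPEC = {  # constructed OpenAPI fragment (not a real API)
    "components": {"schemas": {"User": obj("id", "username", "email", "role", "balance", "createdAt"),
                               "NewUser": obj("username", "email", "password")}},
    "paths": {"/users": {"post": {"requestBody": json_body({"$ref": "#/components/schemas/NewUser"})}},
              "/users/{id}": {"get": {"responses": {"200": json_body({"$ref": "#/components/schemas/User"})}},
                              "put": {"requestBody": json_body(obj("username", "email"))}}}}
```

`find_candidates(SPEC)` flags `id`, `role`, `balance` and `createdAt` for both write operations: the fields a reviewer should confirm the server really ignores when they appear in a request body.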