Analyzing OpenAPI Specifications for Security Design Issues

Abstract

Modern web and mobile applications rely on an ever increasing set of services defined by their respective API (Application Programming Interface) specifications. The complexity of today’s APIs, in terms of scale and inter-dependency, poses a challenge for security analyses as it requires much manual effort to conduct a check for design flaws. In this work, we leverage the standardized OpenAPI specification as input and propose a semi-automatic approach to infer various key information about that API specification’s security issues. Our case study based on the OpenAPI specification of the Open Bank Project (consisting of 304 API calls and 402 data fields) shows that our approach can: 1) identify sensitive and insensitive data fields, 2) identify insecure or high-risk API calls that may leak sensitive data, and 3) calculate the exposure level of each data field and API call. In particular, we identified 31 sensitive data fields, 29 insufficiently protected API calls that access a subset of those sensitive data, and 34 high-risk API calls that may result in sensitive data exposure. Furthermore, our exposure level calculation shows that transactions-related fields generally have higher exposure level, hence requiring more scrutiny.