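% Microsoft technical report MSR-TR-2019-1 on active property checkers for a
% stateful REST API fuzzer; per the note field, a revised version appeared at
% ICST 2020.
%
% NOTE(review): the url field points at approjects.co.za over plain http, a
% host that does not obviously belong to the institution named in this entry.
% Confirm the canonical publisher link (and prefer https) before following or
% redistributing it. The value is left exactly as found.
@techreport{atlidakis2019checking,
  author      = {Atlidakis, Vaggelis and Godefroid, Patrice and Polishchuk, Marina},
  title       = {Checking Security Properties of Cloud Services {REST} {APIs}},
  institution = {Microsoft},
  number      = {MSR-TR-2019-1},
  year        = {2019},
  month       = feb,
  note        = {Revised version published in ICST'2020, March 2020.},
  url         = {http://approjects.co.za/?big=en-us/research/publication/checking-security-properties-of-cloud-services-rest-apis/},
  abstract    = {Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers efficiently and in a modular way. Thanks to these checkers, we found new bugs in several deployed production Azure and Office-365 cloud services, and we discuss their security implications.},
}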