cloudApi

The document discusses the security properties of cloud service REST APIs, highlighting the rapid growth of cloud platforms and the importance of REST APIs for accessing services. It introduces four security rules for REST APIs and describes a stateful REST API fuzzer that detects violations of these rules, revealing bugs in Azure and Office365 services. The conclusion emphasizes the effectiveness of the fuzzing approach in identifying and fixing security issues, with future scope suggesting the use of AI for automated vulnerability detection and threat modeling.

TITLE :-

Checking security properties of cloud service REST APIs

PRESENTED BY:
B.Pavani : 22BT1A0524
E.Sharika :22BT1A0532
B.Vijay kumar: 22BT1A0526
Ch.Masthan : 22BT1A0527
Introduction :-

Cloud Computing & REST APIs


• Rapid growth: Cloud platforms like AWS and Azure have rapidly expanded, offering
thousands of services.
• API-based access: Most cloud services are accessed via REST APIs over HTTP/S.
• Standard operations: REST APIs use standard methods: PUT/POST (create/manage),
GET (monitor), DELETE (remove).
• API documentation: OpenAPI (formerly Swagger) is widely used to describe REST APIs
and auto-generate client code.
Contents :-
▪ Abstract
▪ Existing
▪ Proposed
▪ Software requirements
▪ Hardware requirements
▪ Modules
▪ Diagrams
▪ Code for one module (one slide)
▪ Execution slides
▪ Conclusion
▪ Future scope
Abstract :-

▪ Most modern cloud and web services are programmatically accessed through REST APIs.

▪ We introduce four security rules that capture desirable properties of REST APIs and services.

▪ We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules.

▪ Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discussed their security implications.


Existing :-

1. Swagger-Based REST API Scanning (Qualys WAS):

▪ Qualys WAS supports scanning REST APIs using Swagger specs.

▪ The Swagger version 2.0 (JSON format) file must be accessible to the scanning service.

2. Enhanced API Scanning with Postman Support:

▪ Postman is a popular tool for functional testing of REST APIs.

▪ Postman Collections group related API endpoints and can be shared/exported in JSON format.
Proposed :-

▪ REST APIs are built on top of the HTTP/S protocol.

They provide a standard way to:
▪ Monitor resources using GET.
▪ Create resources using PUT/POST.
▪ Manage resources using PUT/POST/PATCH.
▪ Delete resources using DELETE.
Software Requirements :-

▪ Operating system : Windows 7
▪ Coding language : Python
▪ Tools : PyCharm, Visual Studio Code
▪ Database : MySQL
Hardware Requirements :-

▪ System : Pentium Dual Core
▪ Hard disk : 500 GB
▪ Monitor : 15" LED
▪ Input devices : Keyboard, Mouse
▪ RAM : 1 GB
Modules:
User Authorization in Cloud:-
▪ Defines access rights of cloud users to system resources.
▪ A volume can be created only if:
  ▪ the user is authorized, and
  ▪ the user has not exceeded their volume quota.
Cloud Monitors and Development:-
▪ Cloud monitors use contracts to automatically verify system implementation.
▪ Cloud developer uses IaaS to build a private cloud for internal users.
REST API Principles :-
▪ REST = REpresentational State Transfer (an architectural style).
▪ Separates UI from data storage for better scalability and portability.
▪ Stateless: Each request must contain all required info.
Diagram :-
Flowchart :-
Algorithm :-
Steps:
1. Parse API_Spec to extract all endpoints, methods, and parameters.
2. For each endpoint E and operation O in the API:
   a. Test Authentication:
      i. Call E without Auth_Credentials → Expect 401 Unauthorized.
      ii. Call E with invalid credentials → Expect 401 Unauthorized.
   b. Test Authorization (User-Namespace Rule):
      i. User A creates a resource R via E.
      ii. User B attempts access to R via E → Expect 403 Forbidden or 404 Not Found.
   c. Test Use-After-Free:
      i. User A creates and deletes resource R.
      ii. Access R again → Expect 404 Not Found.
3. Record any responses that violate expected behavior as potential security issues.
4. Report violations categorized by rule (e.g., Use-After-Free, Namespace Leak).
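The algorithm above, together with the volume-quota rule from the Modules slide, as a runnable example. This is an added illustration, not code from the presentation or from the RESTler project: the in-memory VolumeService, its two bug switches, the token names (tokA/tokB), the QUOTA value and the /volumes/{id} endpoint are all constructed here so that the checkers can be exercised offline. Each checker returns a list of violations instead of printing, so a correct service yields an empty report and a service with a planted bug yields a report keyed by the rule that was broken.

```python
from dataclasses import dataclass, field

QUOTA = 2  # constructed value: maximum volumes one user may own


@dataclass
class VolumeService:
    """Stand-in for a cloud service exposing PUT/GET/DELETE on /volumes/{id}.

    The two *_bug flags plant the defects the checkers are meant to catch;
    a real target would be an HTTP endpoint reached through a client library.
    """
    valid_tokens: dict = field(default_factory=lambda: {"tokA": "alice", "tokB": "bob"})
    volumes: dict = field(default_factory=dict)   # volume id -> owning user
    deleted: set = field(default_factory=set)     # ids that have been DELETEd
    use_after_free_bug: bool = False              # deleted ids stay readable
    namespace_bug: bool = False                   # any user can read any volume

    def request(self, method, path, token=None):
        """Return an HTTP-style status code for one (method, path, token) call."""
        user = self.valid_tokens.get(token)
        if user is None:
            return 401                             # missing or invalid credentials
        parts = path.strip("/").split("/")
        if parts[0] != "volumes" or len(parts) != 2:
            return 404
        vid = parts[1]
        if method == "PUT":
            owned = sum(1 for owner in self.volumes.values() if owner == user)
            if owned >= QUOTA:
                return 403                         # authorized, but over quota
            self.volumes[vid] = user
            self.deleted.discard(vid)
            return 201
        if method in ("GET", "DELETE"):
            if vid in self.deleted and self.use_after_free_bug:
                return 200                         # planted bug: ghost resource
            owner = self.volumes.get(vid)
            if owner is None:
                return 404
            if owner != user and not self.namespace_bug:
                return 404                         # other users' volumes are hidden
            if method == "DELETE":
                del self.volumes[vid]
                self.deleted.add(vid)
                return 204
            return 200
        return 404


def check_authentication(svc, path):
    """Step 2a: calls with no or invalid credentials must get 401."""
    violations = []
    for tok in (None, "not-a-real-token"):
        status = svc.request("GET", path, tok)
        if status != 401:
            violations.append(("authentication", path, tok, status))
    return violations


def check_namespace(svc, path):
    """Step 2b: user B must not be able to read a resource user A created."""
    svc.request("PUT", path, "tokA")
    status = svc.request("GET", path, "tokB")
    return [] if status in (403, 404) else [("namespace", path, "tokB", status)]


def check_use_after_free(svc, path):
    """Step 2c: a resource must be unreachable after its owner deletes it."""
    svc.request("PUT", path, "tokA")
    svc.request("DELETE", path, "tokA")
    status = svc.request("GET", path, "tokA")
    return [] if status == 404 else [("use-after-free", path, "tokA", status)]


def check_quota(svc, prefix="/volumes/q"):
    """Modules slide: creation succeeds only while the user is under quota."""
    statuses = [svc.request("PUT", f"{prefix}{i}", "tokB") for i in range(QUOTA + 1)]
    if statuses[:QUOTA] != [201] * QUOTA or statuses[QUOTA] != 403:
        return [("quota", prefix, "tokB", statuses)]
    return []


def run_checkers(svc):
    """Steps 3-4: collect violations and group them by the rule they break."""
    report = {}
    for v in (check_authentication(svc, "/volumes/v1")
              + check_namespace(svc, "/volumes/v2")
              + check_use_after_free(svc, "/volumes/v3")
              + check_quota(svc)):
        report.setdefault(v[0], []).append(v[1:])
    return report


if __name__ == "__main__":
    print("clean service:", run_checkers(VolumeService()))
    print("use-after-free bug:", run_checkers(VolumeService(use_after_free_bug=True)))
    print("namespace bug:", run_checkers(VolumeService(namespace_bug=True)))
```

Each checker creates its own resource ids so the checks do not interfere with one another; against a real service the same sequences would be issued as HTTP requests and the status codes compared in the same way.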
Module code :-
from django.shortcuts import render
from django.contrib import messages
from user.models import CloudUsersModel


def adminlogin(request):
    # Render the admin login form.
    return render(request, 'adminlogin.html')


def adminlogincheck(request):
    if request.method == "POST":
        usid = request.POST.get('name')
        pswd = request.POST.get('password')
        print("User ID is = ", usid)
        # Fixed admin credentials as in the original module; a deployment
        # should replace this with Django's authentication framework.
        if usid == 'admin' and pswd == 'admin':
            request.session['role'] = 'admin'
            return render(request, 'admin/adminhome.html')
        messages.error(request, 'Invalid admin credentials')
    # A Django view must always return a response, so fall back to the login page.
    return render(request, 'adminlogin.html')


def adminactivateusers(request):
    # List every registered cloud user so the admin can activate accounts.
    users = CloudUsersModel.objects.all()
    return render(request, 'admin/activateuser.html', {'objects': users})
Login page :-
Conclusion :-

▪ Introduced four security rules for REST APIs and services.

▪ Extended a stateful REST API fuzzer with active property checkers to detect rule violations automatically.

▪ All bugs were reported and fixed by the service owners.

▪ Bugs are treated seriously due to their potential security impact.

▪ The fuzzing approach achieved a near 100% bug “fixed/found” ratio.


Future Scope :-

▪ Automated Vulnerability Detection: AI analyzes API traffic to detect patterns and anomalies indicating security issues (devcom.com).

▪ Threat Modeling: AI simulates attacks to assess the potential impact of vulnerabilities (devcom.com).

▪ AI-Driven Fuzz Testing: AI generates targeted inputs to uncover hidden vulnerabilities (jespublication.com).
