Please use this identifier to cite or link to this item: https://hdl.handle.net/10356/153246
Title: Automatic website pentesting with domain knowledge
Authors: Peng, Luocheng
Keywords: Engineering::Computer science and engineering::Software::Software engineering
Issue Date: 2021
Publisher: Nanyang Technological University
Source: Peng, L. (2021). Automatic website pentesting with domain knowledge. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/153246
Abstract: Representational State Transfer (RESTful) API is one of the most popular specifications used by most systems nowadays. With the help of such a specification, back-end systems can easily be treated as individual services rather than as a single heavyweight software solution. API fuzzers have emerged to improve the security of RESTful web services. API fuzzing tools are black-box testing tools that can automatically analyze the APIs of a system and check for potential bugs and even vulnerabilities. Most API fuzzing tools need OpenAPI specification documents as input, but some systems provide no such documentation. To solve this problem, the Passive Proxy API Processor (PPAP) was developed to automatically generate OpenAPI specification documents based on user interaction with target systems. However, this paper proposes only a demo version of PPAP. Several points remain to be improved, including support for different content negotiation types and support for active proxy functions.
URI: https://hdl.handle.net/10356/153246
Schools: School of Computer Science and Engineering 
Fulltext Permission: restricted
Fulltext Availability: With Fulltext
Appears in Collections: SCSE Student Reports (FYP/IA/PA/PI)

Files in This Item:
File: FYP_FinalReport_PengLuocheng.pdf (Restricted Access)
Size: 1.06 MB
Format: Adobe PDF

Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.