{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T04:03:19Z","timestamp":1769745799168,"version":"3.49.0"},"reference-count":49,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T00:00:00Z","timestamp":1740096000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T00:00:00Z","timestamp":1740096000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100007041","name":"Universidad de Zaragoza","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100007041","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2025,4]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>The representational state transfer architectural style (REST) specifies a set of rules for creating web services. In REST, data and functionality are modelled as resources that are accessed and manipulated through a uniform, well-defined interface. RESTful web services are web services that follow the REST architectural style and are exposed to the Internet through RESTful APIs. Most of them are described by OpenAPI, a standard, language-independent interface description format for RESTful APIs. RESTful APIs are continuously reachable from the Internet and are therefore a common target for cyberattacks. To prevent vulnerabilities and reduce risks in web systems, several security guidelines are available, such as those provided by the Open Web Application Security Project (OWASP) foundation. 
A common vulnerability in web services is broken object level authorization (BOLA), which occurs when an endpoint receives an object identifier but fails to verify that the caller is authorized to access that particular object, allowing an attacker to modify or delete other users' data or perform actions intended only for authorized users. For example, an attacker can change the status of another customer's order, delete another user's account, or add unauthorized data to the server. In this paper, we propose a transformation from OpenAPI to Petri nets, which enables formal modeling and analysis of REST APIs using existing Petri net analysis techniques to detect potential security risks directly from the analysis of web server logs. In addition, we provide a tool, named , which automatically performs the model transformation (taking the OpenAPI specification as input) and BOLA attack detection by analyzing web server execution traces. We apply it to a case study of a vulnerable web application to demonstrate its applicability. Our results show that it is capable of detecting BOLA attacks with an accuracy greater than 95% in the proposed scenarios.\n<\/jats:p>","DOI":"10.1007\/s10207-024-00970-5","type":"journal-article","created":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T21:51:01Z","timestamp":1740174661000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation"],"prefix":"10.1007","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5523-5347","authenticated-orcid":false,"given":"Ailton","family":"Santos Filho","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7982-0359","authenticated-orcid":false,"given":"Ricardo J.","family":"Rodr\u00edguez","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6401-3992","authenticated-orcid":false,"given":"Eduardo 
L.","family":"Feitosa","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,2,21]]},"reference":[{"key":"970_CR1","doi-asserted-by":"crossref","first-page":"111","DOI":"10.1007\/978-3-642-19394-1_12","volume-title":"Service-Oriented Computing","author":"R Alarcon","year":"2011","unstructured":"Alarcon, R., Wilde, E., Bellido, J.: Hypermedia-driven RESTful service composition. In: Maximilien, E.M., Rossi, G., Yuan, S.T., Ludwig, H., Fantinato, M. (eds.) Service-Oriented Computing, pp. 111\u2013120. Springer, Heidelberg (2011)"},{"key":"970_CR2","unstructured":"Alowisheq, A., Millard, D.E., Tiropanis, T.: Resource oriented modelling: describing RESTful Web Services using collaboration diagrams. In: Proceedings of the International Conference on e-Business, IEEE, pp. 1\u20136 (2011)"},{"key":"970_CR3","doi-asserted-by":"crossref","unstructured":"Anumotu, S., Jha, K., Balhara, A., Chawla, P.: Security issues and vulnerabilities in web application. In: Kumar, R., Pattnaik, P.K., Tavares, J.M. (eds.) Next Generation of Internet of Things, Springer Nature Singapore, Singapore, pp. 103\u2013114 (2023)","DOI":"10.1007\/978-981-19-1412-6_9"},{"key":"970_CR4","doi-asserted-by":"publisher","unstructured":"Atlidakis, V., Godefroid, P., Polishchuk, M.: RESTler: Stateful REST API Fuzzing. In: 2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE), pp. 748\u2013758. https:\/\/doi.org\/10.1109\/ICSE.2019.00083 (2019)","DOI":"10.1109\/ICSE.2019.00083"},{"key":"970_CR5","unstructured":"Barabanov, A., Dergunov, D., Makrushin, D., Teplov, A.: Automatic detection of access control vulnerabilities via API specification processing. CoRR abs\/2201.10833, arXiv:2201.10833 (2022)"},{"key":"970_CR6","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99414-7","volume-title":"Conformance Checking","author":"J Carmona","year":"2018","unstructured":"Carmona, J., van Dongen, B., Solti, A., Weidlich, M.: Conformance Checking. 
Springer International Publishing, Berlin (2018). https:\/\/doi.org\/10.1007\/978-3-319-99414-7"},{"key":"970_CR7","first-page":"435","volume-title":"Analysis of Images","author":"JC Carrasquel","year":"2021","unstructured":"Carrasquel, J.C., Mecheraoui, K., Lomazova, I.A.: Checking Conformance Between Colored Petri Nets and Event Logs. In: van der Aalst, W.M.P., Batagelj, V., Ignatov, D.I., Khachay, M., Koltsova, O., Kutuzov, A., Kuznetsov, S.O., Lomazova, I.A., Loukachevitch, N., Napoli, A., Panchenko, A., Pardalos, P.M., Pelillo, M., Savchenko, A.V., Tutubalina, E. (eds.) Analysis of Images, pp. 435\u2013452. Social Networks and Texts, Springer International Publishing, Cham (2021)"},{"key":"970_CR8","unstructured":"Clay, J.: Recent cyberattacks increasingly target open-source Web Servers. https:\/\/www.trendmicro.com\/en_ae\/research\/22\/b\/recent-cyberattacks-open-source-web-servers.html. Accessed on February 23, 2023 (2022)"},{"key":"970_CR9","doi-asserted-by":"crossref","unstructured":"Collado, E.S., Castillo, P.A., Merelo\u00a0Guerv\u00f3s, J.J.: Using evolutionary algorithms for server hardening via the moving target defense technique. In: Castillo, P.A., Jim\u00e9nez\u00a0Laredo, J.L., Fern\u00e1ndez\u00a0de Vega, F. (eds.) Applications of Evolutionary Computation. Springer International Publishing, Cham, pp 670\u2013685 (2020)","DOI":"10.1007\/978-3-030-43722-0_43"},{"key":"970_CR10","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1007\/978-3-642-01364-5_5","volume-title":"Web Services and Formal Methods","author":"G Decker","year":"2009","unstructured":"Decker, G., L\u00fcders, A., Overdick, H., Schlichting, K., Weske, M.: RESTful Petri Net Execution. In: Bruni, R., Wolf, K. (eds.) Web Services and Formal Methods, pp. 73\u201387. Springer, Heidelberg (2009)"},{"key":"970_CR11","unstructured":"Deng, G., Zhang, Z., Li, Y., Liu, Y., Zhang, T., Liu, Y., Yu, G., Wang, D.: NAUTILUS: Automated RESTful API vulnerability detection. 
In: 32nd USENIX security symposium (USENIX Security 23), USENIX Association, Anaheim, CA, pp. 5593\u20135609. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/deng-gelei (2023)"},{"key":"970_CR12","unstructured":"Diogenes, Y., Ozkaya, E.: Cybersecurity \u2013 Attack and Defense Strategies, 2nd edn. Packt Publishing, Birmingham (2019)"},{"key":"970_CR13","unstructured":"Du, W., Li, J., Wang, Y., Chen, L., Zhao, R., Zhu, J., Han, Z., Wang, Y., Xue, Z.: Vulnerability-oriented testing for RESTful APIs. In: 33rd USENIX Security Symposium (USENIX Security 24), USENIX Association, Philadelphia, PA, pp. 739\u2013755, https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/du (2024)"},{"key":"970_CR14","doi-asserted-by":"publisher","unstructured":"Ed-douibi, H., C\u00e1novas\u00a0Izquierdo, J.L., Bordeleau, F., Cabot, J.: WAPIml: towards a modeling infrastructure for Web APIs. In: 2019 ACM\/IEEE 22nd International Conference on Model Driven Engineering Languages and Systems Companion (MODELS-C), pp. 748\u2013752. https:\/\/doi.org\/10.1109\/MODELS-C.2019.00116 (2019)","DOI":"10.1109\/MODELS-C.2019.00116"},{"key":"970_CR15","unstructured":"Emmons, T., McReynolds, S., Lauro, T., Kimhy, E.: Akamai web application and API threat report. https:\/\/www.akamai.com\/resources\/research-paper\/akamai-web-application-and-api-threat-report. Accessed on 23 Feb 2023 (2022)"},{"key":"970_CR16","doi-asserted-by":"crossref","unstructured":"Fielding, R., Reschke, J.: Hypertext Transfer Protocol (HTTP\/1.1): Semantics and Content. [Online; https:\/\/www.rfc-editor.org\/rfc\/rfc7231]. Accessed 23 Feb 2023 (2014)","DOI":"10.17487\/rfc7231"},{"key":"970_CR17","unstructured":"Fielding, R.T.: Architectural styles and the design of network-based software architectures. 
PhD thesis, University of California, Irvine (2000)"},{"key":"970_CR18","volume-title":"Design Patterns: Elements of Reusable Object-Oriented Software","author":"E Gamma","year":"1994","unstructured":"Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley Professional, Boston (1994)"},{"issue":"5","key":"970_CR19","doi-asserted-by":"publisher","first-page":"2973","DOI":"10.1007\/s10270-019-00716-1","volume":"18","author":"A G\u00f3mez","year":"2019","unstructured":"G\u00f3mez, A., Rodr\u00edguez, R.J., Cambronero, M.E., Valero, V.: Profiling the publish\/subscribe paradigm for automated analysis using colored petri nets. Softw. Syst. Model. 18(5), 2973\u20133003 (2019). https:\/\/doi.org\/10.1007\/s10270-019-00716-1","journal-title":"Softw. Syst. Model."},{"key":"970_CR20","unstructured":"Haddad, R., Malki, R.E.: OpenAPI specification extended security scheme: A method to reduce the prevalence of Broken Object Level Authorization. https:\/\/arxiv.org\/abs\/2212.06606. Accessed on 19 Oct 2023 (2022). arXiv:2212.06606"},{"key":"970_CR21","unstructured":"huntr: IDOR to archive victims memo vulnerability found in memos. https:\/\/huntr.dev\/bounties\/e65b3458-c2e2-4c0b-9029-e3c9ee015ae4\/. Accessed on 19 Oct 2023 (2022)"},{"key":"970_CR22","unstructured":"Ivanchikj, A.: RESTalk: a visual and textual DSL for modelling RESTful conversations. PhD thesis, Universit\u00e0 della Svizzera italiana (2021)"},{"key":"970_CR23","doi-asserted-by":"crossref","DOI":"10.1007\/b95112","volume-title":"Coloured Petri Nets: Modelling and Validation of Concurrent Systems","author":"K Jensen","year":"2009","unstructured":"Jensen, K., Kristensen, L.M.: Coloured Petri Nets: Modelling and Validation of Concurrent Systems, 1st edn. Springer, Berlin (2009)","edition":"1"},{"key":"970_CR24","unstructured":"Jin, B., Sahni, S., Shevat, A.: Designing Web APIs: Building APIs That Developers Love, 1st edn. 
O\u2019Reilly Media, Inc. (2018)"},{"key":"970_CR25","doi-asserted-by":"crossref","unstructured":"Kallab, L., Mrissa, M., Chbeir, R., Bourreau, P.: Using colored petri nets for verifying RESTful service composition. In: Panetto, H., Debruyne, C., Gaaloul, W., Papazoglou, M., Paschke, A., Ardagna, C.A., Meersman, R. (eds.) On the Move to Meaningful Internet Systems. OTM 2017 Conferences, Springer International Publishing, Cham, pp. 505\u2013523 (2017)","DOI":"10.1007\/978-3-319-69462-7_32"},{"key":"970_CR26","doi-asserted-by":"publisher","unstructured":"Kim, M., Stennett, T., Shah, D., Sinha, S., Orso, A.: Leveraging large language models to improve REST API testing. In: Proceedings of the 2024 ACM\/IEEE 44th International Conference on Software Engineering: New Ideas and Emerging Results, Association for Computing Machinery, New York, NY, USA, ICSE-NIER\u201924, pp. 37\u201341, https:\/\/doi.org\/10.1145\/3639476.3639769 (2024)","DOI":"10.1145\/3639476.3639769"},{"key":"970_CR27","unstructured":"Kus, D.A., Koren, I., Klamma, R.: A link generator for increasing the utility of openapi-to-graphql translations. CoRR abs\/2005.08708. arXiv:2005.08708 (2020)"},{"key":"970_CR28","doi-asserted-by":"crossref","unstructured":"Li, L., Chou, W.: Designing large scale REST APIs based on REST chart. In: 2015 IEEE International Conference on Web Services, IEEE, pp. 631\u2013638 (2015)","DOI":"10.1109\/ICWS.2015.89"},{"key":"970_CR29","doi-asserted-by":"crossref","unstructured":"Li, L., Chou, W.: Design and describe REST API without violating REST: A Petri net based approach. In: 2011 IEEE International Conference on Web Services, IEEE, pp. 508\u2013515 (2011)","DOI":"10.1109\/ICWS.2011.54"},{"key":"970_CR30","unstructured":"Madden, N.: API Security in Action. Manning Publications (2020)"},{"key":"970_CR31","doi-asserted-by":"publisher","unstructured":"Marashdeh, Z., Suwais, K., Alia, M.: A Survey on SQL Injection attack: detection and challenges. 
In: 2021 International Conference on Information Technology (ICIT), pp. 957\u2013962. https:\/\/doi.org\/10.1109\/ICIT52682.2021.9491117 (2021)","DOI":"10.1109\/ICIT52682.2021.9491117"},{"key":"970_CR32","unstructured":"Miller, D., Harmon, J., Whitlock, J., Hahn, K., Gardiner, M., Ralphson, M., Dolin, R., Ratovsky, R., Tam, T.: OpenAPI Specification v3.1.0. https:\/\/spec.openapis.org\/oas\/v3.1.0. Accessed on 09 Oct 2024 (2021)"},{"key":"970_CR33","doi-asserted-by":"crossref","first-page":"541","DOI":"10.1109\/5.24143","volume":"77","author":"T Murata","year":"1989","unstructured":"Murata, T.: Petri Nets: properties, analysis and applications. Proc. IEEE 77, 541\u2013580 (1989)","journal-title":"Proc. IEEE"},{"key":"970_CR34","unstructured":"OMG: Unified Modelling Language: Superstructure. Object Management Group, version 2.4, formal\/11-08-05 (2011)"},{"key":"970_CR35","unstructured":"OpenAPI Initiative: Best Practices. https:\/\/learn.openapis.org\/best-practices.html. Accessed on 01 Oct 2024 (2023)"},{"key":"970_CR36","unstructured":"OpenAPI Initiative: Code Generators. https:\/\/tools.openapis.org\/categories\/code-generators.html. Accessed on 01 Oct 2024 (2024)"},{"key":"970_CR37","doi-asserted-by":"crossref","unstructured":"Pommereau, F.: SNAKES: A flexible high-level petri nets library (tool paper). In: Application and Theory of Petri Nets and Concurrency: 36th International Conference, PETRI NETS 2015, Brussels, Belgium, June 21\u201326, 2015, Proceedings 36, Springer, pp. 254\u2013265 (2015)","DOI":"10.1007\/978-3-319-19488-2_13"},{"key":"970_CR38","unstructured":"Postman: 2023 State of the API Report. https:\/\/www.postman.com\/state-of-api\/api-global-growth. Accessed on 01 Oct 2024 (2024)"},{"key":"970_CR39","doi-asserted-by":"crossref","unstructured":"Ratzer, A.V., Wells, L., Lassen, H.M., Laursen, M., Qvortrup, J.F., Stissing, M.S., Westergaard, M., Christensen, S., Jensen, K.: CPN tools for editing, simulating, and analysing coloured Petri nets. 
In: Proceedings of the 24th International Conference on Applications and Theory of Petri Nets, Springer, pp. 450\u2013462 (2003)","DOI":"10.1007\/3-540-44919-1_28"},{"key":"970_CR40","unstructured":"Rauf, I.: Design and validation of stateful composite RESTful web services. PhD thesis, Turku Centre for Computer Science (2014)"},{"key":"970_CR41","volume-title":"RESTful Web Services","author":"L Richardson","year":"2007","unstructured":"Richardson, L., Ruby, S.: RESTful Web Services, 1st edn. O\u2019Reilly Media Inc., Sebastopol (2007)","edition":"1"},{"issue":"2","key":"970_CR42","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1007\/s10664-008-9102-8","volume":"14","author":"P Runeson","year":"2009","unstructured":"Runeson, P., H\u00f6st, M.: Guidelines for conducting and reporting case study research in software engineering. Empir. Softw. Eng. 14(2), 131\u2013164 (2009). https:\/\/doi.org\/10.1007\/s10664-008-9102-8","journal-title":"Empir. Softw. Eng."},{"key":"970_CR43","unstructured":"Salt Security: State of API Security Report Q3 2022. https:\/\/content.salt.security\/state-api-report.html. Accessed on 23 Feb 2023 (2022)"},{"key":"970_CR44","unstructured":"Santos Filho, A.: Links2CPN - OpenAPI Links to CPNs. https:\/\/github.com\/ailton07\/openapi-links-to-CPNs. Accessed on 27 Feb 2023 (2023)"},{"key":"970_CR45","unstructured":"Schoenborn, J.M., Althoff, K.D.: Detecting SQL-injection and cross-site scripting attacks using case-based reasoning and SEASALT. In: LWDA, pp. 66\u201377 (2021)"},{"key":"970_CR46","unstructured":"Swagger-PHP: Link. https:\/\/zircote.github.io\/swagger-php\/reference\/attributes.html#link. Accessed on 01 Oct 2024 (2024)"},{"key":"970_CR47","doi-asserted-by":"publisher","unstructured":"van der Aalst, W.: Process Mining: Data Science in Action. Springer, Berlin (2016). 
https:\/\/doi.org\/10.1007\/978-3-662-49851-4_1","DOI":"10.1007\/978-3-662-49851-4_1"},{"key":"970_CR48","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-031-55642-5_4","volume-title":"Refactoring, Requirements Elicitation, and Software Design","author":"J White","year":"2024","unstructured":"White, J., Hays, S., Fu, Q., Spencer-Smith, J., Schmidt, D.C.: ChatGPT Prompt patterns for improving code quality. In: Refactoring, Requirements Elicitation, and Software Design, pp. 1\u2013108. Springer, Cham (2024). https:\/\/doi.org\/10.1007\/978-3-031-55642-5_4"},{"key":"970_CR49","doi-asserted-by":"crossref","first-page":"346","DOI":"10.1007\/978-3-642-22233-7_24","volume-title":"Web Engineering","author":"I Zuzak","year":"2011","unstructured":"Zuzak, I., Budiselic, I., Delac, G.: Formal modeling of RESTful systems using finite-state machines. In: Auer, S., D\u00edaz, O., Papadopoulos, G.A. (eds.) Web Engineering, pp. 346\u2013360. Springer, Heidelberg (2011)"}],"container-title":["International Journal of Information 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00970-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-024-00970-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00970-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,30]],"date-time":"2025-03-30T07:59:26Z","timestamp":1743321566000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-024-00970-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,21]]},"references-count":49,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,4]]}},"alternative-id":["970"],"URL":"https:\/\/doi.org\/10.1007\/s10207-024-00970-5","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,21]]},"assertion":[{"value":"21 February 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"All procedures performed in studies involving human participants were in accordance with the ethical standards of the institutional research committee and with the 1964 Helsinki declaration and its later amendments or comparable ethical standards.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical 
approval"}},{"value":"Informed consent was obtained from all individual participants included in the study.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Informed consent"}}],"article-number":"83"}}
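The abstract above describes the detection approach only at the level of its inputs and outputs: an OpenAPI description, a model derived from it, and web server execution traces replayed against that model to flag BOLA attacks. The Python script below is an added illustration of that idea and is not the paper's tool, nor its OpenAPI-to-colored-Petri-net transformation. It keeps the part a practitioner can reproduce in a few lines: a constructed, OpenAPI-like operation table (SPEC, an assumed shape) states which operations create an object and which act on an object named by a path parameter; a successful creation binds the creator to the object, much like a coloured token carrying the caller's identity; a later request on that object by a different principal that the server answered with a 2xx is reported as a BOLA finding. The endpoint paths, user names and the log lines in TRACE are all constructed for this example.

```python
"""Toy BOLA detector that replays web-server traces against an OpenAPI-like
ownership model. Added illustration only: not the paper's tool and not its
OpenAPI-to-colored-Petri-net transformation. Endpoints, users and log lines
are constructed for the example."""
import re
from collections import namedtuple

# Constructed OpenAPI-like operation table (assumed shape, not from the paper).
# "creates": the operation creates an object of that type, owned by the caller.
# "object"/"param": the operation acts on an existing object of that type,
# identified by the named path parameter.
SPEC = {
    "POST /orders": {"creates": "order"},
    "GET /orders/{orderId}": {"object": "order", "param": "orderId"},
    "PATCH /orders/{orderId}": {"object": "order", "param": "orderId"},
    "POST /users": {"creates": "user"},
    "DELETE /users/{userId}": {"object": "user", "param": "userId"},
}

Request = namedtuple("Request", "user method path status created_id")

# Constructed execution trace, one request per line:
#   <authenticated user> <method> <path> <status> <id of created object, or ->
TRACE = """
alice   POST   /orders    201 o1
alice   GET    /orders/o1 200 -
bob     POST   /orders    201 o2
bob     GET    /orders/o1 200 -
bob     PATCH  /orders/o1 200 -
carol   POST   /users     201 u9
mallory DELETE /users/u9  204 -
alice   DELETE /users/u7  404 -
eve     PATCH  /orders/o2 403 -
"""


def parse_trace(text):
    """Parse the whitespace-separated trace format used above."""
    requests = []
    for line in text.strip().splitlines():
        user, method, path, status, created = line.split()
        requests.append(Request(user, method, path, int(status),
                                None if created == "-" else created))
    return requests


def compile_spec(spec):
    """Turn 'METHOD /path/{param}' keys into (method, regex, info) triples;
    each {param} template becomes a named capture group."""
    compiled = []
    for key, info in spec.items():
        method, template = key.split(" ", 1)
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        compiled.append((method, re.compile(pattern), info))
    return compiled


def match_operation(compiled, method, path):
    """Return (info, path_params) for the first operation matching the request,
    or (None, {}) if the request is not described by the spec."""
    for m, rx, info in compiled:
        if m == method:
            mo = rx.match(path)
            if mo:
                return info, mo.groupdict()
    return None, {}


def detect_bola(spec, requests):
    """Replay the trace against the ownership model.

    The owner table plays the role of the net marking: a successful creation
    places a token (object_type, object_id) coloured with the creator; a later
    successful (2xx) access to that object by another principal is reported.
    Rejected cross-user requests (4xx) are attempts the server handled
    correctly and are not findings."""
    compiled = compile_spec(spec)
    owner = {}
    findings = []
    for r in requests:
        info, params = match_operation(compiled, r.method, r.path)
        if info is None:
            continue  # request not covered by the spec; out of scope here
        accepted = 200 <= r.status < 300
        if "creates" in info:
            if accepted and r.created_id:
                owner[(info["creates"], r.created_id)] = r.user
        else:
            obj = (info["object"], params[info["param"]])
            creator = owner.get(obj)
            if accepted and creator is not None and creator != r.user:
                findings.append((r.user, r.method, r.path, creator))
    return findings


if __name__ == "__main__":
    for user, method, path, creator in detect_bola(SPEC, parse_trace(TRACE)):
        print(f"BOLA: {user} {method} {path} (object created by {creator})")
```

Two caveats carry over to any real deployment of this idea. First, the trace must carry the authenticated principal and the identifier of each created object; a plain access log with only client IPs cannot support the ownership check. Second, the creator-only ownership rule is the simplest possible policy: shared or transferred objects, administrative roles and public read endpoints all need explicit exceptions in the model, otherwise legitimate traffic is reported as an attack. The paper derives its model from the OpenAPI document itself rather than from a hand-written table like SPEC.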