{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T06:38:48Z","timestamp":1776926328189,"version":"3.51.2"},"reference-count":69,"publisher":"Tech Science Press","issue":"3","license":[{"start":{"date-parts":[[2025,8,10]],"date-time":"2025-08-10T00:00:00Z","timestamp":1754784000000},"content-version":"vor","delay-in-days":221,"URL":"https:\/\/doi.org\/10.32604\/TSP-CROSSMARKPOLICY"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["CMC"],"published-print":{"date-parts":[[2025]]},"DOI":"10.32604\/cmc.2025.067536","type":"journal-article","created":{"date-parts":[[2025,7,10]],"date-time":"2025-07-10T09:14:33Z","timestamp":1752138873000},"page":"4223-4257","update-policy":"https:\/\/doi.org\/10.32604\/tsp-crossmarkpolicy","source":"Crossref","is-referenced-by-count":4,"title":["Towards Secure APIs: A Survey on RESTful API Vulnerability Detection"],"prefix":"10.32604","volume":"84","author":[{"given":"Fatima","family":"Tanveer","sequence":"first","affiliation":[]},{"given":"Faisal","family":"Iradat","sequence":"additional","affiliation":[]},{"given":"Waseem","family":"Iqbal","sequence":"additional","affiliation":[]},{"given":"Awais","family":"Ahmad","sequence":"additional","affiliation":[]}],"member":"17807","published-online":{"date-parts":[[2025]]},"reference":[{"key":"ref1","doi-asserted-by":"crossref","first-page":"032016","DOI":"10.1088\/1742-6596\/2094\/3\/032016","article-title":"Principles of securing RESTful API web services developed with python frameworks","volume":"2094","author":"Kornienko","year":"2021","journal-title":"J Phys Conf Ser"},{"key":"ref2","doi-asserted-by":"crossref","first-page":"012010","DOI":"10.1088\/1757-899X\/1228\/1\/012010","article-title":"Design and implementation of RESTFUL API based model for vulnerability detection and mitigation","volume":"1228","author":"Modi","year":"2022","journal-title":"IOP Conf Ser 
Mater Sci Eng"},{"key":"ref3","series-title":"33rd USENIX Security Symposium (USENIX Security \u201924); 2024 Aug 14\u201316","first-page":"739","article-title":"Vulnerability-oriented Testing for RESTful APIs","author":"Du"},{"key":"ref4","doi-asserted-by":"crossref","first-page":"74562","DOI":"10.1109\/ACCESS.2020.2988557","article-title":"Deep learning for software vulnerabilities detection using code metrics","volume":"8","author":"Zagane","year":"2020","journal-title":"IEEE Access"},{"key":"ref5","first-page":"557","article-title":"Using public vulnerabilities data to self-heal security issues in software systems","volume":"13","author":"ur Rehman","year":"2019","journal-title":"ICIC Exp Lett"},{"key":"ref6","unstructured":"Traceable AI. 2023 state of API security report. 2023 [Internet]. [cited 2025 Jun 23]. Available from: https:\/\/www.traceable.ai\/2023-state-of-api-security."},{"key":"ref7","unstructured":"Salt Security. API security trends 2024: the growing threat landscape. 2024 [Internet]. [cited 2025 Jun 23]. Available from: https:\/\/salt.security\/blog\/api-security-trends-2024."},{"key":"ref8","unstructured":"Open Web Application Security Project (OWASP). API security top 10\u20132023. 2023 [Internet]. [cited 2025 Jun 23]. Available from: https:\/\/owasp.org\/www-project-api-security."},{"key":"ref9","unstructured":"OWASP Foundation. OWASP API security top 10\u20132023. 2023 [Internet]. [cited 2025 Jun 23]. Available from: https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0x00-header\/."},{"key":"ref10","doi-asserted-by":"crossref","unstructured":"Golmohammadi A, Zhang M, Arcuri A. Testing RESTful APIs: a survey. arXiv:2212.14604. 
2022.","DOI":"10.1145\/3617175"},{"key":"ref11","series-title":"Proceedings of The 31st ACM SIGSOFT International Symposium on Software Testing and Analysis; 2022 Jul 18\u201322","first-page":"289","article-title":"Automated test generation for REST APIs: no time to rest yet","volume":"Online","author":"Kim"},{"key":"ref12","doi-asserted-by":"crossref","first-page":"49","DOI":"10.21681\/2311-3456-2022-1-49-65","article-title":"Automatic detection of access control vulnerabilities via API specification processing","volume":"1","author":"Barabanov","year":"2022","journal-title":"Voprosy Kiberbezopasnosti"},{"key":"ref13","series-title":"Proceedings of the 32nd USENIX Conference on Security Symposium; 2023 Aug 9\u201311","first-page":"5593","article-title":"NAUTILUS: automated RESTful API vulnerability detection","author":"Deng"},{"key":"ref14","first-page":"1797","article-title":"RESTlogic: detecting logic vulnerabilities in cloud REST APIs","volume":"78","author":"Wang","year":"2024","journal-title":"Comput Mater Contin"},{"key":"ref15","series-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE); 2023 May 14\u201320","first-page":"2553","article-title":"Automated black-box testing of mass assignment vulnerabilities in RESTful APIs","author":"Corradini"},{"key":"ref16","series-title":"Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering; 2024 Jun 18\u201321","first-page":"369","article-title":"Mining REST APIs for potential mass assignment vulnerabilities","author":"Mazidi"},{"key":"ref17","doi-asserted-by":"crossref","first-page":"40128","DOI":"10.1109\/ACCESS.2023.3266385","article-title":"Input validation vulnerabilities in web applications: systematic review, classification, and analysis of the current state-of-the-art","volume":"11","author":"Fadlalla","year":"2023","journal-title":"IEEE Access"},{"key":"ref18","series-title":"Proceedings of the 33rd International Conference on 
Software Engineering (ICSE); 2011 May 21\u201328","first-page":"251","article-title":"Patching vulnerabilities with sanitization synthesis","author":"Yu"},{"key":"ref19","doi-asserted-by":"crossref","unstructured":"Barlas E, Du X, Davis JC. Exploiting input sanitization for regex denial of service. arXiv:2303.01996. 2023.","DOI":"10.1145\/3510003.3510047"},{"key":"ref20","series-title":"Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE)","first-page":"1101","article-title":"Leveraging hardware probes and optimizations for accelerating fuzz testing of heterogeneous applications","author":"Wang","year":"2023 Dec 3\u20139"},{"key":"ref21","series-title":"Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis; 2023 Jul 17\u201321","first-page":"1232","article-title":"Enhancing REST API Testing with NLP Techniques","author":"Kim"},{"key":"ref22","series-title":"CCS \u201924: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security; 2024 Oct 14\u201318","first-page":"1626","article-title":"A first look at security and privacy risks in the RapidAPI ecosystem","author":"Liao"},{"key":"ref23","doi-asserted-by":"crossref","first-page":"10250","DOI":"10.1109\/JIOT.2020.2997651","article-title":"An in-depth analysis of IoT security requirements, challenges, and their countermeasures via software-defined security","volume":"7","author":"Iqbal","year":"2020","journal-title":"IEEE Internet Things J"},{"key":"ref24","doi-asserted-by":"crossref","unstructured":"Mousavi Z, Islam C, Babar MA, Abuadbba A, Moore K. Detecting misuse of security APIs: a systematic review. arXiv:2306.08869. 2024.","DOI":"10.1145\/3735968"},{"key":"ref25","unstructured":"Acunetix. API Security risks and challenges; Acunetix web security report . 2024 [Internet]. [cited 2025 Jun 23]. 
Available from: https:\/\/www.acunetix.com\/blog\/articles\/api-security-risks."},{"key":"ref26","unstructured":"Rsnake. XSS cheat sheet. 2008 [Internet]. [cited 2025 Jun 23]. Available from: http:\/\/ha.ckers.org\/xss.html."},{"key":"ref27","unstructured":"HTML5 Security Team. HTML5 security cheat sheet [Internet]. [cited 2025 Jun 23]. Available from: http:\/\/html5sec.org\/."},{"key":"ref28","unstructured":"PortSwigger Web Security Team. Cross-site scripting (XSS) cheat sheet [Internet]. [cited 2025 Jun 23]. Available from: https:\/\/portswigger.net\/web-security\/cross-site-scripting\/cheat-sheet."},{"key":"ref29","unstructured":"XssPayloads. XSS payloads on X (Twitter) [Internet]. [cited 2025 Jun 23]. Available from: https:\/\/twitter.com\/xsspayloads."},{"key":"ref30","doi-asserted-by":"crossref","unstructured":"Kim M, Sinha S, Orso A. Adaptive REST API testing with reinforcement learning. arXiv:2309.04583. 2023.","DOI":"10.1109\/ASE56229.2023.00218"},{"key":"ref31","series-title":"The 27th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2024); 2024 Sep 30\u2013Oct 2; Padua, Italy","article-title":"Beyond REST: introducing APIF for comprehensive API vulnerability fuzzing","author":"Wang"},{"key":"ref32","series-title":"Proceedings of the 44th IEEE\/ACM International Conference on Software Engineering (ICSE); 2022 May 25\u201327","first-page":"1406","article-title":"Morest: model-based RESTful API testing with execution feedback","author":"Liu"},{"key":"ref33","series-title":"Workshop on WEB 2.0 Security and Privacy (W2SP); 2013 May 23\u201324","article-title":"Cross-site scripting attacks in social network APIs","author":"Zhang"},{"key":"ref34","unstructured":"Project G. Stored cross-site scripting (XSS) vulnerability in REST resources API. 2024 [Internet]. [cited 2025 Jun 23]. 
Available from: https:\/\/github.com\/geoserver\/geoserver\/security\/advisories\/GHSA-fh7p-5f6g-vj2w."},{"key":"ref35","doi-asserted-by":"crossref","first-page":"8","DOI":"10.3390\/s23084117","article-title":"A critical cybersecurity analysis and future research directions for the internet of things: a comprehensive review","volume":"23","author":"Tariq","year":"2023","journal-title":"Sensors"},{"key":"ref36","series-title":"ICCDE \u201924: Proceedings of the 2024 10th International Conference on Computing and Data Engineering; 2024 Jan 15\u201317","first-page":"64","article-title":"Securing web apps: analysis to understand common vulnerabilities, attack scenarios, and protective measures","author":"Kumar"},{"key":"ref37","doi-asserted-by":"crossref","unstructured":"Dias T, Maia E, Pra\u00e7a I. FuzzTheREST: an intelligent automated black-box RESTful API fuzzer. arXiv:2407.14361. 2024.","DOI":"10.1007\/978-3-031-82073-1_16"},{"key":"ref38","article-title":"AI edition\u2014innovation and adoption challenges","year":"2024","journal-title":"API Impact Report 2024"},{"key":"ref39","first-page":"229","article-title":"The art of API design: best practices for modern software development","volume":"9","author":"Garimilla","year":"2024","journal-title":"Int J Eng Tech Res (IJETR)"},{"key":"ref40","first-page":"1","article-title":"Cost benefit analysis of incorporating security and evaluation of its effects on various phases of agile software development","volume":"2021","author":"Kumar","year":"2021","journal-title":"Math Probl Eng"},{"key":"ref41","first-page":"25","article-title":"Efficient deep features learning for vulnerability detection using character n-gram embedding","volume":"7","author":"Alenezi","year":"2021","journal-title":"Jordanian J Comput Inf Technol (JJCIT)"},{"key":"ref42","doi-asserted-by":"crossref","first-page":"122","DOI":"10.3390\/technologies12080122","article-title":"iKern: advanced intrusion detection and prevention at the kernel level using 
eBPF","volume":"12","author":"Hadi","year":"2024","journal-title":"Technologies"},{"key":"ref43","unstructured":"Vulnerability Lab. Technical attack sheet for cross-site penetration tests [Internet]. [cited 2025 Jun 23]. Available from: http:\/\/www.vulnerability-lab.com\/resources\/documents\/531.txt."},{"key":"ref44","unstructured":"Yerushalmi S. GraphQL vulnerabilities and common attacks: what you need to know; imperva blog [Internet]. 2023 [cited 2025 Jun 23]. Available from: https:\/\/www.imperva.com\/blog\/graphql-vulnerabilities-common-attacks\/."},{"key":"ref45","unstructured":"Amareen S, Soto Dector O, Dado A, Bosu A. GraphQL adoption and challenges: community-driven insights from stackoverflow discussions. arXiv:2408.08363. 2024."},{"key":"ref46","doi-asserted-by":"crossref","first-page":"103749","DOI":"10.1016\/j.cose.2024.103749","article-title":"Few-shot graph classification on cross-site scripting attacks detection","volume":"140","author":"Pan","year":"2024","journal-title":"Comput Secur"},{"key":"ref47","doi-asserted-by":"crossref","unstructured":"Kim M, Sinha S, Orso A. LlamaRestTest: effective REST API testing with small language models. arXiv:2501.08598. 2025.","DOI":"10.1145\/3715737"},{"key":"ref48","series-title":"ICMLC \u201924: Proceedings of the 2024 16th International Conference on Machine Learning and Computing; 2024 Feb 2\u20135","first-page":"211","article-title":"Unlocking deeper understanding: leveraging explainable AI for API anomaly detection insights","author":"Jones"},{"key":"#cr-split#-ref49.1","unstructured":"Technologies A. API security impact study 2025: the costs of API attacks in 4 APAC Countries"},{"key":"#cr-split#-ref49.2","unstructured":"akamai technologies [Internet]. 2025 [cited 2025 Jun 23]. 
Available from: https:\/\/www.akamai.com."},{"key":"ref50","doi-asserted-by":"crossref","first-page":"132","DOI":"10.1007\/s10664-023-10367-y","article-title":"Do RESTful API design rules have an impact on the understandability of web APIs?","volume":"28","author":"Bogner","year":"2023","journal-title":"Empir Softw Eng"},{"key":"ref51","series-title":"Proceedings of the 2024 ACM\/IEEE 44th International Conference on Software Engineering: New Ideas and Emerging Results; 2024 April 14\u201320","first-page":"37","article-title":"Leveraging large language models to improve REST API testing","author":"Kim"},{"key":"ref52","series-title":"2024 IEEE Security & Privacy Workshops (SPW); 2024 May 23","first-page":"68","article-title":"WENDIGO: deep reinforcement learning for denial-of-service query discovery in GraphQL","author":"McFadden"},{"key":"ref53","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1007\/s10207-024-00970-5","article-title":"Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation","volume":"24","author":"Santos Filho","year":"2025","journal-title":"Int J Inf Secur"},{"key":"ref54","doi-asserted-by":"crossref","unstructured":"Wolf T, Debut L, Sanh V, Chaumond J, Delangue C, Moi A, et al. HuggingFace\u2019s transformers: state-of-the-art natural language processing. arXiv:1910.03771. 
2019.","DOI":"10.18653\/v1\/2020.emnlp-demos.6"},{"key":"ref55","series-title":"Proceedings of the 52nd Annual Meeting of the Association for Computational Linguistics: System Demonstrations; 2014 Jun 22\u201327","first-page":"55","article-title":"The Stanford CoreNLP natural language processing toolkit","author":"Manning"},{"key":"ref56","series-title":"2017 IEEE International Conference on Software Quality, Reliability and Security (QRS); 2017 Jul 25\u201329","first-page":"9","article-title":"RESTful API automated test case generation","author":"Arcuri"},{"key":"ref57","series-title":"Proceedings of the 41st International Conference on Software Engineering (ICSE); 2019 May 27","first-page":"748","article-title":"RESTler: stateful REST API fuzzing","author":"Atlidakis"},{"key":"ref58","series-title":"2022 Second International Conference on Computer Science, Engineering and Applications (ICCSEA); 2022 Sep 8","first-page":"1","article-title":"Windows malware detection using machine learning and TF-IDF enriched API calls information","author":"Sharma"},{"key":"ref59","unstructured":"Dezfouli MP. Automated real-time machine learning for IoT for manufacturing a cloud architecture and API; 2020. [cited 2025 Jun 23]. Available from: https:\/\/hdl.handle.net\/1853\/62335."},{"key":"ref60","doi-asserted-by":"crossref","unstructured":"Vinzenz N, Oka DK. Processing fuzz testing results into an evidence report. Warrendale, PA, USA: SAE; 2023. Paper #2023-01-0039. 
doi:10.4271\/2023-01-0039.","DOI":"10.4271\/2023-01-0039"},{"key":"ref61","doi-asserted-by":"crossref","first-page":"29175","DOI":"10.1109\/ACCESS.2024.3369613","article-title":"Formal-Guided fuzz testing: targeting security assurance from specification to implementation for 5G and beyond","volume":"12","author":"Yang","year":"2024","journal-title":"IEEE Access"},{"key":"ref62","doi-asserted-by":"crossref","first-page":"877","DOI":"10.1007\/s11227-025-07371-y","article-title":"Systematic exploration of fuzzing in IoT: techniques, vulnerabilities, and open challenges","volume":"81","author":"Touqir","year":"2025","journal-title":"J Supercomput"},{"key":"ref63","series-title":"32nd USENIX Security Symposium (USENIX Security \u201923); 2023 Aug 9\u201311","first-page":"4517","article-title":"MINER: a hybrid data-driven approach for REST API fuzzing","author":"Lyu"},{"key":"ref64","series-title":"Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering; 2024 Apr 14\u201320","article-title":"EDEFuzz: A web API fuzzer for excessive data exposures","author":"Pan"},{"key":"ref65","first-page":"1595","article-title":"KubeFuzzer: automating RESTful API vulnerability detection in Kubernetes","volume":"81","author":"Zheng","year":"2024","journal-title":"Comput Mater Contin"},{"key":"ref66","doi-asserted-by":"crossref","first-page":"211","DOI":"10.1002\/stvr.1593","article-title":"Behavior abstraction adequacy criteria for API call protocol testing","volume":"26","author":"Czemerinski","year":"2016","journal-title":"Softw Testing Verification Reliab"},{"key":"ref67","series-title":"Proceedings of the 55th Annual Meeting of the Association for Computational Linguistics; 2017 Jul 30\u2013Aug 4","first-page":"146","article-title":"Neural AMR: sequence-to-sequence models for parsing and generation","author":"Konstas"},{"key":"ref68","series-title":"Proceedings of the Annual Meeting of the Association for Computational Linguistics; 2019 Jul 28\u2013Aug 
2","first-page":"7871","article-title":"BART: denoising sequence-to-sequence pre-training for natural language generation, translation, and comprehension","author":"Lewis"}],"container-title":["Computers, Materials &amp; Continua"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/cdn.techscience.cn\/files\/cmc\/2025\/TSP_CMC-84-3\/TSP_CMC_67536\/TSP_CMC_67536.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T05:45:20Z","timestamp":1776923120000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.techscience.com\/cmc\/v84n3\/63208"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":69,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2025]]},"published-print":{"date-parts":[[2025]]}},"URL":"https:\/\/doi.org\/10.32604\/cmc.2025.067536","relation":{},"ISSN":["1546-2226"],"issn-type":[{"value":"1546-2226","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"2025-05-06","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-06-24","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-07-30","order":2,"name":"published","label":"Published Online","group":{"name":"publication_history","label":"Publication History"}}]}}