Karthik Raghavan
Department of Computer Science and Engineering, SASTRA Deemed University, Thanjavur 613401, Tamil Nadu, India
Nivetha Padmanabhan
School of Information Technology and Engineering, Vellore Institute of Technology, Vellore 632014, Tamil Nadu, India
Arjun Venkatesh*
Department of Computer Science and Engineering, Thapar Institute of Engineering and Technology, Patiala 147004, Punjab, India
arjun.venkatesh@thapar.edu

DOI: https://doi.org/10.63646/jaiaa.2023.010402

Abstract

Mass Assignment Vulnerability (MAV) remains a stubbornly recurring weakness in RESTful web services because permissive request-to-object binding is enabled by default in most modern web frameworks and because vulnerable code is syntactically indistinguishable from safe code. We propose a hybrid vulnerability analytics framework that combines lightweight static rule matching with schema-aware dynamic fuzzing and an AI-assisted exploitability validation layer that learns to discriminate confirmed exploits from architecturally fragile but currently non-exploitable findings. The static engine builds an Abstract Syntax Tree (AST) over Java source files and evaluates it against a curated library of seven detection rules spanning controller, model, service, and configuration layers. The dynamic engine consumes the static candidate set and constructs OpenAPI-conformant injection payloads that are dispatched to a live test instance. A response state divergence metric quantifies the impact of injected sensitive fields, and a logistic classifier trained on this metric and seven structural features assigns a four-level severity grade to each finding. We evaluated the framework on three benchmark Spring Boot codebases: a deliberately vulnerable application, a tutorial-style standard application, and a hardened reference application. The hybrid pipeline detected all nineteen planted vulnerabilities (zero false negatives) in the vulnerable benchmark, cleared the hardened reference (zero false positives), and reduced the actionable HIGH-severity finding set from eight to three across the eight dynamically tested endpoints, a 62.5 percent reduction in operational false positives. Static scans complete in under two seconds on a 24-file project and dynamic verification averages 2.3 seconds per endpoint, making the framework practical as a Continuous Integration gate. The paper contributes a publicly described rule library, an AI-assisted severity grading function, and an empirical assessment of where source-code and runtime evidence are jointly necessary.
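The following is an added illustration, not code from the paper, of the binding problem the abstract describes: a framework-style binder that writes every request key into a domain object, an allowlisted binder beside it, and a simple field-level divergence count in the spirit of the response state divergence metric. The `User` class, the field names and the request contents are constructed for the example.

```java
import java.lang.reflect.Field;
import java.util.*;

public class MassAssignmentDemo {
    // Hypothetical domain object; "role" is the sensitive field a client must not set.
    public static class User {
        public String username = "alice";
        public String email = "alice@example.test";
        public String role = "USER";
    }

    // Mimics a permissive default binder: any request key naming a field is written.
    static void bindPermissive(Object target, Map<String, String> request) throws Exception {
        for (Map.Entry<String, String> e : request.entrySet()) {
            Field f = target.getClass().getField(e.getKey());
            f.set(target, e.getValue());
        }
    }

    // Hardened binder: only allowlisted fields are written; everything else is dropped.
    static void bindAllowlisted(Object target, Map<String, String> request,
                                Set<String> allowed) throws Exception {
        for (Map.Entry<String, String> e : request.entrySet()) {
            if (!allowed.contains(e.getKey())) continue;
            target.getClass().getField(e.getKey()).set(target, e.getValue());
        }
    }

    // Divergence: number of non-allowlisted fields whose state changed after binding.
    static int divergence(User before, User after, Set<String> allowed) throws Exception {
        int changed = 0;
        for (Field f : User.class.getFields()) {
            if (allowed.contains(f.getName())) continue;
            if (!Objects.equals(f.get(before), f.get(after))) changed++;
        }
        return changed;
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of("email");
        // Constructed request: a profile update that also carries the sensitive field.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("email", "new@example.test");
        request.put("role", "ADMIN");

        User permissive = new User();
        bindPermissive(permissive, request);
        System.out.println("permissive divergence  = " + divergence(new User(), permissive, allowed));

        User hardened = new User();
        bindAllowlisted(hardened, request, allowed);
        System.out.println("allowlisted divergence = " + divergence(new User(), hardened, allowed));
    }
}
```

A non-zero divergence on the permissive path is the runtime evidence that distinguishes an exploitable binding from code that merely looks fragile.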

How to Cite

Raghavan, K., Padmanabhan, N., & Venkatesh, A. (2023). AI-Assisted Hybrid Vulnerability Analytics for RESTful APIs: Static Rule Matching, Dynamic Fuzzing, and Exploitability Validation. Journal of AI Analytics and Applications, 1(4), 20-35. https://doi.org/10.63646/jaiaa.2023.010402