In January 2014, news outlets reported that the usernames and passwords of 4.6
million Snapchat users had leaked, when intruders exploited critical security
holes in Snapchat's "non-public" back-end API. While such catastrophic
incidents are uncommon, security bugs that could allow critical data leaks are
regularly discovered in all kinds of web APIs. Most such bugs are simple to
fix (read: patch) once discovered, and many could have been discovered with
somewhat more rigorous security testing. In this project we will investigate
how to use *generative* testing techniques to find such bugs.

In generative testing, a tester does not explicitly write individual test
cases. Rather, the tester provides properties specifying how a software
component is supposed to behave, and then a software library generates and
executes random test cases asserting these properties. The best known
generative testing library is QuickCheck, which targets Haskell.

It is not clear how best to specialize the existing general-purpose generative
testing techniques to find security bugs in web APIs (that is what we are
going to figure out!), but some ideas for things to include in a specialized
- knowledge about typical security flaws seen in web APIs,
- knowledge about authorization and authentication protocols, and
- comprehension of formal languages used to describe custom data types used
on the web. (Most likely, we need to understand and be able to fuzz data
from JSON Schemas or XML Schemas.)

The bulk of the student's work will be to ponder, experiment with, and
evaluate many such ideas for specializing generative testing techniques for
security testing of web APIs.
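
To make the approach concrete, here is an added example (not part of the original project description) of a generative test for one authorization property: a successful read implies the caller owns the record. The in-memory note store, the two handlers and all names are constructed for illustration; a fixed seed keeps the run reproducible.

```python
import random

# Constructed toy back end: note id -> (owner, text). Not a real API.
NOTES = {1: ("alice", "a1"), 2: ("bob", "b1"), 3: ("alice", "a2")}
USERS = ["alice", "bob", "mallory"]

def get_note_buggy(session_user, note_id):
    """Handler with a missing ownership check (the flaw the test should find)."""
    if session_user is None:
        return 401, None
    note = NOTES.get(note_id)
    if note is None:
        return 404, None
    return 200, note[1]  # bug: owner is never compared to session_user

def get_note_fixed(session_user, note_id):
    """Same handler with the authorization check in place."""
    if session_user is None:
        return 401, None
    note = NOTES.get(note_id)
    if note is None or note[0] != session_user:
        return 404, None  # same answer for "missing" and "not yours"
    return 200, note[1]

def gen_request(rng):
    """Generator: a random (session_user, note_id), including edge values."""
    user = rng.choice(USERS + [None])
    note_id = rng.choice(list(NOTES) + [0, -1, 10**6])
    return user, note_id

def prop_only_owner_reads(handler, request):
    """Property: a 200 response implies the caller owns the note."""
    user, note_id = request
    status, _ = handler(user, note_id)
    return status != 200 or NOTES[note_id][0] == user

def check(handler, runs=500, seed=0):
    """Run the property on random requests; return a counterexample or None."""
    rng = random.Random(seed)
    for _ in range(runs):
        request = gen_request(rng)
        if not prop_only_owner_reads(handler, request):
            return request
    return None

if __name__ == "__main__":
    print("buggy handler counterexample:", check(get_note_buggy))
    print("fixed handler counterexample:", check(get_note_fixed))
```

The tester writes only the generator and the property; the failing request for the buggy handler is found by the random search rather than by a hand-written test case.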

The project will have three supervisors, two external to NTNU. The two
external supervisors are Bjarte M. Østvold, who is head of the Information
security group at the Norwegian Computation Center (NR), and Edvard K.
Karlsen, who is a consultant

Claessen and Hughes, "QuickCheck: a lightweight tool for random
testing of Haskell programs", ICFP 2000.