Tao Zheng;Jiang Shao;Jinqiao Dai;Shuyu Jiang;Xingshu Chen;Changxiang Shen
IEEE Transactions on Services Computing, vol. 17, no. 6, pp. 4225-4238. Publication date: 2024-11-01. Journal Article.
DOI: 10.1109/TSC.2024.3489441
https://ieeexplore.ieee.org/document/10740182/
RESTLess: Enhancing State-of-the-Art REST API Fuzzing With LLMs in Cloud Service Computing
REST API fuzzing is an emerging approach for automated vulnerability detection in cloud services. However, existing state-of-the-art (SOTA) fuzzers face challenges in generating long sequences of high-semantic requests, so they can hardly trigger hard-to-reach states within a cloud service. To overcome this problem, we propose RESTLess, a flexible and efficient approach with hybrid optimization strategies for REST API fuzzing enhancement. Specifically, to pass the cloud gateway's syntax and semantic checking, we use a Large Language Model to construct RTSet, a dataset of valid REST API parameters, and then use it to develop an efficient semantic enhancement approach for REST API specifications. To detect vulnerabilities hidden under complex API operations, we design a flexible parameter rendering order optimization algorithm to increase the length and types of request sequences. Evaluation results show that RESTLess notably improves the semantic quality of generated sequences compared with existing tools, thereby improving their ability to detect vulnerabilities. We also apply RESTLess to nine real-world cloud services, such as Microsoft Azure, Amazon Web Services, and Google Cloud, and detect 38 vulnerabilities, of which 16 have been confirmed and fixed by the relevant vendors.
About the journal:
IEEE Transactions on Services Computing encompasses the computing and software aspects of the science and technology of services innovation research and development. It places emphasis on algorithmic, mathematical, statistical, and computational methods central to services computing. Topics covered include Service Oriented Architecture, Web Services, Business Process Integration, Solution Performance Management, and Services Operations and Management. The transactions address mathematical foundations, security, privacy, agreement, contract, discovery, negotiation, collaboration, and quality of service for web services. It also covers areas like composite web service creation, business and scientific applications, standards, utility models, business process modeling, integration, collaboration, and more in the realm of Services Computing.