Paper accepted at IEEE DAPPS 2023
Automatic Detection of API Access Control Vulnerabilities in Decentralized Web3 Applications
Web3 is a blockchain-powered evolution of the web. In many situations, Web3 smart contracts require data from outside their applications (off-chain data) via APIs to function as designed. The most common and critical risks facing existing Web3 APIs originate in access control vulnerabilities (i.e., Broken Object Level Authorization, Broken Function Level Authorization, and Broken Authentication). Such runtime vulnerabilities cannot be spotted during the development and testing phases of a Web3 application that integrates APIs. Continuous monitoring is the key to proactively hunting access control attacks, which is not attainable through manual monitoring. In this paper, we design a real-time automated security monitoring approach named the access behavior learning (ABL) model for early detection and prevention of access control attacks before they can cause any damage. In two steps, the ABL approach predicts an attacker's access behavior in response to environmental behavior. First, it verifies the API providers and the oracle by defining authentication schemes using the OpenAPI Specification (OAS) standard to identify the API endpoints and endorse their authenticity. In addition, it validates the oracle-level authentication security schemes for approving authentication. Second, it scans the metadata of the current access record and compares it with previous access records, such as location, application id, and API key, to form a baseline that determines authentication. Using this baseline, ABL determines legitimate application access based on both factors to identify its authentication. The ABL approach retains API security by designing an efficient correlation that enables complex off-chain computation while predicting API access attacks. The ABL approach is evaluated against different Web3 applications with varying levels of access control vulnerabilities, where it is applied for early attack detection and prevention.
Compared to traditional manual detection processes, the ABL approach offers early automated detection and prevention of attacks during runtime, which results in enhanced security measures and reduces the risk of potential threats.
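As an added illustration of the two ABL steps described in the abstract (not the paper's code): a constructed OAS 3 fragment with one endpoint that declares an API-key scheme and one that declares none, a baseline built from constructed prior access records keyed by application id and API key, and a classifier that checks a current access record against both. The endpoint paths, record field names and verdict labels are assumptions made for this example.

```python
"""Two-step access check in the spirit of ABL: (1) resolve the OAS security
scheme an endpoint requires, (2) compare the current access record's metadata
(location, application id, API key) against a baseline of prior records.
All data below is constructed for illustration."""

# Constructed OpenAPI 3 fragment; only the parts the check needs are present.
OAS_DOC = {
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "paths": {
        "/price": {"get": {"security": [{"ApiKeyAuth": []}]}},
        "/debug": {"get": {}},  # no security requirement declared at all
    },
}

def endpoint_auth_schemes(oas, path, method="get"):
    """Step 1: scheme types an endpoint requires. An operation-level `security`
    overrides the document-level one (OAS semantics); empty means unauthenticated."""
    op = oas["paths"].get(path, {}).get(method, {})
    reqs = op.get("security", oas.get("security", []))
    schemes = oas["components"]["securitySchemes"]
    return [schemes[name]["type"] for req in reqs for name in req if name in schemes]

def build_baseline(history):
    """Step 2a: for each (app_id, api_key) pair, the set of locations seen before."""
    base = {}
    for r in history:
        base.setdefault((r["app_id"], r["api_key"]), set()).add(r["location"])
    return base

def classify_access(record, baseline, oas):
    """Step 2b: verdict for one access record, from the OAS requirement and baseline."""
    if not endpoint_auth_schemes(oas, record["path"]):
        return "unauthenticated-endpoint"   # endpoint exposes no auth scheme
    key = (record["app_id"], record["api_key"])
    if key not in baseline:
        return "unknown-credential"         # app id / key pair never seen
    if record["location"] not in baseline[key]:
        return "location-anomaly"           # known credential, new location
    return "legitimate"

HISTORY = [  # constructed prior access records forming the baseline
    {"app_id": "dapp-1", "api_key": "k1", "location": "DE", "path": "/price"},
    {"app_id": "dapp-1", "api_key": "k1", "location": "DE", "path": "/price"},
]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    current = {"app_id": "dapp-1", "api_key": "k1", "location": "BR", "path": "/price"}
    print(classify_access(current, BASELINE, OAS_DOC))
```
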