Yelp recently announced that it will open-source its fuzz-lightyear testing framework. Fuzz-lightyear specifically identifies Insecure Direct Object Reference (IDOR) vulnerabilities which present some of the most difficult vulnerabilities to systematically defend against.
"In the security industry, there are two main approaches to defending against threats," Aaron Loo, Yelp Engineering Manager, commented in a blog post announcement. "First, try to prevent them from happening. If this isn't possible, make sure you detect them for fast remediation. The problem with IDOR is that it's difficult to do either one."
fuzz-lightyear uses "fuzzing". More specifically, stateful Swagger fuzzing was introduced in a Microsoft research paper in 2019 as a method to detect common vulnerabilities in REST APIs. This includes IDOR vulnerabilities. Fuzzing uses a three-step strategy:
- User session executes a sequence of requests
- Attacker session executes the same sequence of requests to ensure user and attacker reach the same state
- In the last sequence request, attack session executes the user's request (if successful, the vulnerability is found)
Microsoft's paper was helpful, but difficult to achieve at scale. Yelp designed fuzz-lightyear as a framework to easily configure dynamic tests. It also integrates seamlessly with CI pipelines. Check out fuzz-lightyear on GitHub to learn more.