General Information
This paper presents NAUTILUS, an automated RESTful API vulnerability detection solution.
CVEs for False-Negative
We list the details of the CVEs included in the false-negative analysis in sheet 1 (False-Negative-CVE-Study) of the Google Sheet below. The component column gives the name of the plugin that contains the vulnerability. "-" means that the vulnerability is in the native implementation of the service.
The annotation script is available at: https://drive.google.com/file/d/1OXJawCwA9KjBicrdwFhYSOZeVjULLzsg/view?usp=share_link. We will release more source code and documentation on GitHub soon.
Complete List of Identified Vulnerabilities
Due to the page limit, the paper presents only selected vulnerabilities identified by NAUTILUS. Below we present the full list. For anonymity reasons, we hide the detailed CVE numbers. Please contact us for further justification/proofs of those vulnerabilities.
CWE Mapping List
For the CVEs studied in the paper, we analyze them based on their CWE items as specified by MITRE. Specifically, we study 609 vulnerabilities, 593 of which contain valid information. We further manually inspect 45 of them that have direct exploits on Exploit-DB / Metasploit. Some of the vulnerabilities have different CWE numbers, but they share the same root causes. Below we present our grouping of CWEs into the listed types of vulnerabilities: