Graph-Driven LLM-Augmented Stateful API Fuzzing for OWASP API Top 10

RESEARCH CREW
22:24 06/07/2026

Security testing of REST APIs remains difficult because real-world OpenAPI specifications are often incomplete, many security flaws are inherently stateful, and prevailing stateful fuzzers still optimize primarily for structural exploration rather than OWASP-aligned risk categories. Based on this gap, this paper presents APIGFUZZ, a graph-driven, OWASP-aware black-box REST API fuzzing framework that builds an operation-level parameter-flow graph from OpenAPI specifications and lightweight semantic field classification. The graph recovers producer-consumer dependencies between operations, including low-confidence create-then-access relations when response schemas are weak, and supports deterministic generation of short stateful request sequences. On top of this graph, the framework applies OWASP-aligned test templates and strategy-specific payload pools, while a multi-oracle panel evaluates executions using status-code anomalies, authorization and sequence invariants, schema deviations, idempotency drift, and dedicated checks for categories that are invisible to 5xx-only baselines, such as rate limiting and some injection behaviors. Large language models are used only outside the hot fuzzing loop: first, for offline rule inference from natural-language descriptions, and second, as an optional fallback classifier for ambiguous parameters. This design preserves determinism, cost control, and reproducibility while still benefiting from limited semantic guidance. Experiments on two OpenAPI-documented API security benchmarks, vAPI 1.3 and c{api}tal, show that APIGFUZZ finds 33 unique bugs on vAPI under a 30-minute budget, including 21 oracle-only findings beyond standard 5xx detection, covers 8 of 10 OWASP API Top-10 categories, and surfaces a rate-limiting flaw on the hardened c{api}tal backend that the compared baselines do not detect.

TIN LIÊN QUAN
Despite the dominance of Transformer-based models in software vulnerability detection, the extent to which their learned security logic generalizes across different programming languages remains a critical open question. To address this, we propose a comprehensive evaluation framework organized into three phases spanning five distinct experimental scenarios, aiming to rigorously dissect...
Network Intrusion Detection Systems (NIDS) based on machine learning must evolve after deployment to detect emerging threats very soon with a few labeled samples, while without catastrophic forgetting or degrading due to concept drift. Existing methods address these issues in isolation, lacking a unified pipeline for tabular network traffic. This...