TY - GEN
T1 - Mockingbird
T2 - 2025 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025
AU - Xia, Chenxiao
AU - Sun, Jiazheng
AU - Zheng, Jun
AU - Tan, Yu An
AU - Su, Hongyi
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Excessive Data Exposure (EDE), where an API returns redundant data to the client beyond what is required for its functionality, has become a pervasive and severe security threat. However, automated detection techniques for such vulnerabilities remain underdeveloped, and existing methods, particularly black-box fuzzing, face significant bottlenecks in terms of accuracy and efficiency. To address these challenges, we propose Mockingbird, an automated detection tool based on a statically-assisted dynamic analysis approach. The tool leverages the JavaScript Proxy mechanism for efficient dynamic taint tracking to precisely identify the dangling data that is transmitted from an API response to the client but never consumed by any expected functionality, such as UI rendering or state management. Furthermore, to tackle the lack of a standardized benchmark in this domain, we have constructed and open-sourced EDEBench, the first persistent benchmark for EDE evaluation, comprising 8 popular open-source web projects built on diverse modern technology stacks. Experimental evaluation on EDEBench shows that, compared to the state-of-the-art, Mockingbird achieves an average F1-score improvement of 24.1% (Precision +15.8%, Recall +32.8%), enhances detection speed by nearly 20 times, and demonstrates broad applicability across all tested frameworks. These results provide a clear illustration of our tool's accuracy, applicability, and efficiency. The source code is available at https://github.com/NeoSunJZ/Mockingbird-JS.
KW - API Security
KW - Dynamic Code Instrumentation
KW - Excessive Data Exposure
KW - Gray-box Testing
UR - https://www.scopus.com/pages/publications/105034698454
U2 - 10.1109/ASE63991.2025.00247
DO - 10.1109/ASE63991.2025.00247
M3 - Conference contribution
AN - SCOPUS:105034698454
T3 - Proceedings - 2025 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025
SP - 3009
EP - 3020
BT - Proceedings - 2025 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 16 November 2025 through 20 November 2025
ER -