Abstract

This publication discloses a computer-implemented method and system that scans a running HTTP/REST service for authentication and role-based access-control (RBAC) conformance defects without any machine-readable API specification. Conventional API security scanners (Schemathesis, RESTler, 42Crunch, StackHawk, and comparable tools) require an OpenAPI/Swagger document or a recorded traffic corpus to know both what endpoints exist and what each endpoint's correct behavior is. The disclosed mechanism removes that dependency by treating the service's router source code as the single source of truth: a lightweight parser enumerates route registrations, and — the central novelty — the auth-middleware tokens present on each route's own physical source line are read as an oracle for that route's intended authentication posture. A differential probe matrix then exercises each route with a set of principals (no token, valid token, invalid token, admin token, standard-user token) and flags any observed behavior that contradicts the source-derived oracle, most importantly a source-declared-protected route that answers an unauthenticated request with a 2xx status ("200-without-auth"). A mutation-safety allowlist prevents state-changing verbs from being exercised blindly. A second, independent pass submits the router source to a large language model (LLM) that synthesizes executable test scenarios annotated with expected statuses; those scenarios are executed against the live service and scored. Finally, every failing finding — from either pass — is emitted as a structured ticket into an autonomous bug-to-repair pipeline that attempts a code patch, closing the loop from detection to remediation. The complete detection→synthesis→repair loop, driven purely from source with no spec, is disclosed here to bar exclusive appropriation.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.

Share

COinS