Generate parameter dependencies by calling other operations to create them
Problem
API Security consumes API specifications that define operations and the parameters each operation takes. Often an operation (operation A) requires an identifier or value that is generated by another operation (operation B). To test operation A properly, API Security should call operation B first and feed the created value into operation A. Doing this will greatly improve the quality of the scan and the findings it produces.
Microsoft has implemented a similar system in its RESTler fuzzer.
Proposal
- Create a graph of operations, parameters, and dependencies between them
- When testing an operation A, identify all dependent operations that must be called first
- The solution needs to work with OpenAPI, GraphQL schemas, and other specification formats.
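As an added illustration of the proposal (example code, not GitLab's API Security implementation or RESTler's), the block below builds a producer/consumer graph over a small constructed, OpenAPI-like description and derives the call order for a target operation. It assumes a simplified model in which each operation lists the parameter names it consumes and the response field names it produces, and it links consumers to producers purely by name; a real implementation would resolve schemas and need a smarter matching strategy. Producers that create state (POST, PUT, PATCH) are preferred over read-only ones, dependency cycles are reported instead of looping forever, and parameters with no producer are surfaced so the scanner knows it must fall back to generated values.

```python
"""Derive the operations that must be called before a target operation.

Added example: a name-based producer/consumer graph over API operations.
The SPEC below is constructed for this illustration; the field names
"method", "path", "consumes" and "produces" are assumptions of this
simplified model, not OpenAPI or GraphQL terms.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample spec: operation id -> what it consumes / produces.
SPEC: Dict[str, dict] = {
    "createProject": {"method": "POST", "path": "/projects",
                      "consumes": [], "produces": ["projectId"]},
    "listProjects":  {"method": "GET", "path": "/projects",
                      "consumes": [], "produces": ["projectId"]},
    "createIssue":   {"method": "POST", "path": "/projects/{projectId}/issues",
                      "consumes": ["projectId"], "produces": ["issueId"]},
    "addComment":    {"method": "POST",
                      "path": "/projects/{projectId}/issues/{issueId}/notes",
                      "consumes": ["projectId", "issueId"], "produces": ["noteId"]},
    "getUser":       {"method": "GET", "path": "/users/{userId}",
                      "consumes": ["userId"], "produces": []},
}

# Prefer state-creating producers: a fresh POST yields an id the scan owns.
METHOD_PREFERENCE = {"POST": 0, "PUT": 1, "PATCH": 2, "GET": 3, "DELETE": 4}


def build_graph(spec: Dict[str, dict]) -> Dict[str, Dict[str, str]]:
    """Return {operation: {parameter: chosen_producer_operation}}.

    For every parameter an operation consumes, pick one producer whose
    response contains a field of the same name (never the operation itself).
    """
    producers: Dict[str, List[str]] = defaultdict(list)
    for op, desc in spec.items():
        for name in desc["produces"]:
            producers[name].append(op)

    graph: Dict[str, Dict[str, str]] = {}
    for op, desc in spec.items():
        deps: Dict[str, str] = {}
        for name in desc["consumes"]:
            candidates = [p for p in producers.get(name, []) if p != op]
            if candidates:
                candidates.sort(key=lambda p: (METHOD_PREFERENCE.get(spec[p]["method"], 99), p))
                deps[name] = candidates[0]
        graph[op] = deps
    return graph


@dataclass
class Plan:
    order: List[str]        # operations to call, dependencies first, target last
    unresolved: Set[str]    # consumed parameters with no producer in the spec


def call_order(spec: Dict[str, dict], target: str) -> Plan:
    """Depth-first walk of the dependency graph from `target`.

    Produces a topological order of producers ending with `target`.
    Raises ValueError when the chosen producers form a cycle.
    """
    graph = build_graph(spec)
    order: List[str] = []
    unresolved: Set[str] = set()
    visiting: Set[str] = set()   # operations on the current DFS path
    done: Set[str] = set()

    def visit(op: str, path: List[str]) -> None:
        if op in done:
            return
        if op in visiting:
            raise ValueError("dependency cycle: " + " -> ".join(path + [op]))
        visiting.add(op)
        for name in spec[op]["consumes"]:
            producer = graph[op].get(name)
            if producer is None:
                unresolved.add(name)    # scanner must synthesise this value
            else:
                visit(producer, path + [op])
        visiting.remove(op)
        done.add(op)
        order.append(op)

    visit(target, [])
    return Plan(order, unresolved)


def describe(spec: Dict[str, dict], plan: Plan) -> List[str]:
    """Render the plan as one line per request, noting where each input comes from."""
    graph = build_graph(spec)
    lines = []
    for op in plan.order:
        sources = ", ".join(f"{p} <- {graph[op][p]}" if p in graph[op] else f"{p} <- generated"
                            for p in spec[op]["consumes"])
        suffix = f" ({sources})" if sources else ""
        lines.append(f"{op}: {spec[op]['method']} {spec[op]['path']}{suffix}")
    return lines


if __name__ == "__main__":
    for line in describe(SPEC, call_order(SPEC, "addComment")):
        print(line)
```

Running it plans `createProject`, then `createIssue`, then `addComment`, with `listProjects` skipped because the POST producer is preferred; `getUser` reports `userId` as unresolved. The same walk applies to a GraphQL schema once mutations and queries are mapped onto the same consumes/produces shape.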