AI-Agent based method for hidden RESTful API discovery and vulnerability detection

doi:10.11772/j.issn.1001-9081.2025070909

Journal of Computer Applications ›› 2026, Vol. 46 ›› Issue (1): 135-143.DOI: 10.11772/j.issn.1001-9081.2025070909

• Cyber security • Previous Articles Next Articles

AI-Agent based method for hidden RESTful API discovery and vulnerability detection

Yi LIN¹, Bing XIA¹(), Yong WANG², Shunda MENG¹, Juchong LIU², Shuqin ZHANG³

^1.School of Cyberspace Security，Zhongyuan University of Technology，Zhengzhou Henan 450007，China
^2.Zhengzhou Aiwen Technology Company Limited，Zhengzhou Henan 450002，China
^3.School of Computer Science，Zhongyuan University of Technology，Zhengzhou Henan 450007，China

Received:2025-08-11 Revised:2025-09-11 Accepted:2025-09-12 Online:2026-01-10 Published:2026-01-10
Contact: Bing XIA
About author:LIN Yi， born in 2000， M. S. candidate. His research interests include network security.
WANG Yong， born in 1981， Ph. D. His research interests include Internet measurement and analysis， cybersecurity， machine learning.
MENG Shunda， born in 1995， M. S. candidate. His research interests include binary security.
LIU Juchong， born in 1987， M. S. His research interests include big data governance.
ZHANG Shuqin， born in 1978， Ph. D.， professor. His research interests include internet of things， data mining， network attack and defense， wireless networks.
Supported by:
Program of Hong Kong Theme-based Research Scheme(T41-603/20R);Henan Provincial Science and Technology Research Project(252102210217);Henan Provincial Key Research and Development Program(251111212000)

基于AI智能体的隐藏RESTful API识别与漏洞检测方法

林怡¹, 夏冰¹(), 王永², 孟顺达¹, 刘居宠², 张书钦³

^1.中原工学院网络空间安全学院，郑州 450007
^2.郑州埃文科技有限公司，郑州 450002
^3.中原工学院计算机学院，郑州 450007

通讯作者: 夏冰
作者简介:林怡（2000—），男，福建漳州人，硕士研究生，主要研究方向：网络安全
王永（1981—），男，河南商丘人，博士，主要研究方向：互联网测量与分析、网络安全、机器学习
孟顺达（1995—），男，河南商丘人，硕士研究生，主要研究方向：二进制安全
刘居宠（1987—），男，江西吉安人，硕士，主要研究方向：大数据治理
张书钦（1978—），男，河南禹州人，教授，博士，主要研究方向：物联网、数据挖掘、网络攻防、无线网络。
基金资助:
香港主题性研究计划项目(T41-603/20R);河南省科技攻关项目(252102210217);河南省重点研发专项(251111212000)

Abstract

Abstract:

The popularity of RESTful APIs within modern Web services makes API security a critical concern gradually. The mainstream tools for API discovery and vulnerability detection have effect limitations in discovering hidden or undocumented APIs due to relying on API documents or public paths for scanning， and have high false positive rates in complex or dynamic API environments. Addressing these challenges， A2A （Agent to API vulnerability detection）， an Agent system for hidden API discovery and vulnerability detection was proposed through agents communicating seamlessly via a Model Context Protocol （MCP）， so as to realize full-process automation from hidden API discovery to vulnerability detection. In A2A， adaptive enumeration and HTTP response analysis were employed to discover potential hidden API endpoints automatically， and a service-specific API fingerprint library was combined to confirm and discover hidden APIs， On API vulnerability detection， Large Language Model （LLM） and Retrieval-Augmented Generation （RAG） techniques were integrated by A2A， and high-quality test cases were generated automatically through a feedback iterative optimization mechanism， so as to verify whether the vulnerability exists. Experimental evaluation results indicate that A2A has the average API discovery rate of 91.9%， with an false discovery rate of 7.8%， and discover multiple hidden API vulnerabilities previously undetected by NAUTILUS and RESTler successfully.

Key words: RESTful API, vulnerability detection, Large Language Model (LLM), Retrieval-Augmented Generation (RAG), AI-Agent

摘要：

伴随RESTful API在现代Web服务中的普及，安全问题日益凸显。而现有的主流API识别与漏洞检测工具依赖API文档或公开路径进行扫描，在识别隐藏API或无文档API时效果有限，在复杂或动态API环境下漏洞误报率高。针对这些挑战，基于上下文协议（MCP）无缝通信智能体，提出一种隐藏API发现和漏洞检测的智能体系统A2A （Agent to API vulnerability detection）来实现从API发现到漏洞检测的全流程自动化。A2A通过自适应枚举和HTTP响应分析自动识别潜在的隐藏API端点，并结合服务特定的API指纹库进行隐藏API的确认和发现。A2A在API漏洞检测上则是结合大语言模型（LLM）与检索增强生成（RAG）技术，并通过反馈迭代优化策略，自动生成高质量测试用例以验证漏洞是否存在。实验评估结果表明，A2A的平均API发现率为91.9%，假发现率为7.8%，并成功发现NAUTILUS和RESTler未能检测到的多个隐藏API漏洞。

关键词: RESTful API, 漏洞检测, 大语言模型, 检索增强生成, AI智能体

CLC Number:

TP301

Yi LIN, Bing XIA, Yong WANG, Shunda MENG, Juchong LIU, Shuqin ZHANG. AI-Agent based method for hidden RESTful API discovery and vulnerability detection[J]. Journal of Computer Applications, 2026, 46(1): 135-143.

林怡, 夏冰, 王永, 孟顺达, 刘居宠, 张书钦. 基于AI智能体的隐藏RESTful API识别与漏洞检测方法[J]. 《计算机应用》唯一官方网站, 2026, 46(1): 135-143.

Figures/Tables 11

References 28

[1]	CLARK M J， RAJABION L. A strategic approach to IoT security by working towards a secure IoT future ［J］. International Journal of Hyperconnectivity and the Internet of Things， 2023， 7（1）： 1-18.
[2]	张毅.基于约束的RESTful API模糊测试框架研究［D］.成都：电子科技大学， 2024.
	ZHANG Y. Constraint-based RESTful API fuzz testing framework research ［D］. Chengdu： University of Electronic Science and Technology of China， 2024.
[3]	FU Y， LIANG P， TAHIR A， et al. Security weaknesses of Copilot-generated code in GitHub projects： an empirical study ［J］. ACM Transactions on Software Engineering and Methodology， 2025， 34（8）： No.218.
[4]	BASAK S K， PARDESHI T， REAVES B， et al. RiskHarvester： a risk-based tool to prioritize secret removal efforts in software artifacts ［EB/OL］. ［2025-03-20］. .
[5]	刘涛. RESTful与GraphQL API模糊测试技术研究［D］.杭州：杭州电子科技大学， 2024.
	LIU T. Research on RESTful and GraphQL API fuzz testing technology ［D］. Hangzhou： Hangzhou Dianzi University， 2024.
[6]	FOLEY M， MAFFEIS S. APIRL： deep reinforcement learning for REST API fuzzing ［C］// Proceedings of the 39th AAAI Conference on Artificial Intelligence. Palo Alto： AAAI Press， 2025： 191-199.
[7]	KIM M， SINHA S， ORSO A. LlamaRestTest： effective REST API testing with small language models ［J］. Proceedings of the ACM on Software Engineering， 2025， 2（FSE）： 465-488.
[8]	DENG G， ZHANG Z， LI Y， et al. NAUTILUS： automated RESTful API vulnerability detection ［C］// Proceedings of the 32nd USENIX Conference on Security Symposium. Berkeley： USENIX Association， 2023： 5594-5609.
[9]	DU W， LI J， WANG Y， et al. Vulnerability-oriented testing for RESTful APIs ［C］// Proceedings of the 33rd USENIX Security Symposium. Berkeley： USENIX Association， 2024： 739-755.
[10]	NOOYENS R， BARDAKCI T， BEYAZIT M， et al. Test amplification for REST APIs via single and multi-agent LLM systems ［EB/OL］. ［2025-06-05］. .
[11]	WEYSSOW M， YANG C， CHEN J， et al. R2 Vul： learning to reason about software vulnerabilities with reinforcement learning and structured reasoning distillation ［EB/OL］. ［2025-04-28］. .
[12]	ROBRE， NOBLE N， BASULI S. ScriptHunter： tool to find JavaScript files on websites ［EB/OL］. ［2025-03-10］. .
[13]	COSGROVE J， ZEJNILOVIC S. Introducing Cloudflare's 2024 API security and management report ［EB/OL］. ［2025-03-05］. .
[14]	ATLIDAKIS V， GODEFROID P， POLISHCHUK M. RESTler： stateful REST API fuzzing ［C］// Proceedings of the IEEE/ACM 41st International Conference on Software Engineering. Piscataway： IEEE， 2019： 748-758.
[15]	CHAROENWET W， THONGTANUNAM P， PHAM V T， et al. An empirical study of static analysis tools for secure code review ［C］// Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis. New York： ACM， 2016： 691-703.
[16]	ZHANG M， ARCURI A. Open problems in fuzzing RESTful APIs： a comparison of tools ［J］. ACM Transactions on Software Engineering and Methodology， 2023， 32（6）： No.144.
[17]	ARCURI A. RESTful API automated test case generation with EvoMaster ［J］. ACM Transactions on Software Engineering and Methodology， 2019， 28（1）： No.3.
[18]	DHARMAADI I P A， ATHANASOPOULOS E， TURKMEN F. Fuzzing frameworks for server-side web applications： a survey ［J］. International Journal of Information Security， 2025， 24： No.73.
[19]	YANG R， LAU W C， CHEN J， et al. Vetting single sign-on SDK implementations via symbolic reasoning ［C］// Proceedings of the 27th USENIX Security Symposium. Berkeley： USENIX Association， 2018： 1459-1474.
[20]	REN X， YE X， XING Z， et al. API-misuse detection driven by fine-grained API-constraint knowledge graph ［C］// Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering. New York： ACM， 2020： 461-472.
[21]	PEARCE H， TAN B， AHMAD B， et al. Examining zero-shot vulnerability repair with large language models ［C］// Proceedings of the 2023 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2023： 2339-2356.
[22]	MA X， LUO L， ZENG Q. From one thousand pages of specification to unveiling hidden bugs： large language model assisted fuzzing of Matter IoT devices ［C］// Proceedings of the 33rd USENIX Security Symposium. Berkeley： USENIX Association， 2024： 4783-4800.
[23]	LEWIS P， PEREZ E， PIKTUS A， et al. Retrieval-augmented generation for knowledge-intensive NLP tasks ［C］// Proceedings of the 34th International Conference on Neural Information Processing Systems. Red Hook： Curran Associates Inc.， 2020： 9459-9474.
[24]	RAHMAN M， PIRYANI K O， SANCHEZ A M， et al. Retrieval augmented generation for robust cyber defense： PNNL-36792 ［R/OL］. ［2025-03-05］. .
[25]	HUANG L， YU W， MA W， et al. A survey on hallucination in large language models： principles， taxonomy， challenges， and open questions ［J］. ACM Transactions on Information Systems， 2025， 43（3）： No.42.
[26]	SIDDIQ M L， SILVA SANTOS J C DA， TANVIR R H， et al. Using large language models to generate JUnit tests： an empirical study ［C］// Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering. New York： ACM， 2024： 313-322.
[27]	SOLTANI M， KHAJAVI K， SIAVOSHANI M J， et al. A multi-agent adaptive deep learning framework for online intrusion detection ［J］. Cybersecurity， 2024， 7： No.9.
[28]	REN S， JIN J， NIU G， et al. ARCS： adaptive reinforcement learning framework for automated cybersecurity incident response strategy optimization ［J］. Applied Sciences， 2025， 15（2）： No.951.

应用	总端点数	公开文档端点数	API 版本	主要功能领域
GitHub	358	320	v3	代码管理、问题跟踪、用户管理
GitLab	486	412	v4	项目管理、CI/CD、仓库操作
Appwrite	245	231	v1	用户认证、数据库、存储、函数
OWASP	173	125	—	安全测试、漏洞演示

应用	总端点数	公开文档端点数	API 版本	主要功能领域
GitHub	358	320	v3	代码管理、问题跟踪、用户管理
GitLab	486	412	v4	项目管理、CI/CD、仓库操作
Appwrite	245	231	v1	用户认证、数据库、存储、函数
OWASP	173	125	—	安全测试、漏洞演示

工具	GitHub	GitLab	Appwrite	OWASP	平均值
A2A	93.5	89.7	91.8	92.5	91.9
ZAP	78.2	72.1	79.8	76.3	76.6
Burp Suite Professional	84.1	79.5	83.6	83.7	82.7

工具	GitHub	GitLab	Appwrite	OWASP	平均值
A2A	93.5	89.7	91.8	92.5	91.9
ZAP	78.2	72.1	79.8	76.3	76.6
Burp Suite Professional	84.1	79.5	83.6	83.7	82.7

应用	漏洞类型	多端点	A2A	A2A （无RAG）	VOAPI	MoREST	Restler	ZAP
Github	单端点SQL注入	×	√	√	√	√	√	√
	多端点SQL注入	√	√	×	√	×	×	×
	反射型XSS	√	√	√	√	×	×	×
	目录遍历	×	√	√	√	×	×	×
	SSRF	×	√	√	√	√	×	×
Gitlab	SSRF	√	√	√	√	×	×	√
	多端点SQL注入	√	√	√	×	×	×	√
	单端点SQL注入	×	√	×	√	√	√	√
Appwrite	目录遍历	×	√	√	√	×	×	×
	越权访问	×	√	√	√	√	√	√
	远程命令执行	√	√	√	×	×	×	×
	单端点SQL注入	×	√	√	√	√	√	√
OWASP	目录遍历	×	√	√	√	×	×	√
	文件上传	√	√	√	√	×	×	×
	单端点SQL注入	×	√	√	√	√	√	√
	远程命令执行	√	√	√	√	√	×	×
Kubernetes	越权访问	×	√	√	×	×	×	×
Kubernetes	远程命令执行	√	√	×	×	×	×	×

AI-Agent based method for hidden RESTful API discovery and vulnerability detection

基于AI智能体的隐藏RESTful API识别与漏洞检测方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 28

Related Articles 15

Recommended Articles

Metrics

工具	总告警数	真阳性	假阳性	假发现率/%	精确率/%	召回率/%	F1分数/%
A2A （带RAG）	283	261	22	7.8	92.2（261/283）	86.1 （261/303）	89.0
A2A （无RAG）	305	236	69	22.6	77.4（236/305）	77.9 （236/303）	77.6
RESTler	346	207	139	40.2	59.8（207/346）	68.3 （207/303）	63.8
MoREST	325	215	110	33.8	66.2（215/325）	71.0 （215/303）	68.5
VOAPI	352	218	134	38.1	61.9（218/352）	71.9 （218/303）	66.5
ZAP	374	212	162	43.3	56.7（212/374）	69.9 （212/303）	62.6

工具	API文档语种					平均
工具	中文	日文	阿拉伯文	俄文	希伯来文	平均
A2A	92.3	88.7	87.5	90.2	85.4	88.8
RESTler	52.8	48.3	45.2	50.7	42.1	47.8
MoREST	58.4	53.7	49.5	55.8	47.3	52.9
VOAPI	61.2	57.5	52.8	58.3	51.7	56.3
ZAP	57.9	54.2	48.6	53.5	46.8	52.2

[1]	Xinran XIE, Zhe CUI, Rui CHEN, Tailai PENG, Dekun LIN. Zero-shot re-ranking method by large language model with hierarchical filtering and label semantic extension [J]. Journal of Computer Applications, 2026, 46(1): 60-68.
[2]	Binbin ZHANG, Yongbin QIN, Ruizhang HUANG, Yanping CHEN. Judgment document summarization method combining large language model and dynamic prompts [J]. Journal of Computer Applications, 2025, 45(9): 2783-2789.
[3]	Tao FENG, Chen LIU. Dual-stage prompt tuning method for automated preference alignment [J]. Journal of Computer Applications, 2025, 45(8): 2442-2447.
[4]	Chen LIANG, Yisen WANG, Qiang WEI, Jiang DU. Source code vulnerability detection method based on Transformer-GCN [J]. Journal of Computer Applications, 2025, 45(7): 2296-2303.
[5]	Yiheng SUN, Maofu LIU. Tender information extraction method based on prompt tuning of knowledge [J]. Journal of Computer Applications, 2025, 45(4): 1169-1176.
[6]	Jing HE, Yang SHEN, Runfeng XIE. Recognition and optimization of hallucination phenomena in large language models [J]. Journal of Computer Applications, 2025, 45(3): 709-714.
[7]	Peng CAO, Guangqi WEN, Jinzhu YANG, Gang CHEN, Xinyi LIU, Xuechun JI. Efficient fine-tuning method of large language models for test case generation [J]. Journal of Computer Applications, 2025, 45(3): 725-731.
[8]	Yanping ZHANG, Meifang CHEN, Changhai TIAN, Zibo YI, Wenpeng HU, Wei LUO, Zhunchen LUO. Multi-strategy retrieval-augmented generation method for military domain knowledge question answering systems [J]. Journal of Computer Applications, 2025, 45(3): 746-754.
[9]	Xiaolin QIN, Xu GU, Dicheng LI, Haiwen XU. Survey and prospect of large language models [J]. Journal of Computer Applications, 2025, 45(3): 685-696.
[10]	Chengzhe YUAN, Guohua CHEN, Dingding LI, Yuan ZHU, Ronghua LIN, Hao ZHONG, Yong TANG. ScholatGPT： a large language model for academic social networks and its intelligent applications [J]. Journal of Computer Applications, 2025, 45(3): 755-764.
[11]	Yuemei XU, Yuqi YE, Xueyi HE. Bias challenges of large language models： identification， evaluation， and mitigation [J]. Journal of Computer Applications, 2025, 45(3): 697-708.
[12]	Yan YANG, Feng YE, Dong XU, Xuejie ZHANG, Jin XU. Construction of digital twin water conservancy knowledge graph integrating large language model and prompt learning [J]. Journal of Computer Applications, 2025, 45(3): 785-793.
[13]	Xuefei ZHANG, Liping ZHANG, Sheng YAN, Min HOU, Yubo ZHAO. Personalized learning recommendation in collaboration of knowledge graph and large language model [J]. Journal of Computer Applications, 2025, 45(3): 773-784.
[14]	Chenwei SUN, Junli HOU, Xianggen LIU, Jiancheng LYU. Large language model prompt generation method for engineering drawing understanding [J]. Journal of Computer Applications, 2025, 45(3): 801-807.
[15]	Yanmin DONG, Jiajia LIN, Zheng ZHANG, Cheng CHENG, Jinze WU, Shijin WANG, Zhenya HUANG, Qi LIU, Enhong CHEN. Design and practice of intelligent tutoring algorithm based on personalized student capability perception [J]. Journal of Computer Applications, 2025, 45(3): 765-772.