๐
19 February 2026
DOI: 10.35671/telematika.v19i1.3149
Performance Analysis of the Fuzzing Method in Detecting API Vulnerabilities in Mobile Healthcare Application X Based on OWASP API Security Top 10
Telematika
Universitas Amikom Purwokerto
๐ Abstract
Traditional perimeter security measures, such as Web Application Firewalls (WAFs) and static analysis, often fail to detect logic-based vulnerabilities in healthcare Application Programming Interfaces (APIs), creating significant risks for patient data confidentiality. Addressing the scarcity of empirical performance evaluations in this domain, this study employs a grey-box controlled experimental design to assess the effectiveness of automated HTTP fuzzing against a production-grade mobile health application ("Application X"). Using the FFUF tool configured with sequential identifier injection, status-code filtering, and hidden-field probing, the experiment tested 33 endpoints against the OWASP API Security Top 10 2023 benchmarks. To ensure data reliability, a rigorous multi-step validation protocol including replay testing and environmental noise elimination was applied to filter false positives. The results identified 88 distinct vulnerabilities distributed across six categories, with a critical dominance of Security Misconfiguration (API8) and Broken Object Property Level Authorization (API3). Analytically, the high prevalence of API3 reveals a systemic failure in backend serialization, where sensitive fieldsย including password hashes and internal administrative flags were exposed due to the absence of Data Transfer Objects (DTOs), contradicting the assumption of secure client-side filtering. Limitations of this study include the restriction to a single patient-role perspective and the exclusion of third-party integrations. The study concludes that automated fuzzing is superior to static analysis in detecting runtime data leakage and recommends mandatory Server-Side Output Filtering through explicit DTOs as a critical standard for secure health API development and data privacy compliance.
๐ Keywords
#API Security; Excessive Data Exposure; Fuzzing; Healthcare Application; OWASP Top 10
โน๏ธ Informasi Publikasi
Tanggal Publikasi
19 February 2026
Volume / Nomor / Tahun
Volume 19, Nomor 1, Tahun 2026
๐ HOW TO CITE
Hakim, Muhammad Ikhwanul; Nugroho, Radityo Adi; Nugrahadi, Dodon Turianto; Herteno, Rudy; Saputro, Setyo Wahyu; , "Performance Analysis of the Fuzzing Method in Detecting API Vulnerabilities in Mobile Healthcare Application X Based on OWASP API Security Top 10," Telematika, vol. 19, no. 1, Feb. 2026.
ACM
ACS
APA
ABNT
Chicago
Harvard
IEEE
MLA
Turabian
Vancouver
Download Citation
0
Sitasi
Cek Google Scholar