The Hidden Risk of Auto-generated OpenAPI Specifications: An Analysis of WordPress Plugins and Lightweight Specification Correction
摘要
OpenAPI specifications (OAS) underpin automated API security testing, yet the correctness of auto-generated OAS documents in real-world systems remains largely unexamined. In this paper, we conduct the first systematic study of OAS accuracy in WordPress, evaluating WP OpenAPI across 20 widely used plugins. We find that generated specifications exhibit severe behavioral inaccuracies—only 25% correctness—stemming from WordPress’s dynamic, runtime-dependent API behavior. These inaccuracies directly impair security testing: OWASP ZAP misses several vulnerabilities, including unauthenticated media enumeration, when guided by incorrect specifications. To address this issue, we introduce a lightweight validation pipeline that uses runtime observations (via Playwright) to largely automate the repair of inaccurate OAS fields. Corrected specifications improve vulnerability detection by 44% and reduce conformance errors by 92.9%. Our results reveal a previously overlooked threat: inaccurate auto-generated API specifications undermine automated security analysis, and validating them is essential for reliable API security testing.