RESTful Web Services: Pentesting

The document discusses RESTful web services and testing them. It begins by defining REST and describing the architectural constraints of RESTful systems like using a uniform interface, being stateless, and having layered systems. It then discusses common REST components like resources addressed by URLs, HTTP verbs like GET and POST, media types, and status codes. The document outlines some problems with testing RESTful web services and proposes a methodology involving authentication, session management, authorization, input validation, output encoding, and cryptography. It recommends tools like cURL and browser add-ons to test services and provides examples of using cURL.


RESTful Web Services Pentesting
MOHAMMED A. IMRAN
Hello

MOHAMMED A. IMRAN

Application Security Engineer, CA Inc
Null Hyderabad Lead
OWASP Hyderabad Board Member

@MohammedAImran



LET'S TALK ABOUT ...

WHAT IS RESTful WEB SERVICES?
PROBLEMS WITH REST WS TESTING
METHODOLOGY TO TEST RESTful WS
TOOLS & TECHNIQUES


DID YOU KNOW ?

THE UGLY TRUTH: SOAP Webservices VS RESTful Webservices (Google Trends)

They also rest on REST APIs
Why REST WebServices ?
Easy & Simple
GET /users/313/

VS
<?xml version="1.0"?>
<soap:Envelope
xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">

<soap:Body xmlns:m="http://www.mysite.com/users">
  <m:GetUserDetails>
    <m:UserID>313</m:UserID>
  </m:GetUserDetails>
</soap:Body>

</soap:Envelope>
Light weight

{
"login": "MohammedAImran",
"type": "User",
"site_admin": false,
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "[email protected]"
}

VS

<soap:Body xmlns:m="http://www.mysite.com/users">
  <m:GetUserDetailsResponse>
    <m:UserName>MohammedAImran</m:UserName>
    <m:Type>user</m:Type>
    <m:SiteAdmin>false</m:SiteAdmin>
    <m:UserName>Mohammed A.Imran</m:UserName>
    <m:Company>CA Inc</m:Company>
    <m:Email>[email protected]</m:Email>
  </m:GetUserDetailsResponse>
</soap:Body>

Note: REST can also use XML as media type


Many more reasons to use ...

Easy to understand & document

Easy on limited bandwidth

READS can be cached and hence reduces the bandwidth

Better browser support since data format mostly is json

Can be used by mobile devices

Loosely coupled
But what is REST ?
“ Representational state transfer (REST) is an
architectural style consisting of a coordinated
set of constraints applied to components,
connectors, and data elements, within a
distributed hypermedia system.
What ? Let me explain ...
REST is an architectural style with some imposed constraints
in how data is accessed and represented while developing web
services or applications. It uses HTTP 1.1 as inspiration.
In simple terms

REST = RFC 2616


Well, almost
In simple terms ...

REST = HTTP Protocol


with constraints
Architecture constraints

Uniform interface

Client-server

Stateless

Cache-able

Layered system

Code on demand (optional)
REST Style consists of ...

Resources VERBS Media Types Status Codes


REST Style consists of ...

Resource URLs VERBS Media Types Status Codes


RESOURCES are NOUNS

Collection resources: Site.com/users
Instance resources: Site.com/users/1
REST Style consists of ...

Resources VERBS Media Types Status Codes


VERBS: POST, GET (READ), PUT, DELETE
POST = CREATE *

Create a new resource

* POST can be used for both create and update


POST http://mysite.com/users/

{
"login": "MohammedAImran",
"id": "313",
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "[email protected]"
}
GET = READ
Fetch some resource
GET site.com/users/
{ "users": [
{
"login": "MohammedAImran",
"id": "313",
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "[email protected]"},
{
"login": "Raghunath",
"id": "311",
"name": " G Raghunath",
"company": "X Inc",
"email": "[email protected]"}]
}
GET site.com/users/313

{
"login": "MohammedAImran",
"id": "313",
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "[email protected]"
}
PUT = UPDATE/MODIFY *

Update some resource

* PUT can be used for both create and update


DELETE = DELETE
Delete a resource
REST Style consists of ...

Resources VERBS Media Types Status Codes


HATEOAS

Hypermedia As The Engine Of Application State


Specifications + Parsing Rules = Media Types

Media Type Examples
application/json
application/xml
application/imrans+json;v1
REST Style consists of ...

Resources VERBS Media Types Status Codes


Status Codes
200 OK                      400 Bad Request
201 Created                 401 Unauthorized
204 No Content              403 Forbidden
304 Not Modified            404 Not Found
500 Internal Server Error   405 Method Not Allowed
501 Not Implemented         409 Conflict
RESTful WS testing problems
Difficulty in doing REST PT

Many JSON variables to fuzz and difficult to find which ones
are optional and to be fuzzed

Custom authentication

Statelessness

Uncommon HTTP status codes, which tools are not used to handling
Difficulty in doing REST PT ...

Not so good automated tool support

Every API is different from the others and hence needs custom
tweaking of tools

Heavy reliance on Ajax frameworks for creating PUT and
DELETE requests as most browsers don’t support them
REST WS testing Methodology
Authentication
Bad practices
http://site.com/token/a3b3c2be5f53c8/
https://site.com/token/a3b3c2be5f53c8/
Authentication ...

REST APIs rely heavily on SSL

Often basic authentication is coupled with SSL ( Bruteforce ? )

Often custom token authentication schemes are built and used
( a sure recipe for disaster)

Never pass username/password, tokens, keys in URL
(use POST instead )

Implementing authentication tokens in headers takes away the headache of
having a CSRF token
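A defender-side check for the bad practice shown above (a token or password carried in the URL, whether over http or https): this is an added example, not code from the slides. It scans constructed access-log lines and reports every URL that carries credential material in its path or query string. The parameter-name list, the simplified "METHOD URL STATUS" log format and the site.example host are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that commonly carry credentials (assumed list).
SECRET_PARAMS = {"token", "access_token", "api_key", "apikey", "key",
                 "password", "passwd", "secret", "session"}
# Path segments that label an embedded token, as in /token/a3b3c2be5f53c8/.
PATH_TOKEN_LABEL = re.compile(r"^(token|key|session)$", re.IGNORECASE)


def find_secrets_in_url(url):
    """Return (location, name, value) triples for credential material in a URL."""
    parts = urlsplit(url)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            findings.append(("query", name, value))
    segments = [s for s in parts.path.split("/") if s]
    for label, value in zip(segments, segments[1:]):
        if PATH_TOKEN_LABEL.match(label):
            findings.append(("path", label, value))
    return findings


def audit_access_log(lines):
    """Scan 'METHOD URL STATUS' lines and list the requests that leak secrets.
    https:// is flagged as well as http://: TLS hides the URL on the wire,
    but not in server logs, proxies, browser history or Referer headers."""
    report = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip it rather than abort the audit
        method, url = fields[0], fields[1]
        findings = find_secrets_in_url(url)
        if findings:
            report.append({"method": method, "url": url,
                           "scheme": urlsplit(url).scheme, "findings": findings})
    return report


# Constructed sample log lines (simplified format), not real traffic.
SAMPLE_LOG = [
    "GET https://site.example/token/a3b3c2be5f53c8/ 200",
    "GET http://site.example/token/a3b3c2be5f53c8/ 200",
    "POST https://site.example/login?username=imran&password=Imran 200",
    "GET https://site.example/users/313 200",
    "DELETE https://site.example/users/311 403",
]

if __name__ == "__main__":
    for entry in audit_access_log(SAMPLE_LOG):
        print(entry["method"], entry["url"], "->", entry["findings"])
```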
Session Management

Check all session based attacks on tokens as well

Session timeout

Session brute force

Generally tokens are stored in the browser's local storage;
make sure you delete the token after log-out and upon
browser window close

Invalidate the token at the server side upon logout
Authorization

Privilege escalation (Horizontal and Vertical)

Make sure there is a tight access control on DELETE, PUT methods

Use role based authentication

Since the consumers of REST APIs are usually machines, there are
often no checks on whether the service is being used heavily, which
can lead to DoS or brute force.

Protect administrative functionality
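The session-management and authorization points above (session timeout, server-side invalidation on logout, lock-out against token brute force, tight control of PUT/DELETE, and the horizontal-escalation check on /users/<id>) as one worked example. This is added code, not from the slides; the TTL, the lock-out threshold, the role names and the policy "an owner may PUT its own record, only admin may DELETE" are assumptions.

```python
import secrets
import time

TOKEN_TTL = 900          # idle timeout in seconds (assumed policy value)
MAX_FAILURES = 5         # unknown-token attempts per client IP before lock-out


class TokenService:
    """Server-side token store: the server, not only the client, knows the token."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._tokens = {}      # token -> {"user": id, "role": str, "expires": t}
        self._failures = {}    # client ip -> count of unknown-token attempts

    def issue(self, user_id, role):
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._tokens[token] = {"user": user_id, "role": role,
                               "expires": self._now() + TOKEN_TTL}
        return token

    def validate(self, token, client_ip):
        """Return the session for a token sent in the Authorization header, or None."""
        if self._failures.get(client_ip, 0) >= MAX_FAILURES:
            return None                      # locked out: token brute force
        session = self._tokens.get(token)
        if session is None:
            self._failures[client_ip] = self._failures.get(client_ip, 0) + 1
            return None
        if session["expires"] <= self._now():
            del self._tokens[token]          # session timeout
            return None
        session["expires"] = self._now() + TOKEN_TTL   # sliding idle timeout
        return session

    def logout(self, token):
        self._tokens.pop(token, None)        # invalidated server side, not just in the browser


def authorize(session, method, path):
    """Role check on state-changing verbs plus an owner check on /users/<id>."""
    if session is None:
        return False
    if method in ("GET", "HEAD"):
        return True
    if session["role"] == "admin":
        return True
    segments = [s for s in path.split("/") if s]
    if method == "PUT" and len(segments) == 2 and segments[0] == "users":
        return segments[1] == session["user"]   # blocks horizontal escalation
    return False                                # DELETE and the rest: admin only
```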
CVE-2010-0738
JBOSS JMX Console Vulnerability
NOTE
All attacks which are possible on any web application are possible with
REST APIs as well.
Input Validation

SQL Injection

XSS

Command Injection

XPATH Injection
However, XSS becomes difficult to fuzz because of JSON, and you
might want to scan with SQL injection and XSS profiles separately
Output encoding

If your application has a web interface, then you might want to use
the following headers:
– X-Content-Type-Options: nosniff
– X-Frame-Options: DENY/SAMEORIGIN/ALLOW-FROM

JSON Encoding
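JSON encoding for a response that a browser front end will embed in HTML, as an added example that is not from the slides: json.dumps escapes quotes and control characters but leaves "<", ">" and "&" alone, so a value containing "</script>" can close an inline script block. The extra \uXXXX escapes remove those characters while keeping the body valid JSON. The helper names are mine, and DENY is picked from the three X-Frame-Options values listed above.

```python
import json

# JSON-legal escapes for characters that matter once the JSON text sits
# inside an HTML document (inline <script>, <template>, data attributes).
_HTML_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def encode_json_for_html(obj):
    """Serialise obj as JSON whose text cannot open or close HTML tags.
    ensure_ascii=True already turns non-ASCII (including the U+2028/2029
    line terminators) into \\uXXXX; the table handles the ASCII leftovers."""
    text = json.dumps(obj, ensure_ascii=True)
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in text)


def api_response(payload, web_ui=False):
    """Headers plus body for a JSON API response.
    The two X- headers from the slides are added when the API also backs
    a browser interface; they are harmless for machine clients too."""
    headers = {"Content-Type": "application/json; charset=utf-8"}
    if web_ui:
        headers["X-Content-Type-Options"] = "nosniff"   # no sniffing of JSON as HTML
        headers["X-Frame-Options"] = "DENY"             # not embeddable in a frame
    return headers, encode_json_for_html(payload)


def decode(body):
    """Parse a body produced by encode_json_for_html: plain JSON parsing suffices."""
    return json.loads(body)


# Constructed record: a display name carrying markup, as a tester might submit.
SAMPLE_USER = {"login": "MohammedAImran", "id": "313",
               "name": "Mohammed </script><b>Imran</b>"}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_USER))              # contains </script> verbatim
    print(encode_json_for_html(SAMPLE_USER))    # \u003c/script\u003e instead
```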
Cryptography

Use TLS with good key size (384 bits preferably)

Use client-side certificates where possible; however, they are not usually
seen for APIs

Use strong hashing algorithms (scrypt/bcrypt/SHA512)

Use strong encryption mechanisms (AES)
Few notes ...

Use proxy to determine the attack surface and to understand
the application

Identify URLs, Resources, status codes and data needed

Every part of the HTTP protocol is a potential fuzzing target in
RESTful APIs (don't forget headers)

WAF evasion is possible since JSON is not well understood by
WAFs
Tools & Techniques
Command-line-Fu
cURL Primer
cURL
-b or --cookie "COOKIE HERE"
-H or --header "Authorization: Custom SW1yYW5XYXNIZXJlCg=="   (capital H; lowercase -h prints cURL's help)
-X or --request PUT/POST/DELETE
-i or --include   // include response headers
-d or --data "username=imran&password=Imran" or --data @file-containing-data
-x or --proxy 127.0.0.1:8080
-A or --user-agent "Firefox 27.0"
cURL Primer ...

cURL is great for automation if you know how the service works.

cURL libraries are available for the majority of languages, like PHP, Python
and many more...

You can perform complex operations and script them pretty fast.
cURL Examples
#!/bin/bash
# Fetch each user resource through the intercepting proxy, sending the
# custom Authorization header and printing response headers (-i).
users="Imran Jaya Raghu Vinayak"
for dirName in $users
do
  curl -i -H "Authorization: Custom SW1yYW5XYXNIZXJlCg==" \
    "http://www.mysite.com/users/$dirName" --proxy 127.0.0.1:8080
done
Graphical Tools
Firefox Add-on
Firefox Add-on ...

If you need a graphical interface, browser add-ons provide a GUI; however, they are not
as powerful as the cURL command.

Specialized developer tools ( SOAP UI ) can also be used for testing.
Automated Tools
AppScan Scan

http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html
Thank you !

Want to discuss more ?


Catch me on
www.twitter.com/MohammedAImran
www.linkedin.com/in/MohammedAImran
Credits
* All icons are taken from The Noun project, credit goes to
respective artists
* OWASP Cheat sheet series
References
http://www.slideshare.net/SOURCEConference/security-testing-for-rest-applications-ofer-shezaf-source-barcelona-nov-2011

https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

http://securityreliks.wordpress.com/2010/07/28/testing-restful-services-with-appscan/

http://www-01.ibm.com/support/docview.wss?uid=swg21412832

http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html
