RESTful Web Services: Pentesting
Mohammed A. Imran
Hello
MOHAMMED A. IMRAN
Application Security Engineer, CA Inc
Null Hyderabad Lead
OWASP Hyderabad Board Member
@MohammedAImran
Google Trends
They also rest on REST APIs
Why REST web services?
Easy & Simple
GET /users/313/
VS
<?xml version="1.0"?>
<soap:Envelope
xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
<soap:Body xmlns:m="http://www.mysite.com/users">
<m:GetUserDetails>
<m:UserID>313</m:UserID>
</m:GetUserDetails>
</soap:Body>
</soap:Envelope>
Lightweight
{
"login": "MohammedAImran",
"type": "User",
"site_admin": false,
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "[email protected]"
}
VS
<soap:Body xmlns:m="http://www.mysite.com/users">
<m:GetUserDetailsResponse>
<m:UserName>MohammedAImran</m:UserName>
<m:Type>user</m:Type>
<m:SiteAdmin>false</m:SiteAdmin>
<m:UserName>Mohammed A.Imran</m:UserName>
<m:Company>CA Inc</m:Company>
REST Style consists of ...
RESOURCES (NOUN)
Site.com/users
Site.com/users/1
{
"login": "MohammedAImran",
"id": "313",
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "[email protected]"
}
GET = READ
Fetch some resource
GET site.com/users/
{
"users": [
{
"login": "MohammedAImran",
"id": "313",
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "[email protected]"
},
{
"login": "Raghunath",
"id": "311",
"name": "G Raghunath",
"company": "X Inc",
"email": "[email protected]"
}
]
}
GET site.com/users/313
{
"login": "MohammedAImran",
"id": "313",
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "[email protected]"
}
PUT = UPDATE/MODIFY
* http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html
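As an added example (not from the deck), a minimal Python dispatcher for the /users resource shown above: GET reads the collection or one item, PUT modifies one item, and any other verb is refused. The user records, the WRITABLE allow-list and the handle() function are constructed for illustration; the allow-list is what keeps a server-controlled field such as site_admin out of reach of a PUT body.

```python
import json
from http import HTTPStatus

# Constructed sample data mirroring the deck's /users responses.
USERS = {
    "313": {"login": "MohammedAImran", "id": "313", "name": "Mohammed A. Imran",
            "company": "CA Inc", "email": "[email protected]", "site_admin": False},
    "311": {"login": "Raghunath", "id": "311", "name": "G Raghunath",
            "company": "X Inc", "email": "[email protected]", "site_admin": False},
}
# Fields a client may change with PUT; id, login and site_admin stay server-controlled.
WRITABLE = {"name", "company", "email"}


def handle(method, path, body=None):
    """Dispatch one request against the /users resource; returns (status, payload)."""
    parts = [p for p in path.split("/") if p]
    if not parts or parts[0] != "users" or len(parts) > 2:
        return HTTPStatus.NOT_FOUND, {"error": "unknown resource"}
    user_id = parts[1] if len(parts) == 2 else None

    if method == "GET":  # GET = READ: the collection or a single item
        if user_id is None:
            return HTTPStatus.OK, {"users": list(USERS.values())}
        user = USERS.get(user_id)
        if user is None:
            return HTTPStatus.NOT_FOUND, {"error": "no such user"}
        return HTTPStatus.OK, user

    if method == "PUT" and user_id is not None:  # PUT = UPDATE/MODIFY one item
        if user_id not in USERS:
            return HTTPStatus.NOT_FOUND, {"error": "no such user"}
        try:
            data = json.loads(body or "")
        except json.JSONDecodeError:
            return HTTPStatus.BAD_REQUEST, {"error": "body must be JSON"}
        # Reject any field outside the allow-list instead of silently copying it in.
        if not isinstance(data, dict) or not set(data) <= WRITABLE:
            return HTTPStatus.BAD_REQUEST, {"error": "unexpected field(s) in body"}
        USERS[user_id].update(data)
        return HTTPStatus.OK, USERS[user_id]

    return HTTPStatus.METHOD_NOT_ALLOWED, {"error": f"{method} not allowed on {path}"}
```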
AppScan Scan...
Thank you!
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
http://securityreliks.wordpress.com/2010/07/28/testing-restful-services-with-appscan/
http://www-01.ibm.com/support/docview.wss?uid=swg21412832
http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html