Hacking Rest API Beginner
A beginner’s guide
Lab preparations
• SecureStore - Virtual Machine with vulnerable APIs
• API Documentation
• VirtualBox
• Browser (Google Chrome, Firefox, etc)
• Postman
• Burp Suite Community Edition
• Ubuntu 18.04 Desktop Virtual Machine with Docker Installed
What is REST?
• REST (Representational State Transfer) is a software architecture style that can be followed when designing software systems.
• The principles related to REST were first described by Roy Fielding.
• https://www.ics.uci.edu/~fielding/pubs/dissertation/fielding_dissertation.pdf
• REST is not a protocol; it is an architectural style.
REST Fundamentals
• RESOURCES
• http://site.com/api/users/admin
• VERBS
• GET, POST, PUT, PATCH, DELETE
• MEDIA TYPES – Parsing rules
• application/json
• application/xml
• STATUS CODE
• 2XX, 3XX, 4XX, 5XX
REST Fundamentals
• Stateless
• The server holds no session state and does not track what the client is doing.
• Each request from any client contains all the information necessary to service the request; session state is held by the client.
REST API security testing approach
• Understanding the workflow.
• If request X returns a value in its response, you may need to supply that value in request Y.
• Get the documentation if any.
• Good to have working samples of requests & responses.
• Get the details of mandatory headers.
Traditional web vulnerabilities
• SQL Injection.
• Command Injection.
• XXE (XML External Entity injection) – if the server parses XML.
• Lack of Output Encoding.
• Insecure Direct Object References (IDOR), and the list goes on.
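An added example, not from the slides, tying two of the points above together: the stateless design (every request carries its own bearer token) and an Insecure Direct Object Reference on the resource GET /api/users/<username>, shown first vulnerable and then hardened. It is framework-free so it runs offline; the users, tokens and route are constructed sample data.

```python
"""Constructed REST-style handler for GET /api/users/<username> (added example)."""
from dataclasses import dataclass
from typing import Optional

# Stateless: the server keeps no login session. Each request must carry a
# bearer token, which is resolved to a username here. All data is constructed.
TOKENS = {"tok-alice": "alice", "tok-admin": "admin"}
USERS = {
    "alice": {"username": "alice", "email": "alice@example.test", "role": "user"},
    "bob": {"username": "bob", "email": "bob@example.test", "role": "user"},
    "admin": {"username": "admin", "email": "admin@example.test", "role": "admin"},
}

@dataclass
class Response:
    status: int
    body: dict

def authenticate(headers: dict) -> Optional[str]:
    """Identify the caller from this request's Authorization header only."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])

def get_user_vulnerable(path: str, headers: dict) -> Response:
    """IDOR: the caller is authenticated, but the object named in the path is
    never checked against the caller, so any valid token reads any user."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401, {"error": "unauthorized"})
    user = USERS.get(path.rsplit("/", 1)[-1])
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, user)

def get_user_hardened(path: str, headers: dict) -> Response:
    """Fixed: authorization is decided per object. A caller may read only
    their own record unless their role is admin. Other users' records get
    404 rather than 403 so the API does not confirm which usernames exist."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401, {"error": "unauthorized"})
    username = path.rsplit("/", 1)[-1]
    user = USERS.get(username)
    is_admin = USERS[caller]["role"] == "admin"
    if user is None or (username != caller and not is_admin):
        return Response(404, {"error": "not found"})
    return Response(200, user)
```

During testing, the tell-tale sign of the vulnerable variant is that a low-privilege token returns 200 for a resource path it should not own; the hardened variant returns 404 for the same request.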