Security Testing For RESTful Applications
Eyal Fingold & Ofer Shezaf, HP Enterprise Security Products

© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is
subject to change without notice. Confidentiality label goes here
Agenda

• What are RESTful services (REST)?
• Security Issues in REST
• Challenges in security testing for REST

What are RESTful services (REST)

Security Issues in REST

Challenges in security testing for REST

What is REST?

So What is REST?
Representational State Transfer (REST) is a style of software architecture for distributed systems such as the World Wide Web (but not just the Web).

Is:
• A style of software architecture
• Essentially how the Web has always worked

Is Not:
• A well-defined protocol
• A set of software libraries or frameworks

The Theory

Client/Server: Clients are separated from servers by a uniform interface.
Stateless: The client–server communication is further constrained by no client context being stored on the server between requests*.
Cacheable: Responses must therefore, implicitly or explicitly, define themselves as cacheable or not.
Layered: A client cannot ordinarily tell whether it is connected directly to the end server, or to an intermediary along the way.
Uniform: A uniform interface between clients and servers simplifies and decouples the architecture.
Code on demand (optional): Servers are able to temporarily extend or customize the functionality of a client by transferring logic to it that it can execute.

* The server can be stateful; this constraint merely requires that server-side state be addressable by URL as a resource.

So What are RESTful services?
A RESTful service is a simple web service implemented using HTTP and the principles of REST.

It is a collection of resources, with three defined aspects:

• The URI for the web service, such as http://example.com/resources/
• The Internet media type of the data supported by the web service. This is often JSON, XML or YAML but can be any other valid Internet media type.
• The set of operations supported by the web service using HTTP methods (e.g., POST, GET, PUT, DELETE, HEAD etc.).

It’s Up and Coming!
But what is it?

The Pitch for REST

We are tired of SOAP and WSDL

"Would you like something cleaner than SOAP? Something less impenetrable than WSDL? Something less confusingly intertwingled than the various WS-* bafflegab standards? ... Say, just what is this Web Services jazz anyhow?"

Let's just return to basics

"It's all No Problem. It's all Easy as Pi. REST isn't some obscure thing that nobody supports; it's the way the Web already works, just formalized a bit and with some do's and don'ts."

(John Cowan)

Who Uses REST?

RESTful services frameworks
More than 35 frameworks covering most platforms:
• Ruby
• Java
• .Net (C#, VB)
• PHP
• Perl
• Python
• C++
• etc…

& Mobile, Mobile, Mobile…

In Practice
HTTP 1.1 is essentially a RESTful protocol

SOAP Request example:

GET /StockPrice HTTP/1.1
Host: example.org
Content-Type: application/soap+xml; charset=utf-8
Content-Length: nnn

<?xml version="1.0"?>
<env:Envelope
  xmlns:env="http://www.w3.org/2003/05/soap-envelope"
  xmlns:s="http://www.example.org/stock-service">
  <env:Body>
    <s:GetStockQuote>
      <s:TickerSymbol>HPQ</s:TickerSymbol>
    </s:GetStockQuote>
  </env:Body>
</env:Envelope>

The same request, the REST way:

GET /StockPrice/HPQ HTTP/1.1
Host: example.org
Accept: text/xml
Accept-Charset: utf-8

However…
It often doesn't look like your typical Web (1 or 2) application:

• Parameters in headers
• Non-standard parameters and methods
• Non-standard AAA

What are RESTful services (REST)

Security Issues in REST

Challenges in security testing for REST

REST Security

REST Security Overview

• No standard security mechanism similar to SOAP Web Services (WS-*)
• Most session management methods are not REST oriented:
  – REST is supposed to be stateless.
  – However, often standard Web practices are used.
• (Over)relying on:
  – SSL
  – HTTP Authentication (Basic!, Digest or custom headers)
• SSO
  – Web app calling REST services
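The slide's point about over-relying on SSL and HTTP Basic authentication is easiest to see against the "custom headers" alternative it mentions: a message-level signature that does not send a reusable credential at all. The Python below is an added example, not code from the presentation or from HP; it assumes a per-client shared secret (`CLIENT_SECRETS`), the header names `X-Client-Id`, `X-Timestamp` and `X-Signature`, and a 300-second freshness window, all of which are hypothetical choices for the example.

```python
import hashlib
import hmac
import time

# Hypothetical per-client shared secrets; a real service loads them from a
# credential store. The value below is constructed for this example.
CLIENT_SECRETS = {"client-42": b"constructed-example-secret"}
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable


def canonical_string(method, path, timestamp, body):
    """The exact bytes both sides sign: method, path, time and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(client_id, method, path, body, now=None):
    """Client side: produce the custom headers that authenticate one request."""
    timestamp = str(int(time.time() if now is None else now))
    mac = hmac.new(CLIENT_SECRETS[client_id],
                   canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-Client-Id": client_id, "X-Timestamp": timestamp, "X-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, now=None):
    """Server side: True only if the signature matches and the timestamp is fresh."""
    secret = CLIENT_SECRETS.get(headers.get("X-Client-Id"))
    if secret is None:
        return False
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if abs(current - timestamp) > MAX_CLOCK_SKEW:
        return False  # stale: bounds how long a captured request can be replayed
    expected = hmac.new(secret, canonical_string(method, path, str(timestamp), body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode())
```

Because method, path and body hash are all under the signature, a captured request cannot be re-pointed at another resource or carry a different payload; the timestamp window only bounds replay, so a service that must reject exact replays within the window adds a server-side nonce cache on top.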

Are There Any RESTful specific Vulnerabilities?
Well, it seems the most common attack vector is a REST one…

"…the attacker may be able to exploit the URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server."

More Seriously

Design pattern related vulnerabilities:
• RESTful Privilege Elevation
• Utilizing REST's Trust in the System Resource to Register Man in the Middle

Related to commonly used implementation method:
• XSRF
• JSON hijacking array vulnerability

Somewhat linked to REST:
• Session ID in the URL

Any Other Web Application Vulnerability:
• It is just a web application after all

Nothing to Call Home About
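The two preceding slides name three issues a REST handler has to get right: a GET that performs updates, XSRF against state-changing methods, and the JSON array hijacking trick. As an added example that is not from the presentation or from HP, the Python dispatcher below for the `/StockPrice` resource used earlier in the deck applies the corresponding defences: GET is read-only and verb-in-URL paths are rejected, non-safe methods must carry a custom header and an acceptable `Origin`, and every JSON body is wrapped in an object. The names `handle`, `STOCKS`, `TRUSTED_ORIGIN` and the choice of `X-Requested-With` as the anti-XSRF header are assumptions for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed in-memory resource store for the example; a real service would
# back it with a database and per-user authorization checks.
STOCKS = {"HPQ": {"symbol": "HPQ", "price": 27.5}}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed origin of the legitimate browser client (hypothetical value).
TRUSTED_ORIGIN = "https://api.example.org"


def json_response(status, payload):
    """Return (status, headers, body) with the payload wrapped in a JSON object."""
    # A top-level JSON array is also valid JavaScript, which is what made the
    # "JSON hijacking" array trick possible; wrapping in an object closes it.
    headers = {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"}
    return status, headers, json.dumps({"data": payload})


def handle(method, url, headers, body=b""):
    """Dispatch one request to /StockPrice[/symbol]; only non-safe methods may change state."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if not parts or parts[0] != "StockPrice" or len(parts) > 2:
        # Verb-in-URL styles such as GET /StockPrice/HPQ/delete are not resources here.
        return json_response(404, {"error": "no such resource"})
    symbol = parts[1] if len(parts) == 2 else None

    if method not in SAFE_METHODS:
        # Anti-XSRF: a cross-site form post cannot carry a custom header, and
        # when a browser sends Origin it must be the origin we trust.
        if headers.get("X-Requested-With") != "XMLHttpRequest":
            return json_response(403, {"error": "missing anti-CSRF header"})
        origin = headers.get("Origin")
        if origin is not None and origin != TRUSTED_ORIGIN:
            return json_response(403, {"error": "untrusted origin"})

    if method == "GET":
        # GET is read-only by construction: nothing below this line mutates STOCKS.
        if symbol is None:
            return json_response(200, sorted(STOCKS))
        if symbol not in STOCKS:
            return json_response(404, {"error": "unknown symbol"})
        return json_response(200, STOCKS[symbol])
    if method == "PUT" and symbol is not None:
        try:
            price = float(json.loads(body)["price"])
        except (ValueError, KeyError, TypeError):
            return json_response(400, {"error": "body must be JSON with a numeric price"})
        STOCKS[symbol] = {"symbol": symbol, "price": price}
        return json_response(200, STOCKS[symbol])
    if method == "DELETE" and symbol is not None:
        if STOCKS.pop(symbol, None) is None:
            return json_response(404, {"error": "unknown symbol"})
        return json_response(204, None)
    return json_response(405, {"error": "method not allowed"})
```

The `Origin` check is deliberately lenient when the header is absent, because non-browser clients do not send it; the custom-header requirement is what actually stops a cross-site form post, since browsers will not attach `X-Requested-With` to one.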

What are RESTful services (REST)

Security Issues in REST

Challenges in security testing for REST

Testing Challenges

Parameters Embedded in URLs
Susceptible to Injection and Manipulation

And Other Strange Locations

• Parameters in request headers
• Matrix parameters
• JSON/XML as a structured value to other parameters
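To make the two previous slides concrete, here is an added Python helper (not part of the presentation or any HP tool) that enumerates every value in one request a tester should treat as input: path segments, matrix parameters, query parameters, selected headers, form or JSON bodies, and JSON documents nested inside another parameter's value. It goes one step beyond the slide by recursing into nested JSON so that each leaf becomes its own injection point. The header allow-list `PARAMETER_HEADERS` and the sample request used in the test are assumptions constructed for the example.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Headers that carry application data rather than transport details; the list
# is an assumption for this example and would be tuned per target.
PARAMETER_HEADERS = {"authorization", "x-api-key", "x-user-id", "x-tenant"}


def _json_leaves(value, prefix=""):
    """Yield (dotted-path, scalar) for every leaf of a parsed JSON document."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from _json_leaves(item, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from _json_leaves(item, f"{prefix}[{index}]")
    else:
        yield prefix, value


def _expand(location, name, value):
    """Return the parameter plus any sub-parameters hidden in a JSON-valued string."""
    found = [(location, name, value)]
    if isinstance(value, str) and value[:1] in ("{", "["):
        try:
            parsed = json.loads(value)
        except ValueError:
            return found  # looked like JSON but is not; keep it as an opaque value
        found += [(f"{location}:json", f"{name}/{leaf}", item)
                  for leaf, item in _json_leaves(parsed)]
    return found


def extract_parameters(url, headers, body=""):
    """List every (location, name, value) in a request that a tester should treat as input."""
    params = []
    split = urlsplit(url)
    for index, segment in enumerate(p for p in split.path.split("/") if p):
        # Matrix parameters ride on a path segment: /users;role=admin;dept=it
        base, *matrix = segment.split(";")
        params.append(("path", f"segment[{index}]", base))
        for item in matrix:
            name, _, value = item.partition("=")
            params += _expand("matrix", name, value)
    for name, value in parse_qsl(split.query, keep_blank_values=True):
        params += _expand("query", name, value)
    for name, value in headers.items():
        if name.lower() in PARAMETER_HEADERS:
            params += _expand("header", name, value)
    if body:
        content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
        if content_type == "application/json":
            params += _expand("body", "body", body)
        elif content_type == "application/x-www-form-urlencoded":
            for name, value in parse_qsl(body, keep_blank_values=True):
                params += _expand("form", name, value)
    return params
```

The location tag on each tuple (`path`, `matrix`, `query:json`, ...) tells a scanner how a mutated value has to be re-encoded before it is sent, which is exactly where generic web scanners built around query strings and form fields fall short on REST APIs.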

The Attack Surface Issue
REST APIs are Challenging to Map

• Larger than actually used in application:
  – URIs, Methods, Parameters
• Poorly documented:
  – WADL is only a proposed standard and hardly ever used.
• Many different ways to express parameters.
• Especially difficult for automated pen-testing.

Solutions

• Manual Definition of the Attack Surface

• Analyze Documentation & Configuration

• Automated Discovery of Rules

Manual Definition of the Attack Surface

Two use cases:

• Define the entire API – complete but difficult. Possible, especially as part of a rigorous QA (SoapUI example on right).
• Define templates for identifying and handling REST during crawl.
  – Critical for JS frameworks.

Analyze Documentation & Configuration

Informal documentation:
• Highly unstructured
• Requires heuristics, training and trial and error.

Web servers and applications configuration:
• Easier to use but a limited solution.

Automated Discovery of Rules

• Irregular 404 codes
  – Including site specific ones.
• Pattern analysis:
  – Matrix parameters
  – JSON or XML as values to parameters
• Irregular headers
• And…
  – Need to wait till year end…
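The first technique on the slide, learning a site's irregular 404 behaviour, is shown below as an added Python example; it is not the presenters' tool and HP's implementation is not described here. A crawler that trusts status codes alone will record every API path as existing when the site answers unknown resources with a 200 and a custom page, so the example probes a few paths that cannot exist, learns a normalised signature of the response, and then classifies real paths against that baseline. `SAMPLE_SITE`, `NOT_FOUND_PAGE` and the `lookup` stand-in for an HTTP client are constructed for the example.

```python
import hashlib
import re
import secrets

# Constructed stand-in for a target site: known resources, keyed by path.
SAMPLE_SITE = {
    "/api/users/1": (200, '{"id": 1, "name": "alice"}'),
    "/api/orders": (200, '{"orders": [17, 23]}'),
}
# Site-specific "not found" page that wrongly answers with HTTP 200 (constructed).
NOT_FOUND_PAGE = "<html><title>Oops</title><p>Page {path} not found, request id {rid}</p></html>"


def lookup(path):
    """Stand-in for an HTTP GET: returns (status, body) like a real client would."""
    if path in SAMPLE_SITE:
        return SAMPLE_SITE[path]
    return 200, NOT_FOUND_PAGE.format(path=path, rid=secrets.token_hex(4))


def signature(body, path):
    """Normalise a body so that 'not found' pages for different paths hash identically."""
    body = body.replace(path, "#")                   # the probed path echoed back
    body = re.sub(r"\b[0-9a-f]{8,}\b", "#", body)    # request ids, hashes, tokens
    body = re.sub(r"\d+", "#", body)                 # counters, timestamps
    body = re.sub(r"\s+", " ", body).strip()
    return hashlib.sha256(body.encode()).hexdigest()


def learn_not_found(fetch, prefix="/api/", probes=3):
    """Request random paths that cannot exist and collect their (status, signature) set."""
    baseline = set()
    for _ in range(probes):
        path = prefix + secrets.token_hex(8)
        status, body = fetch(path)
        baseline.add((status, signature(body, path)))
    return baseline


def classify(fetch, path, baseline):
    """Return 'missing' for a real 404 or a learned soft 404, else 'present'."""
    status, body = fetch(path)
    if status == 404 or (status, signature(body, path)) in baseline:
        return "missing"
    return "present"
```

On a real target the baseline is learned per path prefix and per HTTP method, because many REST frameworks answer an unknown resource differently from an unsupported method on a known one; a baseline with more than one signature is itself a useful finding, since it means the site's error handling is inconsistent.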

Thank You!
