Pentesting RESTful WebServices v1.0

RESTful Web Services Pentesting, by Mohammed A. Imran

Hello
Mohammed A. Imran
Application Security Engineer, CA Inc
Null Hyderabad Lead
OWASP Hyderabad Board Member
@MohammedAImran

Let's talk about ...
● What is RESTful web services?
● Problems with REST WS testing
● Methodology to test RESTful WS
● Tools & techniques

Did you know?

The ugly truth: SOAP web services vs RESTful web services (Google Trends)

They also rest on REST APIs

Why REST web services?
Easy & simple
A SOAP request:
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
               soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
  <soap:Body xmlns:m="http://www.mysite.com/users">
    <m:GetUserDetails>
      <m:UserID>313</m:UserID>
    </m:GetUserDetails>
  </soap:Body>
</soap:Envelope>
VS the REST equivalent:
GET /users/313/

Lightweight
A SOAP response:
<soap:Body xmlns:m="http://www.mysite.com/users">
  <m:GetUserDetailsResponse>
    <m:UserName>MohammedAImran</m:UserName>
    <m:Type>user</m:Type>
    <m:SiteAdmin>false</m:SiteAdmin>
    <m:Name>Mohammed A. Imran</m:Name>
    <m:Company>CA Inc</m:Company>
    <m:Email>morpheus@null.co.in</m:Email>
  </m:GetUserDetailsResponse>
</soap:Body>
VS the REST equivalent:
{
  "login": "MohammedAImran",
  "type": "User",
  "site_admin": false,
  "name": "Mohammed A. Imran",
  "company": "CA Inc",
  "email": "morpheus@null.co.in"
}
Note: REST can also use XML as media type.
Many more reasons to use ...
● Easy to understand & document
● Easy on limited bandwidth
● READs can be cached and hence reduce the bandwidth
● Better browser support since the data format is mostly JSON
● Can be used by mobile devices
● Loosely coupled

But what is REST?

"Representational state transfer (REST) is an architectural style consisting of a coordinated set of constraints applied to components, connectors, and data elements, within a distributed hypermedia system."

What? Let me explain ...
REST is an architectural style with some imposed constraints on how data is accessed and represented while developing web services or applications. It uses HTTP 1.1 as inspiration.

In simple terms
REST = RFC 2616 (well, almost)

In simple terms ...
REST = HTTP protocol with constraints

Architecture constraints
● Uniform interface
● Client-server
● Stateless
● Cache-able
● Layered system
● Code on demand (optional)

REST style consists of ...
Resources (resource URLs), VERBS, Media Types, Status Codes

RESOURCES
Site.com/users      (collection; a NOUN)
Site.com/users/1    (instance)

VERBS
POST (create), GET (read), PUT (update), DELETE

POST = CREATE
Create a new resource
* POST can be used for both create and update

POST http://mysite.com/users/
{
  "login": "MohammedAImran",
  "id": "313",
  "name": "Mohammed A. Imran",
  "company": "CA Inc",
  "email": "MohammedAbdullahImran@gmail.com"
}

GET = READ
Fetch some resource
GET site.com/users/
{
  "users": [
    {
      "login": "MohammedAImran",
      "id": "313",
      "name": "Mohammed A. Imran",
      "company": "CA Inc",
      "email": "MohammedAbdullahImran@gmail.com"
    },
    {
      "login": "Raghunath",
      "id": "311",
      "name": "G Raghunath",
      "company": "X Inc",
      "email": "raghu@null.co.in"
    }
  ]
}
GET site.com/users/313
{
  "login": "MohammedAImran",
  "id": "313",
  "name": "Mohammed A. Imran",
  "company": "CA Inc",
  "email": "MohammedAbdullahImran@gmail.com"
}

PUT = UPDATE/MODIFY
Update some resource
* PUT can be used for both create and update

DELETE = DELETE
Delete a resource

HATEOAS
Hypermedia As The Engine Of Application State

Media Types = Parsing Rules + Specifications

Media type examples
application/json
application/xml
application/imrans+json;v1

Status codes
200 OK
201 Created
204 No Content
304 Not Modified
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
500 Internal Server Error
501 Not Implemented

RESTful WS testing problems
Difficulty in doing REST PT
● Many JSON variables to fuzz, and it is difficult to find which ones are optional and which are to be fuzzed
● Custom authentication
● Statelessness
● Non-common HTTP status codes, unlike what tools are used to

Difficulty in doing REST PT ...
● Not so good automated tool support
● Every API is different from the others and hence needs custom tweaking for tools
● Heavy reliance on Ajax frameworks for creating PUT and DELETE requests, as most browsers don't support them

REST WS testing methodology

Authentication

Bad practices
http://site.com/token/a3b3c2be5f53c8/
https://site.com/token/a3b3c2be5f53c8/

Authentication ...
● REST APIs rely heavily on SSL
● Often basic authentication is coupled with SSL (bruteforce?)
● Often custom token authentication schemes are built and used (a sure recipe for disaster)
● Never pass username/password, tokens, keys in the URL (use POST instead)
● Implementing authentication tokens in headers takes away the headache of having a CSRF token
Session management
● Check all session-based attacks on tokens as well
● Session timeout
● Session brute force
● Generally tokens are stored in the local storage of browsers; make sure you delete the token after log-out and upon browser window close
● Invalidate the token at server side upon logout
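The two authentication and session-management slides above in working form, as an added example that is not the deck's own code: tokens are accepted only from the Authorization header (the deck's `Custom` scheme is assumed), a token in the query string is refused, idle tokens expire, and logout revokes server side. `IDLE_TIMEOUT`, `TokenStore` and `authenticate` are names chosen here.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a token dies (assumed value)


class TokenStore:
    """In-memory server-side token table; the clock is injectable for testing."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._tokens = {}  # token -> (user, last_seen)

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 random bits: not brute-forceable
        self._tokens[token] = (user, self._now())
        return token

    def revoke(self, token):
        # Logout must invalidate here; the client deleting its copy is not enough.
        self._tokens.pop(token, None)

    def resolve(self, token):
        presented = token.encode("utf-8")
        for stored, (user, last_seen) in list(self._tokens.items()):
            # constant-time compare so lookup timing does not leak token bytes
            if hmac.compare_digest(stored.encode("ascii"), presented):
                if self._now() - last_seen > IDLE_TIMEOUT:
                    self._tokens.pop(stored)  # session timeout: drop it
                    return None
                self._tokens[stored] = (user, self._now())
                return user
        return None


def authenticate(store, path, headers):
    """Return the user behind a request, or None if it carries no valid token."""
    # Never accept a credential in the URL: it would land in access logs,
    # proxies, browser history and Referer headers (the "bad practices" slide).
    if "token" in parse_qs(urlsplit(path).query):
        return None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Custom" or not token:
        return None
    return store.resolve(token)
```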
Authorization
● Privilege escalation (horizontal and vertical)
● Make sure there is tight access control on DELETE and PUT methods
● Use role-based authentication
● Since usually the consumers of REST APIs are machines, there are no checks if the service is heavily used, which could lead to DoS or brute force
● Protect administrative functionality
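An authorization regression check for the horizontal and vertical privilege-escalation points above, as an added example rather than the deck's code: the rights matrix is written down from the API's own rules and every cell is replayed, so any cell where the service answers differently is reported. The service here is a constructed in-memory stand-in with a deliberate gap on DELETE; `fake_api`, `USERS`, `TOKENS` and `MATRIX` are assumed names and values, and the same `check_matrix` can be pointed at a live service by passing a `send(method, path, headers)` function built on urllib or cURL.

```python
USERS = {"313": "MohammedAImran", "311": "Raghunath"}  # ids from the deck's GET example
TOKENS = {  # constructed: token -> (user id, role)
    "tok-imran": ("313", "user"),
    "tok-raghu": ("311", "user"),
    "tok-admin": ("1", "admin"),
}


def fake_api(method, path, headers):
    """Constructed stand-in service; its DELETE branch deliberately skips the
    ownership check, the kind of gap the deck warns about on PUT/DELETE."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    who = TOKENS.get(token) if scheme == "Custom" else None
    if who is None:
        return 401
    uid, role = who
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "users" or parts[1] not in USERS:
        return 404
    owner_or_admin = uid == parts[1] or role == "admin"
    if method in ("GET", "PUT"):
        return 200 if owner_or_admin else 403
    if method == "DELETE":
        return 204  # flaw: any authenticated user may delete any user
    return 405


# Expected rights, written down from the API's own rules before probing it.
MATRIX = [
    ("tok-imran", "GET", "/users/313", 200),     # own record
    ("tok-imran", "GET", "/users/311", 403),     # horizontal: someone else's record
    ("tok-imran", "PUT", "/users/311", 403),
    ("tok-imran", "DELETE", "/users/311", 403),
    ("tok-admin", "DELETE", "/users/311", 204),  # vertical: only admin may delete
    ("", "GET", "/users/313", 401),              # no credential at all
]


def check_matrix(send, matrix=MATRIX):
    """Replay every cell; return (token, method, path, expected, got) for deviations."""
    findings = []
    for token, method, path, expected in matrix:
        headers = {"Authorization": "Custom " + token} if token else {}
        got = send(method, path, headers)
        if got != expected:
            findings.append((token, method, path, expected, got))
    return findings


if __name__ == "__main__":
    for token, method, path, expected, got in check_matrix(fake_api):
        print(f"DEVIATION {method} {path} as {token!r}: expected {expected}, got {got}")
```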
CVE-2010-0738

JBoss JMX Console vulnerability

NOTE
All attacks which are possible on any web application are possible with REST APIs as well.

Input validation
● SQL Injection
● XSS
● Command Injection
● XPATH Injection
However, XSS becomes difficult to fuzz because of JSON, and you might want to scan with SQL injection and XSS profiles separately.

Output encoding
● If your application has a web interface then you might want to use the following headers:
  – X-Content-Type-Options: nosniff
  – X-Frame-Options: DENY/SAMEORIGIN/ALLOW-FROM
● JSON encoding

Cryptography
● Use TLS with a good key size (384 bits preferably)
● Use client-side certificates if possible, however not usually seen for APIs
● Use strong hashing algorithms (scrypt/bcrypt/SHA512)
● Use strong encryption mechanisms (AES)

Few notes ...
● Use a proxy to determine the attack surface and to understand the application
● Identify URLs, resources, status codes and data needed
● Every part of the HTTP protocol is a potential target for fuzzing in RESTful APIs (don't forget headers)
● WAF evasion is possible since JSON is not well understood by WAFs

Tools & techniques

Command-line-Fu
cURL primer
-b or --cookie "COOKIE HERE"
-H or --header "Authorization: Custom SW1yYW5XYXNIZXJlCg=="
-X or --request PUT/POST/DELETE
-i or --include (include response headers)
-d or --data "username=imran&password=Imran" or --data @file-containing-data
-x or --proxy 127.0.0.1:8080
-A or --user-agent "Firefox 27.0"
cURL primer ...
● cURL is great for automation if you know how the service works.
● cURL libraries are available for the majority of languages like PHP, Python and many more ...
● You can perform complex operations and script them pretty fast.

cURL examples
#!/bin/bash
# one request per user name, all routed through the intercepting proxy
users="Imran Jaya Raghu Vinayak"
for dirName in $users   # unquoted on purpose: split on spaces
do
  curl -i -H "Authorization: Custom SW1yYW5XYXNIZXJlCg==" "http://www.mysite.com/users/$dirName" --proxy 127.0.0.1:8080
done
Graphical tools

Firefox add-on

Firefox add-on ...
● If you need a graphical interface, browser add-ons provide a GUI, however not as powerful as the cURL command.
● Specialized developer tools (SOAP UI) can also be used for testing.

Automated tools

AppScan scan
http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html

AppScan scan ...

Thank you!
Want to discuss more? Catch me on
www.twitter.com/MohammedAImran
www.linkedin.com/in/MohammedAImran

Credits
* All icons are taken from The Noun Project; credit goes to the respective artists
* OWASP Cheat Sheet Series

References
http://www.slideshare.net/SOURCEConference/security-testing-for-rest-applications-ofer-shezaf-source-barcelona-nov-2011
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
http://securityreliks.wordpress.com/2010/07/28/testing-restful-services-with-appscan/
http://www-01.ibm.com/support/docview.wss?uid=swg21412832
http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html