
#ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman


Anuradha Raman who is a QA Lead at Encore Software Services took a Session on "Security Testing for RESTful APIs" at Global Testing Retreat #ATAGTR2018


Please refer to our LinkedIn post for session details:
https://www.linkedin.com/pulse/security-testing-restful-apis-anuradha-raman-agile-testing-alliance/

Published in: Technology


  1. #ATAGTR2018 Security Testing for RESTful APIs, Anuradha Raman, 27th September 2018
  2. #ATAGTR2018
     As an author of this presentation I/we own the copyright and confirm the originality of the content. I/we allow Agile Testing Alliance to use the content for social media marketing, publishing it on the ATA Blog or ATA social media channels (provided due credit is given to me/us).

     Introduction
     Most attacks that are possible against web applications are possible against APIs as well. In this digital world, most applications make liberal use of APIs because they provide rich user experiences. APIs connect the billions of IoT devices to the cloud, where the data they collect is processed, crunched and made useful. While "API strategy" is becoming an important business mantra, there is a gaping hole in API security. Just as an API can boost a business, an API breach can bring it crashing down. Even if security was built into the internal services, it is often made obsolete by new threats.
     The three pillars of today's application system are:
     1. Web applications and web services
     2. IoT
     3. Connected applications (connected by RESTful APIs)
  3. #ATAGTR2018 Security Challenges in using REST APIs:
     1. Use of Hyper Text Transfer Protocol Secure (HTTP/S): REST uses plain HTTP for communication between machines; some APIs support HTTPS only. RESTful services are therefore subject to all the application-layer security vulnerabilities of web applications [OWASP Top 10 critical web application security risks].
     2. Using HTTP methods POST, PUT, DELETE (CRUD): REST services use HTTP methods for CRUD operations. These methods are limited to a resource by design, but this is often not implemented correctly.
  4. #ATAGTR2018 Security Challenges in using REST APIs:
     3. Action-based authentication and access control: Some REST frameworks implement action-based authentication, wherein different access constraints are bound to different HTTP actions (methods); for example, Create (POST) is restricted to users with admin access. But most such implementations turn out to be insecure.
     (Diagram: actions DELETE, POST, PUT, GET)
  5. #ATAGTR2018 Security Challenges in using REST APIs:
     4. Data exchange (XML and JSON): REST services use XML or JSON for input (request) and output (response) parameters to exchange information. These parameters are consumed by backend services or the UI. These consumers should use dedicated parsers for these formats that are hardened against malicious inputs.
     5. URL paths: HTTP passes input parameters in the URL; REST passes parameters in different ways, in the URL or as JSON in the POST request body. Consider the following two requests (shown on the slide) to get the details of a resource: the first is from a REST/JSON service and the second from a Simple Object Access Protocol (SOAP) service. The resource id parameter is highlighted in red. Observe the lightness of the JSON request compared to the SOAP request. REST has no standard security mechanism as SOAP web services do.
  6. #ATAGTR2018 Security testing methodologies for REST APIs:
     Black box testing:
     - Black-box security testing refers to a method of software security testing in which the security controls, defences and design of an application are tested from the outside in, with little or no prior knowledge of the application's internal workings. Essentially, black-box security testing takes an approach like that of a real attacker.
     - Black-box security testing does not assume or have knowledge of the target being tested; it is a technology-independent method of testing. This makes it ideal for a variety of situations, particularly when testing for vulnerabilities that arise from deployment issues and server misconfigurations.
     - A black-box security test starts by collecting information about the target. This is typically accomplished by crawling the API using tools like a REST crawler.
  7. #ATAGTR2018 Penetration Testing
     Penetration testing is practised to find the vulnerabilities that an attacker could exploit.
     Pen testing prerequisites:
     - Documentation (WADL)
     - Formal service description
     - Application source/configuration
     - Sample request/response or Postman collection
     - Request headers, if any
     - Access token, API key
     - Specific workflows that are dependent on other endpoints
     Test approach for pen testing of a RESTful web service:
     - Attack surface detection
     - Collect requests
     - Analyse requests
  8. #ATAGTR2018 Attack Surface Detection:
     Determining the attack surface through documentation. Unfortunately, an API has no UI to show the attack surface. As a pen tester, we need to know as much as possible about an API's endpoints, messages, parameters and behaviour. Attack surface detection can be done using:
     1. API metadata
     2. Recording traffic via a proxy or network sniffer to record and learn an API
  9. #ATAGTR2018 (screenshot only; no slide text)
  10. #ATAGTR2018 Tests for API attack methods (API attack method / what is it? / how to test?):
     - API fuzzing: sending random content as input parameters to the API; fuzzing with all possible input values is recursive fuzzing. How to test: create automated fuzz tests that validate that response messages do not disclose system information and that the correct error messages/response codes are returned.
     - Injection attacks: using SQL, XML, XPath, JSON, JavaScript etc., attempt to inject code that is executed where it should not be. How to test: understand how the API works (SQL? NoSQL? other APIs?).
     - Invalid input attacks: sending known invalid input (can be auto-generated from API metadata) such as invalid dates or invalid data types. How to test: validate for system information and for error messages/status codes.
     - Cross-Site Request Forgery (CSRF): include an unpredictable token with each request. How to test: functional testing of the API will validate API calls without a token and with reused tokens.
     - Insecure Direct Object References: for parameters like IDs that seem to be sequential, trying to submit other IDs to gain access. How to test: validate authorisation enforcement; combine fuzzing or boundary tests with invalid IDs.
     - Insufficient SSL configurations: eavesdropping on API traffic. How to test: APIs should always use SSL; create simple tests that fail if HTTPS is not enforced; create simple tests that fail if certificates are self-signed.
  11. #ATAGTR2018 Pen Testing using Wireshark (in Windows):
     - Wireshark is one of the most popular open source network protocol analysis tools.
     - It is used for troubleshooting, analysis, and software and communications protocol development.
     - Application vulnerabilities such as parameter pollution, SQL injection, lack of input validation, as well as buffer overflows, can be easily detected and exploited using Wireshark.
  12. #ATAGTR2018 Pen testing with Wireshark can be done in three phases, namely:
     I. Capturing the packets
     II. Filtering the packets
     III. Analysing the packets
     I. Capturing the packets:
     - Launch Wireshark from the Start menu.
     - Set your browser to load the web page under test.
     - To capture packets, the capturing interface needs to be set up. Go to the menu bar, click Capture -> Interfaces and choose the device that has an active IP address. Click Start so that Wireshark is ready to capture any packets sent through the interface.
  13. #ATAGTR2018 Analysing the packets:
     There are different sections to examine, as seen above. Wireshark segregates the relevant data following the transmission control protocol (TCP) stack principle for better understanding.
     - Frame: tells the user the frame number, time-related information about the packet, frame length, protocols within the frame, and the colouring rule.
     - Ethernet II: indicates the packet's source and destination.
     - Internet Protocol: contains the source and destination information along with version, header details, and lifetime. You will find source and destination IP addresses here.
     - TCP: captures information about the source and destination ports involved in the communication, the next sequence number to look out for, and the different flags (along with their values).
     - HTTP: contains information on the HTTP version, server info, timeout value, connection status, content type, and character set used in the communication.
     - Line-based text data: contains the HTML source code (for analysing the HTTP protocol).
  14. #ATAGTR2018 How to grab passwords using Wireshark:
     This section deals with how to capture a username and password from transferred packets. If the username and password are not in clear-text form, you might have to use a few descriptors to get a readable username and password. The following screenshot presents a clear-text form of packet data, hence there is no need for decryption tools. This technique can be used for FTP, HTTP and other protocols, since they transmit in clear text.
  15. #ATAGTR2018 How to export selected bytes from captured packets:
     1) Open any website that has a few images of type .jpeg or .gif.
     2) Ensure that Wireshark's capture mode is active and navigate through the pages with images. Stop the capture and search for packets with the HTTP filter. Traverse the filtered packets to find the HTTP call in which the image was retrieved by a GET request.
     3) Select the packet and observe the second section. Select the .gif, right-click and choose "Export Selected Bytes". The image can be exported to the local system successfully.
  16. #ATAGTR2018 Detecting Cross Site Scripting Vulnerability:
     1) Download the BTS Pentesting Lab from SourceForge.net
     2) Install XAMPP or WAMP on your machine
     3) Extract the zip file into the htdocs folder
     4) Open the URL http://localhost/btslab/setup.php in a browser
     5) Click setup
  17. #ATAGTR2018 Detecting Cross Site Scripting Vulnerability: (screenshot)
  18. #ATAGTR2018 Detecting Cross Site Scripting Vulnerability: (screenshot)
  19. #ATAGTR2018 Xenotix – Cross Site Scripting (XSS) (screenshot)
  20. #ATAGTR2018 Xenotix – Cross Site Scripting (XSS) (screenshot)
  21. #ATAGTR2018 Other Tools for Securing REST API:
     Fiddler: Fiddler is an open source tool that lets you monitor, manipulate and reuse HTTP requests. It can be used for troubleshooting issues with web applications and debugging web traffic from most devices. It can act as an HTTP proxy, and it is the easiest tool with which to begin testing APIs.
     AppSpider: AppSpider is a DAST (Dynamic Application Security Testing) tool capable of testing Swagger-enabled APIs, which saves application security testers a great deal of time. AppSpider has two major innovations that enable it to fully test Swagger APIs: the first is AppSpider's Universal Translator and the second is the ability to analyse Swagger files. The Universal Translator was built to enable AppSpider to analyse the parts of the application that can't be crawled, like APIs. It analyses traffic, normalizes it and attacks the application.
  22. #ATAGTR2018 Challenges in securing REST:
     I. Inspecting the application does not reveal the application attack surface: REST APIs expose resources and transactional operations on them, and applications only use a subset of them. Thus, determining the URL space and attack surface is not easy.
     II. Fuzzing standard parameters is not sufficient anymore.
     III. Guidelines for fuzzing are not defined.
     IV. Custom authentication and session management break common cookie-sharing practices.
     V. URLs are generated dynamically in REST-based services.
     References: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
  23. #ATAGTR2018 Xenotix – Cross Site Scripting (XSS) (screenshot)
  24. #ATAGTR2018 Thank you, 27th September 2018
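Slide 4 describes action-based access control, where Create (POST) is restricted to administrators, and notes that most such implementations turn out to be insecure. The following is an added example, not part of the presentation: a policy-matrix test that calls every HTTP method as every role and reports where the observed status differs from the intended policy. `fake_resource_api`, `intended_policy` and the tokens are constructed stand-ins (hypothetical), and the stand-in carries a deliberate defect typical of per-method checks: only POST is role-checked.

```python
# Added example (not from the slides): a policy-matrix test for action-based access control.
# fake_resource_api is a constructed stand-in for a REST service whose intended policy is
# "anyone may GET; only admins may POST, PUT or DELETE". Its defect: only POST is
# role-checked, so PUT and DELETE fall through to 200 for any authenticated user.

TOKENS = {"tok-user": "user", "tok-admin": "admin"}               # constructed token -> role
ROLES = {"anon": None, "user": "tok-user", "admin": "tok-admin"}  # role -> token to send
WRITE_METHODS = ("POST", "PUT", "DELETE")

def fake_resource_api(method, token):
    """Return the HTTP status the stand-in would give for (method, token)."""
    role = TOKENS.get(token)              # None for anonymous or unknown tokens
    if role is None and method != "GET":
        return 401                        # unauthenticated write attempt
    if method == "POST" and role != "admin":
        return 403                        # create is admin-only ...
    return 200                            # ... but PUT/DELETE are never checked (defect)

def intended_policy(method, role):
    """The access rule the slide describes, as a function of method and role."""
    if method == "GET":
        return 200
    if role == "anon":
        return 401
    return 200 if role == "admin" else 403

def find_policy_gaps(api, methods=("GET",) + WRITE_METHODS, roles=ROLES):
    """Call the API for every (method, role) pair and return the pairs whose status
    differs from the intended policy as {(method, role): (expected, observed)}."""
    gaps = {}
    for method in methods:
        for role, token in roles.items():
            want, got = intended_policy(method, role), api(method, token)
            if want != got:
                gaps[(method, role)] = (want, got)
    return gaps

if __name__ == "__main__":
    for pair, (want, got) in sorted(find_policy_gaps(fake_resource_api).items()):
        print(f"{pair[0]:6} as {pair[1]:5}: expected {want}, got {got}")
```

Against a real service the stand-in is replaced by a function that issues the request with the given method and token and returns the status code; the policy matrix stays the same.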

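Slide 10 recommends automated fuzz and invalid-input tests, with inputs generated from API metadata, that check responses do not disclose system information and return the correct status codes. The following is an added example, not from the presentation: `fake_api` is a constructed in-process stand-in with a deliberate defect (an unparseable date or integer produces a 500 whose body and Server header expose internals), `INVALID_BY_TYPE` is a constructed parameter-type map standing in for API metadata, and `invalid_input_run` collects findings per input.

```python
import json
import re
from datetime import date

# Added example (not from the slides). fake_api is a constructed stand-in for the API under
# test with one deliberate defect: an unparseable date or integer raises, and the handler
# returns a 500 whose body and Server header expose internals.
def fake_api(params):
    try:
        d = date.fromisoformat(params.get("date", "2018-09-27"))
        n = int(params.get("count", "1"))
        if n < 0:
            return 400, {"Server": "api"}, json.dumps({"error": "count must be >= 0"})
        return 200, {"Server": "api"}, json.dumps({"date": d.isoformat(), "count": n})
    except ValueError as exc:  # defect: internal details leak to the client
        body = ('Traceback (most recent call last):\n'
                '  File "/srv/app/handlers.py", line 42, in handle\n'
                f'ValueError: {exc}')
        return 500, {"Server": "Apache/2.4.29 (Ubuntu)"}, body

# Known-invalid values per parameter type: the "auto generated from API metadata" idea.
INVALID_BY_TYPE = {
    "date": ["2018-13-45", "not-a-date", "", "31/12/2018"],
    "integer": ["abc", "-1", "9" * 40, ""],
}

# Signs of system information in a response (extend for the stack in use).
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "/[^"]+\.py"'),
    re.compile(r"\b(Apache|nginx|Microsoft-IIS)/\d"),
]

def check_response(status, headers, body):
    """Findings for one response to a known-invalid input: wrong status class or leaks."""
    findings = []
    if status >= 500:
        findings.append("5xx on invalid input (expected a 4xx client error)")
    text = body + " " + " ".join(headers.values())
    for pat in LEAK_PATTERNS:
        if pat.search(text):
            findings.append("system information disclosed: " + pat.pattern)
    return findings

def invalid_input_run(api, metadata):
    """Send every invalid value for each parameter's type; return {(param, value): findings}."""
    results = {}
    for name, ptype in metadata.items():
        for value in INVALID_BY_TYPE[ptype]:
            status, headers, body = api({name: value})
            found = check_response(status, headers, body)
            if found:
                results[(name, value)] = found
    return results

if __name__ == "__main__":
    for key, found in invalid_input_run(fake_api, {"date": "date", "count": "integer"}).items():
        print(key, "->", "; ".join(found))
```

Inputs that the stand-in rejects cleanly (a negative count gives a 400 with a plain error) produce no findings, which is the behaviour the slide asks the tests to confirm.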