Pentesting ReST API

This slide deck takes you through the basic theory, tools, test beds and approach for pentesting REST APIs, with lots of references.

  1. PENTESTING REST API (null Bangalore Meet)
  2. Introduction
     ■ Nutan Kumar Panda
     ■ Aka @TheOsintGuy
     ■ Senior Information Security Engineer
     ■ OSINT enthusiast
     ■ Presenter at BH US / BIU Israel / GroundZero Summit / CISO Summit etc.
     ■ Co-author of the book "Hacking Web Intelligence"
     ■ Contributor to the DataSploit project
     ■ Active contributor of the null Bangalore Chapter
  3. What can you expect?
     ■ Basic theory
     ■ My personal experience
     ■ Approach
     ■ Tools of the trade
     ■ Test beds
     ■ One example to think out of the box
     ■ Some common findings
     ■ Hands-on demos
  4. Web Services
     ■ SOAP
     ■ Components
        – Service Consumer
        – Service Provider
        – XML (Extensible Markup Language)
        – SOAP (Simple Object Access Protocol)
        – WSDL (Web Services Description Language)
        – UDDI (Universal Description, Discovery and Integration)
     ■ http://resources.infosecinstitute.com/web-services-penetration-testing-part-1/
     ■ ReST
     ■ Components
        – Resources (example.com/users/1)
        – Verbs (CRUD: POST / GET / PUT / DELETE)
        – Media Type (application/json)
        – Status Codes (200, 201, 404 etc.)
        – Authentication (OAuth)
        – http://www.slideshare.net/null0x00/o-auth-tokens
     ■ http://www.slideshare.net/null0x00/pentesting-restful-webservices-v10
     ■ http://www.slideshare.net/PraveenKumarKOSCP/introduction-to-web-services-penetration-testing (page 3)
  5. How I started?
     ■ https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
  6. Approach
     ■ Do not jump into testing just because you got an endpoint or a set of endpoints
     ■ Ask for the documentation
     ■ Ask for sample request/response pairs or a Postman collection
     ■ Ask for any particular header that is needed
     ■ Ask for a token, or any specific parameter or value for a parameter, so that you get into the right flow
     ■ Ask for the workflows (sometimes workflows are bound: you cannot jump directly to a web service and test it, because you need data that you only get from other endpoints)
     ■ It's not only about fuzzing parameters
  7. Tools of the trade
     ■ ReST Client (browser plugin)
     ■ Postman (app and plugin)
     ■ Burp (ZAP / Charles / IronWASP or any other interception proxy)
     ■ Hurl.it (online REST client)
     ■ SoapUI (https://www.youtube.com/watch?v=XV7WW0bDy9c)
     ■ Fuzzapi (https://github.com/lalithr95/Fuzzapi), presented just the day before at AppSec USA by Abhijeth and Lalith
        – http://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using-fuzzapi
        – If you like this tool, spread the word with #fuzzapi
  8. Test Beds
     ■ Hackazon
        – Code: https://github.com/rapid7/hackazon
        – Web version: http://hackazon.webscantest.com/
        – There is an APK as well: https://github.com/rapid7/hackazon/tree/master/web/app.apk
        – YouTube video: https://www.youtube.com/watch?v=Yekzm0Olc3Y (demo starts at 24:00)
     ■ Mutillidae
        – Code: https://sourceforge.net/projects/mutillidae/
        – Video: https://www.youtube.com/watch?v=e6HAQnvuaic
     ■ DVWS
        – Code: https://github.com/snoopythesecuritydog/dvws
        – Tutorial: https://kali.tools/?p=1729
  9. Example
     POST example.com/users/view/253
     { "user": "adam", "role": "tester" }
  10. Common Findings
     ■ Enumeration
     ■ Rate limiting not implemented
     ■ Information disclosure
     ■ POST to GET conversion (method conversion)
     ■ IDOR
     ■ SQLi
     ■ Authorization flaws
     ■ Token related issues (expiry, reuse, predictability etc.)
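The following is an added example and not part of the original slides or of any tool they mention. It models the slide-9 request (POST example.com/users/view/253 with a JSON body) as a deliberately weak in-memory endpoint and runs three of the checks behind the "Common Findings" slide against it: POST-to-GET method conversion, IDOR on the numeric id, and missing rate limiting. The user records, ids, the bearer token and the 429 threshold are all constructed for the example; the `enforce_owner` and `rate_limit` switches are assumptions that let the same checks be rerun against a hardened variant.

```python
"""Added example, not from the original slides: a deliberately weak in-memory
mock of the slide-9 endpoint (POST example.com/users/view/253) and three checks
for findings from the "Common Findings" slide: POST-to-GET method conversion,
IDOR and missing rate limiting. Users, ids and the token are constructed."""
from dataclasses import dataclass, field

# Constructed sample data: two users; the token "tok-adam" belongs to user 253.
USERS = {
    253: {"user": "adam", "role": "tester", "email": "adam@example.com"},
    254: {"user": "bob", "role": "admin", "email": "bob@example.com"},
}
TOKENS = {"tok-adam": 253}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


class MockApi:
    """Stand-in for the target. With the defaults it authenticates the bearer
    token but never checks that the token's owner is the <id> being viewed,
    treats GET and POST identically, and has no rate limit. enforce_owner and
    rate_limit (assumed knobs for this example) switch on the fixes so the
    same checks can be run against a hardened variant."""

    def __init__(self, enforce_owner=False, rate_limit=None):
        self.calls = 0
        self.enforce_owner = enforce_owner
        self.rate_limit = rate_limit

    def handle(self, method, path, headers, body=None):
        self.calls += 1
        if self.rate_limit is not None and self.calls > self.rate_limit:
            return Response(429, {"error": "too many requests"})
        token = headers.get("Authorization", "")
        owner = TOKENS.get(token[len("Bearer "):]) if token.startswith("Bearer ") else None
        if owner is None:
            return Response(401, {"error": "unauthenticated"})
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[:2] != ["users", "view"] or not parts[2].isdigit():
            return Response(404, {"error": "no such route"})
        uid = int(parts[2])
        if uid not in USERS:
            return Response(404, {"error": "no such user"})
        if self.enforce_owner and owner != uid:
            return Response(403, {"error": "forbidden"})
        # The verb is ignored on purpose: GET and POST both reach this point.
        return Response(200, USERS[uid])


def check_method_conversion(api, path, headers, body):
    """Replay the documented POST as a GET. If both succeed with the same
    body, the server does not distinguish the verbs (the slide's 'POST to
    GET conversion'); it matters most when a state-changing call is affected."""
    post = api.handle("POST", path, headers, body)
    get = api.handle("GET", path, headers)
    return post.status == get.status == 200 and post.body == get.body


def check_idor(api, path_template, headers, own_id, candidate_ids):
    """Request other users' resources with our own token. Returns the ids
    that came back 200 with a body: each one is an IDOR candidate."""
    leaked = []
    for cid in candidate_ids:
        if cid == own_id:
            continue
        resp = api.handle("GET", path_template.format(id=cid), headers)
        if resp.status == 200 and resp.body:
            leaked.append(cid)
    return leaked


def check_rate_limit(api, path, headers, attempts=50):
    """Fire a burst of requests; if no 429 ever comes back, rate limiting is
    not implemented. Returns True when that finding applies."""
    statuses = {api.handle("GET", path, headers).status for _ in range(attempts)}
    return 429 not in statuses


def run_checks(api=None):
    """Run the three checks as user 253 against the slide-9 endpoint."""
    api = api or MockApi()
    headers = {"Authorization": "Bearer tok-adam", "Content-Type": "application/json"}
    body = {"user": "adam", "role": "tester"}  # the JSON body from slide 9
    return {
        "method_conversion": check_method_conversion(api, "/users/view/253", headers, body),
        "idor_leaked_ids": check_idor(api, "/users/view/{id}", headers, 253, [253, 254, 255]),
        "no_rate_limit": check_rate_limit(api, "/users/view/253", headers),
    }


if __name__ == "__main__":
    print("weak target:    ", run_checks())
    print("hardened target:", run_checks(MockApi(enforce_owner=True, rate_limit=20)))
```

Against a real target the check functions stay the same; only `MockApi.handle` is swapped for a function that sends the request through your interception proxy (for example with `requests.request`), so the recorded traffic lands in Burp or ZAP alongside the manual testing. The candidate id list is where the "Enumeration" finding comes from: a predictable numeric id plus no ownership check is what turns a single IDOR into a full user dump.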
  11. Demo
  12. Questions
  13. References
     ■ https://www.soapui.org/testing-dojo/world-of-api-testing/soap-vs--rest-challenges.html
     ■ http://cybersecology.com/hackazon-review/
     ■ http://cybersecology.com/2014/11/googles-firing-range-test-site/
     ■ http://www.slideshare.net/SmartBear_Software/getting-started-with-api-security-testing
     ■ http://www.slideshare.net/ask4answers/rest-api-testing-with-specflow
     ■ http://www.slideshare.net/stormpath/rest-api-security
     ■ http://www.slideshare.net/taiseerjoudeh/http-services-security
  14. Thanks
