#ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman

#ATAGTR2018
Security Testing for
RESTful APIs
Anuradha Raman
27th September 2018

#ATAGTR2018
As a author of this presentation I/we own the copyright and confirm the originality of the content. I/we allow Agile testing alliance to use the content for social media
marketing, publishing it on ATA Blog or ATA social medial channels(Provided due credit is given to me/us)
Introduction
Most attacks that are possible with a web applications are possible with APIs as well. In
this digital world, most applications make liberal use of APIs as they provide rich user
experiences. APIs connect the billions of IoT devices to the cloud where the data they
collect is processed, crunched and made useful. While “API strategy” is becoming an
important business mantra, there is a gaping hole in API security. Just as an API can boost
business; an API breach can bring it crashing down. Even if security was built into the
internal services it is often made obsolete by new threats.
The three pillars of today’s application system are:
1. Web applications and Web services
2. IoT
3. Connected applications (connected by RESTful APIs)

#ATAGTR2018
Security Challenges in using REST APIs:
1. Use of Hyper Text Transfer Protocol Secure (HTTP/S):
REST uses simple HTTP for communication between machines. Some
APIs supports HTTPS only. Thus, RESTful services are subjected to all
the application layer security vulnerabilities as that of web applications
[OWASP Top 10 critical web application Security Risks]
2. Using HTTP Methods POST, PUT, DELETE(CRUD):
REST services use HTTP methods for CRUD operations. These methods
are limited to a resource by design, but does not get implemented
correctly.

#ATAGTR2018
3. Action Based Authentication and Access control:
Some REST frameworks intend to implement Action based authentication, wherein
different access constraints are bound to different HTTP actions (methods). Like
Create (POST) is restricted to users with admin access. But most such
implementations turn out to be insecure.
Actions
DELETE
POST
PUT
GET

#ATAGTR2018
4. Data Exchange (XML and JSON):
REST services use XML or JSON for input(request) and output(response) parameters
to exchange information. These parameters are consumed by the backend services or
UI. These consumers should ensure special parsers for handling these formats, that
has secure technology to protect these formats from malicious inputs.
5. URL Paths:
HTTP passes input parameters in URL, REST passes parameters in different ways in
URL or as JSON in the POST request body.
Consider the following requests, to get details of a resource:
The first is from a REST/JSON service, and the second is a Simple Object Access
Protocol (SOAP) service. The resource id parameter is highlighted in red. Observe the
lightness of the JSON request when compared to SOAP request. REST has no standard
security mechanism like SOAP Web services.

#ATAGTR2018
Security testing methodologies for REST APIs:
Black box testing:
 Black-box security testing refers to a method of software security testing in which
the security controls, defences, and design of an application are tested from the
outside-in, with little or no prior knowledge of the application’s internal workings.
Essentially, black-box security testing takes an approach like that of a real attacker.
 Black-box security testing does not assume or have knowledge of the target being
tested, it is a technology independent method of testing. This makes black-box
security testing ideal for a variety of situations, particularly, when testing for
vulnerabilities that arise from deployment issues and server misconfigurations.
 A black-box security test would start by collecting information about the target.
This is typically accomplished by crawling the API using tools like REST crawler.

#ATAGTR2018
Penetration Testing
Penetration Testing is practiced to find out the vulnerabilities that an attacker could
exploit.
Pen testing Prerequisites:
 Documentation(WADL)
 Formal Service Description
 Application source/configuration
 Sample request response/Postman collection
 Request Headers if any
 Access Token, API key
 Specific Workflows that are dependent on other endpoints
Test Approach for Pen Testing of a RESTful web service:
o Attack surface Detection
o Collect Requests
o Analyse Requests

#ATAGTR2018
Attack Surface Detection:
Determining the attack surface through documentation. Unfortunately,
an API has no UI to show the attack surface. As a Pen tester, we need to
know as much as possible about an API’s endpoints, messages,
parameters and behaviour. Attack surface Detection can be done using
1. API metadata
2. Record traffic via proxy or network sniffer to record and learn an API

#ATAGTR2018

#ATAGTR2018
Tests for API attack methods:
API Attack Method What is it? How to test?
API Fuzzing Sending random content as
input parameters to the API.
Fuzzing with all possible input
values is recursive fuzzing
This can be achieved by creating
automated fuzz tests that validate
response messages to
 not to conceal system information
 Return correct error
messages/response codes
Injection Attacks Using SQL, XML,
XPATH, JSON,
JavaScript etc., attempt to
inject code that is executed
where it should not be.
Understanding how the API works: SQL?
NoSQL? Other APIs
Invalid input attacks Sending known invalid input
(can be auto generated using
API metadata) like invalid
dates, invalid data types
Validate for system information and
error messages/status codes.
Cross Site
Request
Forgery(CSRF):
Include an unpredictable
token with each request
Functional testing of the API will validate
the API
Call without token and reused tokens.
Insecure Direct
Object
References
For Parameters like IDs and
which seem to be sequential,
trying to submit IDs to get
access
-Validate Authorisation enforcement
-Combine fuzzing or boundry tests with
invalid
IDs
Insufficient SSL
configurations
-Eavesdropping on
API traffic
-APIs should always use SSL
-Create simple tests that fail if HTTPS is
not enforced. -Create simple tests that
will
fail if certificates are selfsigned

#ATAGTR2018
Pen Testing using Wireshark (in Windows):
 Wireshark is one of the most popular open source network protocol analysis tool.
 It is used for troubleshooting, analysis, and software and communications protocol
development
 Application vulnerabilities such as parameter pollution, SQL injection, lack of input
validation, as well as buffer overflow can be easily detected and exploited using
Wireshark

#ATAGTR2018
Pen Testing with Wireshark can be done in three phases, namely:
I. Capturing the packets
II. Filtering the packets
III. Analysing the packets
I. Capturing the Packets:
 Launch the Wireshark from start menu.
 Set your browser to load the webpage on test.
 To capture packets, the capturing interface needs to be set up. Hence, go to
the Menu bar and click Capture -> Interfaces and choose the device that has
an active IP address. Click on start to so that Wireshark is ready to capture
any packets sent through the interface.

#ATAGTR2018
Analysing the packets:
There are different sections to examine, as seen above. Wireshark segregates the
relevant data following the transmission control protocol (TCP) stack principle for
better understanding.
 Frame: This tells users the frame number, time related information regarding
the packet, frame length, protocols within the frame, and the coloring rule.
 Ethernet II: Indicates the packet’s source and destination. o Internet
Protocol: Contains the source and destination information along with version,
header details, and lifetime. You will find source and destination IP addresses
here.
 TCP: Captures information about source and destination ports involved in the
communication, next sequence number to look out for, and different flags
(along with their values).
 HTTP: Contains information on the HTTP version, server info, timeout value,
connection status, content type, and character set used in the
communication.
 Line-based text data: This contains HTML source code (for analysing the HTTP
protocol).

#ATAGTR2018
How to grab passwords using Wireshark:
This section deals with how to capture username and password from transferred
packets. If the username and password are not in clear text format, you might have to
use few descriptors to get a readable username and password. The following
screenshot presents a clear text form of packing data. Hence, there is no need of
decryption tools. This technique can be used for FTP, HTTP, and other protocols, since
they are in clear text form

#ATAGTR2018
How to export selected bytes from captured packets:
1) Open any website that has few images of type .jpeg or .gif
2) Ensure that Wireshark’s Capture mode is active and navigate through the
pages with images. o Stop the capture of packets and search for a packet
with HTTP filter. Traverse through the filtered packets to find out the
HTTP call in which the image was retrieved by a GET call.
3) Select the packet and observe the second section. Select the .gif and right
click and select “Export Selected Bytes”. The images can be exported to
the local system successfully.

#ATAGTR2018
Detecting Cross Site scripting Vulnerability:
1) Download BTS Pentesting lab from Sourcefoge.net
2) Install XAMPP or WAMPP in your machine
3) Extract the zip file htdocs folder.
4) Open http://localhost/btslab/setup.php url in browser
5) Click setup

#ATAGTR2018
Detecting Cross Site scripting Vulnerability:

#ATAGTR2018
Xenotix – Cross site scripting (XSS)

#ATAGTR2018
Other Tools for Securing REST API:
Fiddler:
Fiddler is an open source tool that lets you monitor, manipulate and reuse HTTP
requests. It can be used for troubleshooting issues with web application and
debugging web traffic from most devices. It can act as an HTTP proxy. It is the easiest
tool to begin testing APIs.
Appspider:
Appspider is a DAST (Dynamic Application Security Testing) tool capable of testing
swagger enabled APIs. Ability to test Swagger enabled APIs saves huge time for
application security testers. AppSpider has two major innovations that enable it to
fully test Swagger APIs. The first is AppSpider’s Universal Translator and the second is
the ability to analyse these Swagger files. The Universal Translator was built to enable
AppSpider to analyse the parts of the application that can’t be crawled, like APIs. The
Universal Translator analyses traffic, normalizes an attacks the application.

#ATAGTR2018
Challenges in securing REST:
I. Inspecting the application does not reveal application attack surface: REST APIs
expose resources and transactional operations on them and applications only use
a subset of them. Thus, determining the URL space and attack surface is not easy.
II. Fuzzing standard parameters are not sufficient anymore
III. Guidelines for fuzzing are not defined
IV. Custom authentication and session management breaks common cookie sharing
practices
V. URLS are generated dynamically in REST based services
References: https://www.owasp.org/index.php/REST_Security_Cheat_S heet

#ATAGTR2018
Thank you
27th September 2018

#ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to #ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman

Similar to #ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman (20)

More from Agile Testing Alliance

More from Agile Testing Alliance (20)

Recently uploaded

Recently uploaded (20)

#ATAGTR2018 Presentation " Security Testing for RESTful APIs" By Anuradha Raman