PENTESTING REST API
null Bangalore Meet
Introduction
■ Nutan Kumar Panda
■ Aka @TheOsintGuy
■ Senior Information Security Engineer
■ Osint Enthusiast
■ Presenter at BH US/ BIU Israel/ GroundZero Summit/ CISO Summit etc
■ Co-Author of the book "Hacking Web Intelligence"
■ Contributor of DataSploit project
■ Active Contributor of null Bangalore Chapter
What can you expect?
■ Basic Theory
■ My personal Experience
■ Approach
■ Tools to trade
■ Test beds
■ One Example to think out of the box
■ Some Common Findings
■ Hands on Demos
Web Services
■ SOAP
■ Components
– Service Consumer
– Service Provider
– XML (Extensible Markup Language)
– SOAP (Simple Object Access Protocol)
– WSDL (Web Services Description Language)
– UDDI (Universal Description, Discovery and Integration)
■ http://resources.infosecinstitute.com/web-services-penetration-testing-part-1/
■ ReST
■ Components
– Resources (example.com/users/1)
– Verbs (CRUD/ POGPUD)
– Media Type (application/json)
– Status Codes (200,201,404 etc)
– Authentication (OAuth)
– http://www.slideshare.net/null0x00/o-auth-tokens
■ http://www.slideshare.net/null0x00/pentesting-restful-webservices-v10
http://www.slideshare.net/PraveenKumarKOSCP/introduction-to-web-services-penetration-testing (page 3)
How I Started?
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Approach
■ Do not jump to testing by getting an end point or set of end points
■ Ask for the documentation
■ Ask for the sample request response/ Postman collection
■ Ask for any particular header needed
■ Ask for token or any specific parameter or values for a parameter (to get in right flow)
■ Ask for the workflows (sometimes workflows are bound: you cannot jump directly to a web service and test it, because you need data that you get from other end points)
■ It's not only about fuzzing parameters
Tools to trade
■ ReST Client (Plug in)
■ Postman (App and Plugin)
■ Burp (ZAP/ Charles/ IronWASP or any other interception proxy)
■ Hurl.it (Online rest client)
■ SoapUI (https://www.youtube.com/watch?v=XV7WW0bDy9c)
■ Fuzzapi (https://github.com/lalithr95/Fuzzapi) Presented just the day before at AppSec USA by Abhijeet and Lalith
– http://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using-fuzzapi
– If you like this tool just spread the word with #fuzzapi
Test Beds
■ Hackazon
– Code: https://github.com/rapid7/hackazon
– Web Version: http://hackazon.webscantest.com/
– There is an apk also: https://github.com/rapid7/hackazon/tree/master/web/app.apk
– YouTube Video: https://www.youtube.com/watch?v=Yekzm0Olc3Y (Demo starts 24:00)
■ Mutillidae
– Code: https://sourceforge.net/projects/mutillidae/
– Video: https://www.youtube.com/watch?v=e6HAQnvuaic
■ DVWS
– Code: https://github.com/snoopythesecuritydog/dvws
– Tutorial: https://kali.tools/?p=1729
Example
POST example.com/users/view/253
{
  "user": "adam",
  "role": "tester"
}
Common Finding
■ Enumeration
■ Rate limiting not implemented
■ Information Disclosure
■ POST to GET conversion (Method Conversion)
■ IDOR
■ SQLI
■ Authorization Flaws
■ Token related issues (Expiry, reuse, predictable etc)
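The server-side checks whose absence produces three of the findings above (rate limiting not implemented, POST to GET method conversion, IDOR/authorization flaws), applied to the /users/view/253 request from the Example slide. This is an added Python example, not code from the deck or any of the test beds; the route table, user records, principal names and limits are constructed for illustration.

```python
"""Constructed request gate: rate limit, then verb check, then object-level authorization."""
import re
import time
from collections import defaultdict

# Constructed data: resource id -> owner and role (mirrors the Example slide's body).
USERS = {253: {"owner": "adam", "role": "tester"}, 254: {"owner": "eve", "role": "admin"}}
# Route table: the verbs each resource path legitimately accepts.
ROUTES = {re.compile(r"^/users/view/(\d+)$"): {"POST"}}


class RateLimiter:
    """Sliding-window limiter keyed by the authenticated principal, not the client IP."""

    def __init__(self, limit, window_s, clock=time.time):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.hits = defaultdict(list)

    def allow(self, key):
        now = self.clock()
        recent = [t for t in self.hits[key] if now - t < self.window_s]
        self.hits[key] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def handle(method, path, principal, limiter):
    """Return (status, body) for an authenticated request. Checks run in order:
    rate limit -> route/verb -> ownership of the requested object."""
    if not limiter.allow(principal):
        return 429, {"error": "rate limited"}
    for pattern, verbs in ROUTES.items():
        match = pattern.match(path)
        if not match:
            continue
        if method not in verbs:
            # A converted verb (POST -> GET) is rejected rather than silently served.
            return 405, {"error": "method not allowed"}
        record = USERS.get(int(match.group(1)))
        if record is None or record["owner"] != principal:
            # Same answer for "does not exist" and "not yours", so ids cannot be enumerated.
            return 404, {"error": "not found"}
        return 200, {"user": record["owner"], "role": record["role"]}
    return 404, {"error": "not found"}
```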
Demo
Questions
References
■ https://www.soapui.org/testing-dojo/world-of-api-testing/soap-vs--rest-challenges.html
■ http://cybersecology.com/hackazon-review/
■ http://cybersecology.com/2014/11/googles-firing-range-test-site/
■ http://www.slideshare.net/SmartBear_Software/getting-started-with-api-security-testing
■ http://www.slideshare.net/ask4answers/rest-api-testing-with-specflow
■ http://www.slideshare.net/stormpath/rest-api-security
■ http://www.slideshare.net/taiseerjoudeh/http-services-security
Thanks