SlideShare a Scribd company logo
`

ces
vi
sting
er
ente
P
bS
e
lW
Tfu
ES
R
MOH

IMRAN
MED A.
AM
Hello

MI

MOHAMMED A. IMRAN
Application Security Engineer, CA Inc
Null Hyderabad Lead
OWASP Hyderabad Board Member

@MohammedAImran

Created and Designed using
LET’S TALK ABOUT ...
WHAT IS RESTful
WEB SERVICES?

PROBLEMS WITH REST
WS TESTING

TOOLS & TECHNIQUES

METHODOLOGY TO TEST
RESTful WS
DID

YOU

?

KNOW
THE UGLY TRUTH

SOAP Webservices VS RESTful Webservices

Google Trends
They also rest on REST APIs
Why REST WebServices ?
Easy & Simple
GET /users/313/

VS
<?xml version="1.0"?>
<soap:Envelope
xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
<soap:Body xmlns:m="http://www.mysite.com/users">
  <m:GetUserDetails>
    <m:UserID>313</m:UserID>
  </m:GetUserDetails>
</soap:Body>
</soap:Envelope>
Light weight
{
"login": "MohammedAImran",
"type": "User",
"site_admin": false,
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "morpheus@null.co.in"
}

<soap:Body xmlns:m="http://www.mysite.com/users">
  <m:GetUserDetailsResponse>
    <m:UserName>MohammedAImran</m:UserName>
<m:Type>user</m:Type>

VS

<m:SiteAdmin>false</m:SiteAdmin>
<m:UserName>Mohammed A.Imran</m:UserName>
<m:Company>CA Inc</m:Company>
<m:Email> morpheus@null.co.in </m:Email>
  </m:GetUserDetailsResponse>
</soap:Body>

Note: REST can also use XML as media type
Many more reasons to use ...
●

Easy to understand & document

●

Easy on limited bandwidth

●

READS can be cached and hence reduces the bandwidth

●

Better browser support since data format mostly is json

●

Can be used by mobile devices

●

Loosely coupled
But what is REST ?
“

Representational state transfer (REST) is an
architectural style consisting of a coordinated
set of constraints applied to components,
connectors, and data elements, within a
distributed hypermedia system.
What ? Let me explain ...
REST is an architectural style with some imposed constraints
in how data is accessed and represented while developing web
services or applications. It uses HTTP 1.1 as inspiration.
In simple terms

REST = RFC 2616almost
Well,
In simple terms ...

REST = HTTP Protocol
with constraints
Architecture constraints
●

Uniform interface

●

Client-server

●

Stateless

●

Cache-able

●

Layered system

●

Code on demand(optional)
REST Style consists of ...

Resources

VERBS

Media Types

Status Codes
REST Style consists of ...

Resource URLs

VERBS

Media Types

Status Codes
Collection
RESOURCES

INSTANCE
RESOURCES
RESOURCES

Site.com/users/1

Site.com/users
NOUN
REST Style consists of ...

Resources

VERBS

Media Types

Status Codes
DELETE
VERBS

POST
PUT
READ
POST = CREATE some resource
Create a new
*

* POST can be used for both create and update
POST

http://mysite.com/users/

{

}

"login": "MohammedAImran",
"id": "313",
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "MohammedAbdullahImran@gmail.com"
GET = READsome resource
Fetch
GET site.com/users/
{ users:[
{
"login": "MohammedAImran",
"id": "313",
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "MohammedAbdullahImran@gmail.com"},
{
"login": "Raghunath",
"id": "311",
"name": " G Raghunath",
"company": "X Inc",
"email": "raghu@null.co.in"}]
}
GET site.com/users/313
{
"login": "MohammedAImran",
"id": "313",
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "MohammedAbdullahImran@gmail.com"
}
PUT =UPDATE/MODIFY
Update some resource

*

* PUT can be used for both create and update
DELETE = DELETE
Delete a resource
REST Style consists of ...

Resources

VERBS

Media Types

Status Codes
HATEOAS
Hypermedia As The Engine Of Application State
=

+
Specifications

Parsing Rules

Media Types
Media Type Examples
Application/json
Application/xml
Application/imrans+json;v1
REST Style consists of ...

Resources

VERBS

Media Types

Status Codes
Status Codes
200 OK
201 Created
204 No Content
304 Not Modified
500 Internal Server Error
501 Not Implemented

400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
RESTful WS testing problems
Difficulty in doing REST PT
●

Many JSON variables to fuzz and difficult to find which ones
are optional and to be fuzzed

●

Custom authentication

●

Statelessness

●

Non common HTTP status codes which tools are used to
Difficulty in doing REST PT ...
●
●

●

Not so good automated tool support
Every API is different from other and hence need custom
tweaking for tools
Heavy reliance on Ajax frameworks for creating PUT and
DELETE requests as most browsers don’t support them
REST WS testing Methodology
Authentication
Bad practices
http://site.com/token/a3b3c2be5f53c8/
https://site.com/token/a3b3c2be5f53c8/
Authentication ...
●

REST APIs rely heavily on SSL

●

Often basic authentication is coupled with SSL ( Bruteforce ? )

●

Often custom token authentication schemes are built and used
( a sure recipe for disaster)

●

Never pass username/password, tokens, keys in URL
(use POST instead )

●

Implementing authentication tokens in Headers takes away headache of
having a CSRF token
Session Management
●

Check all session based attacks on tokens as well

●

Session timeout

●

Session brute force

●

●

Generally tokens are stored in local storage of browsers,
make sure you delete the token after log-out and upon
browser window close
Invalidate the token at server side upon on logout
Authorization
●

Privilege escalation (Horizontal and Vertical)

●

Make sure there is a tight access control on DELETE, PUT methods

●

Use role based authentication

●

●

Since usually the consumers of the REST APIs are machines, there
are no checks if service is heavily used, could lead to DoS or
BruteForce.
Protect administrative functionality
CVE-2010-0738
JBOSS JMX Console Vulnerability
NOTE
All attacks which are possible on any web application are possible with
REST APIs as well.
Input Validation
●

SQL Injection

●

XSS

●

Command Injection

●

XPATH Injection

However XSS becomes difficult to fuzz because of JSON
and you might want to scan with sql injection and xss
profiles separately
Output encoding
●

If you application has a web interface then might want to use
the following headers:
X-Content-Type-Options: nosniff
– X-Frame-Options: DENY/SAMEORIGIN/ALLOW-FROM
JSON Encoding
–

●
Cryptography
●
●

Use TLS with good key size (384 bits preferably)
Use client side certificates possible however not usually seen
for APIs

●

Use strong hashing algorithms(scrypt/bcrypt/SHA512)

●

Use strong encryption mechanisms (AES)
Few notes ...
●

●
●

●

Use proxy to determine the attack surface and to understand
the application
Identify URLs, Resources, status codes and data needed
Every part of the http protocol is potential for fuzzing in
RESTful APIs (dont forget headers)
WAF evasion is possible since json is not well understood by
WAFs
Tools & Techniques
Command-line-Fu
cURL Primer
cURL
-b or - -cookie ”COOKIE HERE”
-h or - -header “Authorization: Custom SW1yYW5XYXNIZXJlCg==”
-X or - -request PUT/POST/DELETE
-i or - -include //include response headers
-d or - -data “username=imran&password=Imran” or - -data @filecontaining-data
-x or - - proxy 127.0.0.1:8080
-A or - -user-agent ”Firefox 27.0”
cURL Primer ...
●

●

●

cURL is great for automation if you know how service works.
cURL libraries are available for majority of the languages like php, python
and many more...
You can perform complex operations and script them pretty fast.
cURL Examples
#!/bin/bash
users="Imran Jaya Raghu Vinayak"
for dirName in $users
do
curl -i -H “Authorization: Custom SW1yYW5XYXNIZXJlCg==”
"http://www.mysite.com/users/$dirName" --proxy 127.0.0.1:8080
done
Graphical Tools
Firefox Add-on
Firefox Add-on ...
●

●

If you need graphical interface, browser add-ons provide GUI, however not
as powerful as the cURL command.
Specialized developer tools ( SOAP UI ) can also be used for testing.
Automated Tools
AppScan Scan

http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html
AppScan Scan...
Thank you !
Want to discuss more ?
Catch me on

www.twitter.com/MohammedAImran
www.linkedin.com/in/MohammedAImran
You might like these as well!
Credits
* All icons are taken from The Noun project, credit goes to
respective artists
* OWASP Cheat sheet series
References
http://www.slideshare.net/SOURCEConference/security-testing-for-rest-applications-ofer-shezaf-source-barcelona-nov-2011
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
http://securityreliks.wordpress.com/2010/07/28/testing-restful-services-with-appscan/
http://www-01.ibm.com/support/docview.wss?uid=swg21412832
http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html

More Related Content

What's hot

Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practices
Ankita Mahajan
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
Orest Ivasiv
 
Api Testing
Api TestingApi Testing
Api Testing
Vishwanath KC
 
REST and Microservices
REST and MicroservicesREST and Microservices
REST and Microservices
Shaun Abram
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Rest API
Rest APIRest API
Spring Boot and REST API
Spring Boot and REST APISpring Boot and REST API
Spring Boot and REST API
07.pallav
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
Tessa Mero
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST API
Aniruddh Bhilvare
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
What is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaWhat is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | Edureka
Edureka!
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Asish Kumar Rath
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Understanding REST
Understanding RESTUnderstanding REST
Understanding REST
Nitin Pande
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 

What's hot (20)

Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practices
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Api Testing
Api TestingApi Testing
Api Testing
 
REST and Microservices
REST and MicroservicesREST and Microservices
REST and Microservices
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Rest API
Rest APIRest API
Rest API
 
Spring Boot and REST API
Spring Boot and REST APISpring Boot and REST API
Spring Boot and REST API
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST API
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
What is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaWhat is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | Edureka
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Understanding REST
Understanding RESTUnderstanding REST
Understanding REST
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 

Viewers also liked

Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAutomated API pentesting using fuzzapi
Automated API pentesting using fuzzapi
Abhijeth D
 
Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0
n|u - The Open Security Community
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
Source Conference
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
Stormpath
 
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
John Dalsgaard
 
pwnd.sh
pwnd.shpwnd.sh
OMA Strategy on Open API Standardization
OMA Strategy on Open API StandardizationOMA Strategy on Open API Standardization
OMA Strategy on Open API Standardization
Musa Unmehopa
 
Building a RESTful API on Heroku for Your Force.com App
Building a RESTful API on Heroku for Your Force.com AppBuilding a RESTful API on Heroku for Your Force.com App
Building a RESTful API on Heroku for Your Force.com App
Salesforce Developers
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp
 
Paypal-IPN
Paypal-IPNPaypal-IPN
Paypal-IPN
Mindfire Solutions
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an Hour
Cyren, Inc
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social Engineering
Ishan Girdhar
 
Burp suite
Burp suiteBurp suite
Burp suite
Ammar WK
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
August Detlefsen
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning Strategies
Pavel Revenkov
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1
Anil Kumar M
 
Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)
Marc Wickenden
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
n|u - The Open Security Community
 
Basics of WCF and its Security
Basics of WCF and its SecurityBasics of WCF and its Security
Basics of WCF and its Security
Mindfire Solutions
 

Viewers also liked (20)

Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAutomated API pentesting using fuzzapi
Automated API pentesting using fuzzapi
 
Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
 
pwnd.sh
pwnd.shpwnd.sh
pwnd.sh
 
OMA Strategy on Open API Standardization
OMA Strategy on Open API StandardizationOMA Strategy on Open API Standardization
OMA Strategy on Open API Standardization
 
Building a RESTful API on Heroku for Your Force.com App
Building a RESTful API on Heroku for Your Force.com AppBuilding a RESTful API on Heroku for Your Force.com App
Building a RESTful API on Heroku for Your Force.com App
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
 
Paypal-IPN
Paypal-IPNPaypal-IPN
Paypal-IPN
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an Hour
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social Engineering
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning Strategies
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1
 
Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
Basics of WCF and its Security
Basics of WCF and its SecurityBasics of WCF and its Security
Basics of WCF and its Security
 

Similar to Pentesting RESTful webservices

Web Security
Web SecurityWeb Security
Web Security
Supankar Banik
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
Victor Bucutea
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
Rails Security
Rails SecurityRails Security
Rails Security
Wen-Tien Chang
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
Security Best Practices for Bot Builders
Security Best Practices for Bot BuildersSecurity Best Practices for Bot Builders
Security Best Practices for Bot Builders
Max Feldman
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
Frank Kim
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
Aman Kohli
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
bhumika2108
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
Michael Peters
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
Aaron Hnatiw
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
Priyanka Aash
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Hacking 101 (Session 2)
Hacking 101  (Session 2)Hacking 101  (Session 2)
Hacking 101 (Session 2)
Nitroxis Sprl
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
Daniel Owens
 
API SECURITY
API SECURITYAPI SECURITY

Similar to Pentesting RESTful webservices (20)

Web Security
Web SecurityWeb Security
Web Security
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Security Best Practices for Bot Builders
Security Best Practices for Bot BuildersSecurity Best Practices for Bot Builders
Security Best Practices for Bot Builders
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Hacking 101 (Session 2)
Hacking 101  (Session 2)Hacking 101  (Session 2)
Hacking 101 (Session 2)
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 

More from Mohammed A. Imran

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Mohammed A. Imran
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
Mohammed A. Imran
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
Mohammed A. Imran
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishments
Mohammed A. Imran
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction
Mohammed A. Imran
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Assembly language part I
Assembly language part IAssembly language part I
Assembly language part I
Mohammed A. Imran
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
Mohammed A. Imran
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security community
Mohammed A. Imran
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
Mohammed A. Imran
 

More from Mohammed A. Imran (15)

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishments
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Assembly language part I
Assembly language part IAssembly language part I
Assembly language part I
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security community
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 

Recently uploaded

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Zilliz
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 

Recently uploaded (20)

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 

Pentesting RESTful webservices