This document discusses testing REST web services at three levels: message level, resource level, and application level.
At the message level, tests check for correct HTTP syntax, semantics, and payload syntax and semantics. At the resource level, tests check if resources match link semantics, are available over time, have stable semantics over time, and maintain variants. At the application level, tests check if the service offers expected capabilities and if the user's goal is reachable.
The document provides guidance for both server and client developers, noting what each can rely on and what each must implement to ensure the service under test conforms to the constraints of REST.
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
Pragmatic RESTful API principles, along with a solid consumption architecture, can allow for a great amount of automation in your program development. At the same time, securing the application can be extremely tricky from JavaScript.
In this session we will explore several principles behind RESTful API design and consumption using JavaScript, many of the standards that were integrated in the redevelopment of the PayPal API architecture in the new RESTful APIs.
We will cover many of these architecture standards, including:
- Building in action automation using HATEOAS
- OAuth 2 in the JavaScript model
- The challenges behind secure resource consumption through JavaScript
Pragmatic RESTful API principles, along with a solid consumption architecture, can allow for a great amount of automation in your program development. At the same time, securing the application can be extremely tricky from JavaScript.
In this session we will explore several principles behind RESTful API design and consumption using JavaScript, many of the standards that were integrated in the redevelopment of the PayPal API architecture in the new RESTful APIs.
We will cover many of these architecture standards, including:
* Building in action automation using HATEOAS
* OAuth 2 in the JavaScript model
* The challenges behind secure resource consumption through JavaScript
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
Pragmatic RESTful API principles, along with a solid consumption architecture, can allow for a great amount of automation in your program development. At the same time, securing the application can be extremely tricky from JavaScript.
In this session we will explore several principles behind RESTful API design and consumption using JavaScript, many of the standards that were integrated in the redevelopment of the PayPal API architecture in the new RESTful APIs.
We will cover many of these architecture standards, including:
- Building in action automation using HATEOAS
- OAuth 2 in the JavaScript model
- The challenges behind secure resource consumption through JavaScript
Pragmatic RESTful API principles, along with a solid consumption architecture, can allow for a great amount of automation in your program development. At the same time, securing the application can be extremely tricky from JavaScript.
In this session we will explore several principles behind RESTful API design and consumption using JavaScript, many of the standards that were integrated in the redevelopment of the PayPal API architecture in the new RESTful APIs.
We will cover many of these architecture standards, including:
* Building in action automation using HATEOAS
* OAuth 2 in the JavaScript model
* The challenges behind secure resource consumption through JavaScript
Enterprise API adoption has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed.
This session focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question - and you need to deal with it quite carefully to identify and isolate the tradeoffs. Security is not an afterthought. It has to be an integral part of any development project - so as for APIs. API security has evolved a lot in last five years. This talk covers best practices in building an API Security Ecosystem with OAuth 2.0, UMA, SCIM, XACML and LDAP.
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
In graph we trust: Microservices, GraphQL and security challenges - Mohammed A. Imran
Microservices, RESTful and API-first architectures are rage these days and rightfully so, they solve some of the challenges of modern application development. Microservices enable organisations in shipping code to production faster and is accomplished by dividing big monolithic applications into smaller but specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls and frontend/backend gaps etc.,). GraphQL provides a powerful way to solve some of these challenges but with great power, comes great responsibility. GraphQL reduces the attack surface drastically(thanks to LangSec) but there are still many things which can go wrong.
This talk will cover the risks associated with GraphQL, challenges and solutions, which help in implementing Secure GraphQL based APIs. We will start off with introduction to GraphQL and its benefits. We then discuss the difficulty in securing these applications and why traditional security scanners don’t work with them. At last, we will cover solutions which help in securing these API by shifting left in DevOps pipeline.
We will cover the following as part of this presentation:
GraphQL use cases and how unicorns use them
Benefits and security challenges with GraphQL
Authentication and Authorisation
Resource exhaustion
Backend complexities with microservices
Need for tweaking conventional DevSecOps tools for security assurance
Security solutions which works with GraphQL
A RESTful API is only truly RESTful if it uses hypermedia to tell us about all the actions that can be performed on the curent resource, allowing us to traverse the API from a single entry point.
His session looks at REST and HATEOAS (Hypermedia As The Engine Of Application State) to illustrate good service structure. Ben will use the RESTful file sharing service fdrop.it to illustrate the various examples of how this can be used.
This session is recommended for architects and senior developers alike and will give a good grounding in writing excellent, self-explanatory RESTful services.
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
The adoption of Mobile and Cloud applications drives API traffic across domains. OAuth 2.0 is being implemented in complex enterprise environments where new authorization endpoints are combined with various existing identity components, in various configurations.
Handshakes are federated to help provide a single sign-on experience across applications and enhance adoption. Mediation between tokens at the edge of each domain helps extend existing data to new channels. Core grant types, extension grant types, custom schemes, standards, patterns and use cases – let us count the ways in which API access control is applied.
This presentation will examine the role of API management infrastructure in API Security, API Access Control and API Federation and its interaction with enterprise infrastructure, social identity and application developers.
The Ultimate Guide to Mobile API SecurityStormpath
Join Stormpath Developer Evangelist Edward Jiang to learn more about the common ways developers authenticate users in their mobile apps, what to watch out for when building your backend API and mobile apps, and how to integrate a secure user datastore to manage your users and authentication.
An introduction to REST and RESTful web services.
You can take the course below to learn about REST & RESTful web services.
https://www.udemy.com/building-php-restful-web-services/
A basic guide on how to scale up your web app.
It lists basic architectural principals and consist basic idea on caching, security, state less architecture etc
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
The Internet is full of Web Services, everyday more and more. Some services offer API (application programming interface) that developers use to build new applications (mash-ups). One of the most known and used technology for the machine-to-machine communication is SOAP (Simple Object Access Protocol) but in the last years we can use another paradigm, ReST (Representational State Transfer). How does it work?
Enterprise API adoption has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed.
This session focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question - and you need to deal with it quite carefully to identify and isolate the tradeoffs. Security is not an afterthought. It has to be an integral part of any development project - so as for APIs. API security has evolved a lot in last five years. This talk covers best practices in building an API Security Ecosystem with OAuth 2.0, UMA, SCIM, XACML and LDAP.
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
In graph we trust: Microservices, GraphQL and security challenges - Mohammed A. Imran
Microservices, RESTful and API-first architectures are rage these days and rightfully so, they solve some of the challenges of modern application development. Microservices enable organisations in shipping code to production faster and is accomplished by dividing big monolithic applications into smaller but specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls and frontend/backend gaps etc.,). GraphQL provides a powerful way to solve some of these challenges but with great power, comes great responsibility. GraphQL reduces the attack surface drastically(thanks to LangSec) but there are still many things which can go wrong.
This talk will cover the risks associated with GraphQL, challenges and solutions, which help in implementing Secure GraphQL based APIs. We will start off with introduction to GraphQL and its benefits. We then discuss the difficulty in securing these applications and why traditional security scanners don’t work with them. At last, we will cover solutions which help in securing these API by shifting left in DevOps pipeline.
We will cover the following as part of this presentation:
GraphQL use cases and how unicorns use them
Benefits and security challenges with GraphQL
Authentication and Authorisation
Resource exhaustion
Backend complexities with microservices
Need for tweaking conventional DevSecOps tools for security assurance
Security solutions which works with GraphQL
A RESTful API is only truly RESTful if it uses hypermedia to tell us about all the actions that can be performed on the curent resource, allowing us to traverse the API from a single entry point.
His session looks at REST and HATEOAS (Hypermedia As The Engine Of Application State) to illustrate good service structure. Ben will use the RESTful file sharing service fdrop.it to illustrate the various examples of how this can be used.
This session is recommended for architects and senior developers alike and will give a good grounding in writing excellent, self-explanatory RESTful services.
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
The adoption of Mobile and Cloud applications drives API traffic across domains. OAuth 2.0 is being implemented in complex enterprise environments where new authorization endpoints are combined with various existing identity components, in various configurations.
Handshakes are federated to help provide a single sign-on experience across applications and enhance adoption. Mediation between tokens at the edge of each domain helps extend existing data to new channels. Core grant types, extension grant types, custom schemes, standards, patterns and use cases – let us count the ways in which API access control is applied.
This presentation will examine the role of API management infrastructure in API Security, API Access Control and API Federation and its interaction with enterprise infrastructure, social identity and application developers.
The Ultimate Guide to Mobile API SecurityStormpath
Join Stormpath Developer Evangelist Edward Jiang to learn more about the common ways developers authenticate users in their mobile apps, what to watch out for when building your backend API and mobile apps, and how to integrate a secure user datastore to manage your users and authentication.
An introduction to REST and RESTful web services.
You can take the course below to learn about REST & RESTful web services.
https://www.udemy.com/building-php-restful-web-services/
A basic guide on how to scale up your web app.
It lists basic architectural principals and consist basic idea on caching, security, state less architecture etc
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
The Internet is full of Web Services, everyday more and more. Some services offer API (application programming interface) that developers use to build new applications (mash-ups). One of the most known and used technology for the machine-to-machine communication is SOAP (Simple Object Access Protocol) but in the last years we can use another paradigm, ReST (Representational State Transfer). How does it work?
This presentation walks through essential points for developing and working with REST APIs or web services to communicate through various platforms. This also explains HTTP methods.
This is the presentation from Null/OWASP/g4h December Bangalore MeetUp by Akash Mahajan.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Abstract:
This will cover the basics of Hyper Text Transfer Protocol. You will learn how to send HTTP requests like GET, POST by crafting them manually and using a command line tool like CURL. You will also see how session management using cookies happens using the same tools.
To practice along please install curl (http://curl.haxx.se/download.html).
This presentation will discuss how the Representational State Transfer (REST) architectural style can be applied to the design of your web services.
You will learn how to use HTTP methods and status codes properly and we will discuss how to use Hypermedia As The Engine Of Application State (HATEOAS). The principles of REST and HATEOAS will be demonstrated through the Atom Publishing Protocol (AtomPub) using the Google Data APIs and other AtomPub implementations as examples.
You know you have to have a great experience when you develop your iOS, android and Windows Phone applications right? The greatest experience you can give your users is around their data.
Covers topics like RestApi, Authentication, Authorization, Cacheability, Advantage of RestApi over SOAP and some basics regarding Open Data Protocol(OData).
This ppt will give you information about what is http protocol, who had developed it, how it works, http request and response, features, advantages, disadvantages and brief information about world wide web.
HTTP is the protocol of the web, and in this session we will look at HTTP from a web developer's perspective. We will cover resources, messages, cookies, and authentication protocols and we will see how the web scales to meet demand using cache headers. Armed with the fundamentals about HTTP, you will have the knowledge not only to build better Web/Mobile applications but also for consuming Web API.
KaTe RESTful adapter for SAP Process Integration: IntroductionKate_RESTful
Introduction and sample walktrough of the KaTe RESTful adapter for SAP Process Integration
http://kate-group.de/sap-beratung-services-projektmanagment/sap-rest-adapter/
40. curl -I http://foo.org/img/dog.jpg -HAccept:image/*
HTTP/1.1 406 Not Acceptable
Content-Length: 0
Verify that it is an image
406 —› Test failed
41. curl -I http://foo.org/blog/entries
-HAccept:application/atom+xml
HTTP/1.1 200 Ok
Content-Type: application/atom+xml
Verify that it is a collection
200 —› Test passed
50. GET /stock-quote/COKE HTTP/1.0
HTTP/1.0 200 Ok
Date: Wed, 3 Jun 2010 11:00:00 GMT
Content-Type: text/plain
Current weather in Berlin: 25 degrees
Celsius, sunny.
?
55. GET /orders/42 HTTP/1.0
Accept: application/order
HTTP/1.0 406 Not Acceptable
Date: Wed, 3 Jun 2010 11:00:00 GMT
Content-Type: text/plain
Media type application/order no longer
available. Try application/order.v2
?
57. TESTS
Resource
Level
•Does resource match link semantics?
•Is resource available over time?
•Are resource semantics stable over time?
•Are variants available over time?
59. What’s an application anyway?
•Buying a book in an online store
•Looking up a word in an online dictionary
•Taking an online exam
•Indexing a set of Web sites
•Checking for updates in monitored feeds
•Monitoring programming language
adoption using stackoverflow.com
61. GET /shop-home.html HTTP/1.0
Host: www.bestbookshop.com
HTTP/1.0 200 Ok
Content-Type: text/html
<html><body><p>
Sorry, buying is not possible here anymore.
Check out the store catalog at <a href=”/
catalog.html”/> and walk to one of our
stores. </p></body></html>
?
63. Application Level Tests
Does the service work
as expected by the application?
Testable only in context of the application. The server
cannot know how it is being re-used!
67. Resource
Level
•Does resource match link semantics?
•Is resource available over time?
•Are resource semantics stable over time?
•Are variants available over time?
Testing REST Web Services
Message
Level
•Correct HTTP syntax?
•Correct HTTP semantics?
•Correct payload syntax?
•Correct payload semantics?
68. Resource
Level
•Does resource match link semantics?
•Is resource available over time?
•Are resource semantics stable over time?
•Are variants available over time?
Testing REST Web Services
Application
Level
•Does service offer expected capability?
•Is the user goal reachable?
Message
Level
•Correct HTTP syntax?
•Correct HTTP semantics?
•Correct payload syntax?
•Correct payload semantics?
74. Server must...
•Conform to HTTP
•Conform to the media types used
•Resources must match link semantics
•Keep URIs around
•Keep resource semantics stable
•Maintain variants over time
•Maintain capabilities
78. Client may rely on...
•Message level correctness
•Resources matching link semantics
•Bookmarkable URIs
•Stable resource semantics
•Variant availability over time
•Stable service nature