Pentesting ReST API
null Bangalore Meet
Introduction
■ Nutan Kumar Panda
■ Aka @TheOsintGuy
■ Senior Information Security Engineer
■ Osint Enthusiast
■ Presenter at BH US/ BIU Israel/ GroundZero Summit/ CISO Summit etc
■ Co-Author of the book "Hacking Web Intelligence"
■ Contributor of DataSploit project
■ Active Contributor of null Bangalore Chapter
What can you expect?
■ Basic Theory
■ My personal Experience
■ Approach
■ Tools to trade
■ Test beds
■ One Example to think out of the box
■ Some Common Findings
■ Hands on Demos
Web Services
■ SOAP
■ Components
– Service Consumer
– Service Provider
– XML (Extensible Markup Language)
– SOAP (Simple Object Access Protocol)
– WSDL (Web Services Description Language)
– UDDI (Universal Description, Discovery and Integration)
■ http://resources.infosecinstitute.com/web-services-penetration-testing-part-1/
■ ReST
■ Components
– Resources (example.com/users/1)
– Verbs (CRUD/ POGPUD)
– Media Type (application/json)
– Status Codes (200, 201, 404, etc.)
– Authentication (OAuth)
– http://www.slideshare.net/null0x00/o-auth-tokens
■ http://www.slideshare.net/null0x00/pentesting-restful-webservices-v10
http://www.slideshare.net/PraveenKumarKOSCP/introduction-to-web-services-penetration-testing (page 3)
How I Started?
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Approach
■ Do not jump into testing as soon as you get an end point or a set of end points
■ Ask for the documentation
■ Ask for sample requests and responses / a Postman collection
■ Ask for any particular header that is needed
■ Ask for a token or any specific parameter, or the expected values of a parameter (to get into the right flow)
■ Ask for the workflows (sometimes workflows are bound: you cannot jump directly to a web service and test it, because you need data that you get from other end points)
■ It's not only about fuzzing parameters
Tools to trade
■ ReST Client (plug-in)
■ Postman (App and Plugin)
■ Burp (ZAP/ Charles/ IronWASP or any other interception proxy)
■ Hurl.it (online REST client)
■ SoapUI (https://www.youtube.com/watch?v=XV7WW0bDy9c)
■ Fuzzapi (https://github.com/lalithr95/Fuzzapi), presented just the day before at AppSec USA by Abhijeet and Lalith
– http://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using-fuzzapi
– If you like this tool just spread the word with #fuzzapi
Test Beds
■ Hackazon
– Code: https://github.com/rapid7/hackazon
– Web version: http://hackazon.webscantest.com/
– There is an apk also: https://github.com/rapid7/hackazon/tree/master/web/app.apk
– YouTube video: https://www.youtube.com/watch?v=Yekzm0Olc3Y (Demo starts 24:00)
■ Mutillidae
– Code: https://sourceforge.net/projects/mutillidae/
– Video: https://www.youtube.com/watch?v=e6HAQnvuaic
■ DVWS
– Code: https://github.com/snoopythesecuritydog/dvws
– Tutorial: https://kali.tools/?p=1729
Example
POST example.com/users/view/253
{
    "user": "adam",
    "role": "tester"
}
Common Findings
■ Enumeration
■ Rate limiting not implemented
■ Information Disclosure
■ POST to GET conversion (Method Conversion)
■ IDOR
■ SQLi
■ Authorization Flaws
■ Token related issues (expiry, reuse, predictability, etc.)
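As an added illustration (not code from the deck), the example request POST example.com/users/view/253 with its JSON body, handled first by a server that carries several of the findings listed above (method conversion accepted, IDOR on the id in the path, client-supplied "role" trusted) and then by a hardened handler. The user table, the path pattern and the session_user_id parameter are constructed assumptions.

```python
import json
import re

# Constructed sample data (not from the slides): stored users and their roles.
USERS = {
    253: {"user": "adam", "role": "tester"},
    254: {"user": "bob", "role": "admin"},
}

VIEW_PATH = re.compile(r"^/users/view/(\d+)$")


def vulnerable_view(method, path, body, session_user_id):
    """Handler with the flaws from the findings list: any verb is accepted,
    the id in the path is never compared with the caller (IDOR), and the
    role carried in the client body overrides the stored one. The
    authenticated session id is ignored entirely."""
    m = VIEW_PATH.match(path)
    if not m:
        return 404, None
    target_id = int(m.group(1))
    record = USERS.get(target_id)
    if record is None:
        return 404, None
    claimed = json.loads(body) if body else {}
    # Authorization flaw: the client decides which role the server reports.
    role = claimed.get("role", record["role"])
    return 200, {"user": record["user"], "role": role}


def hardened_view(method, path, body, session_user_id):
    """Hardened handler: one fixed verb, object-level authorization against
    the authenticated session, and the role read only from server state."""
    if method != "POST":
        return 405, None            # closes the POST-to-GET conversion finding
    m = VIEW_PATH.match(path)
    if not m:
        return 404, None
    target_id = int(m.group(1))
    caller = USERS.get(session_user_id)
    # Object-level check: a non-admin may only view their own record.
    allowed = caller is not None and (
        target_id == session_user_id or caller["role"] == "admin"
    )
    record = USERS.get(target_id)
    # One uniform 404 for "not yours" and "does not exist", so an
    # unauthorized caller cannot enumerate which ids are valid.
    if not allowed or record is None:
        return 404, None
    # The request body is deliberately ignored: "role" must never come from
    # the client; the stored record is authoritative.
    return 200, {"user": record["user"], "role": record["role"]}


if __name__ == "__main__":
    body = '{"user": "adam", "role": "admin"}'
    print("vulnerable:", vulnerable_view("POST", "/users/view/253", body, 253))
    print("hardened:  ", hardened_view("POST", "/users/view/253", body, 253))
```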
Demo
Questions
References
■ https://www.soapui.org/testing-dojo/world-of-api-testing/soap-vs--rest-challenges.html
■ http://cybersecology.com/hackazon-review/
■ http://cybersecology.com/2014/11/googles-firing-range-test-site/
■ http://www.slideshare.net/SmartBear_Software/getting-started-with-api-security-testing
■ http://www.slideshare.net/ask4answers/rest-api-testing-with-specflow
■ http://www.slideshare.net/stormpath/rest-api-security
■ http://www.slideshare.net/taiseerjoudeh/http-services-security
Thanks