SlideShare a Scribd company logo

Securty Testing For RESTful Applications

Source Conference
Source Conference

SOURCE Barcelona 2011 - Ofer Shezaf

Technology
1 of 30
Download to read offline
Security Testing For RESTful Applications Ofer Shezaf, HP Enterprise Security Products ofr@hp.com ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
About Myself Currently, chief architect for Risk and Vulnerability Management at HP. I create security Security research and Product Management at Breach Security, a Web Application Firewalls products vendor. Electric Cars security… Director, Web Application Security Consortium. I am an application Founded the OWASP Israeli chapter. security veteran ModSecurity Core Rule Set Project, WASC Web Hacking Incident Database. Read my blog at http://www.xiom.com I really try to learn what information Be ready to some philosophy of science and cognitive psychology security is I live in Kibbutz Yiftah, Israel
In this Presentation About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS Research Test Remediate
About RESTful Web Services About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 4
Web Services • Employing web technology (i.e. HTTP) for machine to machine communication. • Used for: – Inter application communication – Web 2.0 and Mashups – Think client applications – Phone applications
SOAP Web Services: Example GET /InStock/GetStockPrice?StockName=HP 6
SOAP Web Services Commonly used protocol set for Web Services The theory: However: • Structures and well • Complex and heavy defined • Especially for phone • Robust and Web 2.0 • Secure • Not the HTTP way • Designed to work on any protocol including SMTP 7
The REST design pattern Essentially what the Web always was Client/Server • Clients are separated from servers by a uniform interface. • The client–server communication is further constrained by no client Stateless context being stored on the server between requests*. • Responses must therefore, implicitly or explicitly, define themselves as Cacheable cacheable or not • A client cannot ordinarily tell whether it is connected directly to the end Layered server, or to an intermediary along the way. • A uniform interface between clients and servers simplifies and Uniform decouples the architecture. Code on demand • Servers are able to temporarily extend or customize the functionality of (optional) a client by transferring logic to it that it can execute. * The server can be stateful; this constraint merely requires that server-side state be addressable by URL as a resource. 8
RESTful Web Services Are: • A common practice for using REST design patterns for Web Services Are Not: • A well defined protocol • A set of software libraries or frameworks 9
Common RESTful WS Practices GET /InStock/HP Use of HTTP • CRUD: Create (PUT), Read (GET), Update (POST), methods to indicate Delete (DELETE) action Embedding • As part of the URL parameters in the • In headers request • Serialized as JSON in a parameter value of request body Structured output • Using JSON or XML for information serialization Custom • Use of the security token concept authentication and • Often use headers session management 10
RESTful WS Example More http://api.geonames.org/earthquakesJSON?north=44.1&south=- 9.9&east=-22.4&west=55.2&username=demo {"earthquakes": [ {"eqid":"c0001xgp","magnitude":8.8,"lng":142.369,"src":"us","datetime":"2011 -03-11 04:46:23","depth":24.4,"lat":38.322}, {"eqid":"2007hear","magnitude":8.4,"lng":101.3815,"src":"us","datetime":"200 7-09-12 09:10:26","depth":30,"lat":-4.5172}, {"eqid":"2007aqbk","magnitude":8,"lng":156.9567,"src":"us","datetime":"2007- 04-01 18:39:56","depth":10,"lat":-8.4528}, {"eqid":"2007hec6","magnitude":7.8,"lng":100.9638,"src":"us","datetime":"200 7-09-12 21:49:01","depth":10,"lat":-2.5265}, {"eqid":"a00043nx","magnitude":7.7,"lng":100.1139,"src":"us","datetime":"201 0-10-25 12:42:22","depth":20.6,"lat":-3.4841}, ... 11
More Examples It often doesn’t look like your typical Web (1 or 2) application Parameters in Headers None Standard Parameters/Method None Standard Authentication and Authorization 12
RESTful services Documentation • No common documentation format similar to WSDL. • WADL (Web Application Definition Languages) is a standard proposal: – Not approved – Not widely used 13
RESTful Web Services in the Wild About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 1 4
It’s Up and Coming! 15
Who Uses REST? 1 6
RESTful Web Services Security About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 1 7
You Already Know This Part REST is just Web REST Security is just Web application security
Key issues to keep in mind Some common design flaws associated with No standard security REST: Proprietary mechanism similar to • Overreliance on SSL authentication and SOAP Web Services • Session IDs used in the URL session management. (WS-*) • Using basic HTTP Authentication • Bad implementation of SSO 19
Pen Testing RESTful Web Services About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 2 0
Challenges Inspecting the application does not reveal application attack surface: • None Web applications • Not all Web Service functionality actually used by application • Requests are often dynamically created, Web 2.0 style. Fuzzing standard parameters not sufficient anymore • Uses none standard parameters. • Serialized inputs as JSON or XML Guidelines for fuzzing are missing • Determining initial values for fuzzing is hard for unused features • Potentially large number of parameters is inhibitive in terms of time and requires selection Custom authentication and session management breaks common cookie sharing practices. 21
Use Documentation Determine: Programing Guides Available services Use of HTTP methods Use of parameters Potential Sources: WADL Apache Mod_rewrite configuration Programing guides Configuration information Application source 22
Additional Documentation Examples WADL WCF 23
Use a Proxy Determining attack surface when no documentation exists Useful also when documentation exists to determine initial fuzzing values Extremely helpful for: • None web applications • Dynamically generated requests 24
Determining Parameters Look for none standard headers Determine if URL segments have a pattern • Numerical values • Well known templates Look for structures in parameter values • JSON, XML, YAML or other Look for irregular 404 responses • Including site specific “file not found” messages. Brute force • Change methods • Attack any URL segment 25
Automated RESTful Pen Testing About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 2 6
How Does Automated Pen-Testing works? • Determining attack surface Crawling • Historically only links based • Today employ JavaScript emulation to get dynamic requests • Parameter based: • Sending known attack vectors Attacking • Fuzzing parameters • Comparing behavior for different users or before and after login Pre- • Understanding request generation (i.e. links) • Understanding parameters requisites • Understanding session management
RESTful WS Challenges Finding attack surface by crawling Determining what elements of the request to attack Optimizing attacking time while still addressing all potential parameters. Getting initial values for fuzzing Custom authentication and session management breaks common cookie sharing practices. 28
Defining Rules • Define parameter structure for URLs. • Enable tool to use documentation & proxy discovered attack surface. • Automated discovery of rules: – Automated import of documentation sources. – Applying parameter determination techniques. 29
Thank You! Ofer Shezaf, ofr@hp.com 30

Recommended

Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web ServicesJan Algermissen
 
Api security
Api security Api security
Api security teodorcotruta
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 

Recommended

Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web ServicesJan Algermissen
 
Api security
Api security Api security
Api security teodorcotruta
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIStormpath
 
Best Practices in Web Service Design
Best Practices in Web Service DesignBest Practices in Web Service Design
Best Practices in Web Service DesignLorna Mitchell
 
RESTful modules in zf2
RESTful modules in zf2RESTful modules in zf2
RESTful modules in zf2Corley S.r.l.
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API SecurityTaiseer Joudeh
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodann|u - The Open Security Community
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
Attacking REST API
Attacking REST APIAttacking REST API
Attacking REST APISiddharth Bezalwar
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
An approach to app security - For beginners
An approach to app security - For beginnersAn approach to app security - For beginners
An approach to app security - For beginnersvodQA
 
Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0n|u - The Open Security Community
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 

More Related Content

What's hot

In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIStormpath
 
Best Practices in Web Service Design
Best Practices in Web Service DesignBest Practices in Web Service Design
Best Practices in Web Service DesignLorna Mitchell
 
RESTful modules in zf2
RESTful modules in zf2RESTful modules in zf2
RESTful modules in zf2Corley S.r.l.
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API SecurityTaiseer Joudeh
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
An approach to app security - For beginners
An approach to app security - For beginnersAn approach to app security - For beginners
An approach to app security - For beginnersvodQA
 

What's hot (20)

In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
 
Best Practices in Web Service Design
Best Practices in Web Service DesignBest Practices in Web Service Design
Best Practices in Web Service Design
 
RESTful modules in zf2
RESTful modules in zf2RESTful modules in zf2
RESTful modules in zf2
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API Security
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
 
Attacking REST API
Attacking REST APIAttacking REST API
Attacking REST API
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
An approach to app security - For beginners
An approach to app security - For beginnersAn approach to app security - For beginners
An approach to app security - For beginners
 

Viewers also liked

Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAutomated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAbhijeth D
 
Why vREST?
Why vREST?Why vREST?
Why vREST?vrest_io
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku
 
REST API testing with SpecFlow
REST API testing with SpecFlowREST API testing with SpecFlow
REST API testing with SpecFlowAiste Stikliute
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!VAddy
 
Web Service Workshop - 3 days
Web Service Workshop - 3 daysWeb Service Workshop - 3 days
Web Service Workshop - 3 daysDavid Ionut
 
TDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBTDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBValeri Karpov
 
Web Service Testing using TestComplete
Web Service Testing using TestCompleteWeb Service Testing using TestComplete
Web Service Testing using TestCompletesrivinayak
 
SOAP-UI The Web service Testing
SOAP-UI The Web service TestingSOAP-UI The Web service Testing
SOAP-UI The Web service TestingGanesh Mandala
 
Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)Postman
 
Top 5 Ways To Increase API Adoption
Top 5 Ways To Increase API AdoptionTop 5 Ways To Increase API Adoption
Top 5 Ways To Increase API AdoptionProgrammableWeb
 

Viewers also liked (20)

Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAutomated API pentesting using fuzzapi
Automated API pentesting using fuzzapi
 
JSON Injection
JSON InjectionJSON Injection
JSON Injection
 
Why vREST?
Why vREST?Why vREST?
Why vREST?
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons Learned
 
API Testing
API TestingAPI Testing
API Testing
 
Api testing
Api testingApi testing
Api testing
 
REST API testing with SpecFlow
REST API testing with SpecFlowREST API testing with SpecFlow
REST API testing with SpecFlow
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
Piotr Boho - testing web services (soap)
Piotr Boho - testing web services (soap)Piotr Boho - testing web services (soap)
Piotr Boho - testing web services (soap)
 
Webservice Testing
Webservice TestingWebservice Testing
Webservice Testing
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!
 
Web Service Workshop - 3 days
Web Service Workshop - 3 daysWeb Service Workshop - 3 days
Web Service Workshop - 3 days
 
TDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBTDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDB
 
Web Service Testing using TestComplete
Web Service Testing using TestCompleteWeb Service Testing using TestComplete
Web Service Testing using TestComplete
 
SOAP-UI The Web service Testing
SOAP-UI The Web service TestingSOAP-UI The Web service Testing
SOAP-UI The Web service Testing
 
Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)
 
Top 5 Ways To Increase API Adoption
Top 5 Ways To Increase API AdoptionTop 5 Ways To Increase API Adoption
Top 5 Ways To Increase API Adoption
 

Similar to Securty Testing For RESTful Applications

Owin from spec to application
Owin from spec to applicationOwin from spec to application
Owin from spec to applicationdamian-h
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Overview of REST - Raihan Ullah
Overview of REST - Raihan UllahOverview of REST - Raihan Ullah
Overview of REST - Raihan UllahCefalo
 
Structured Functional Automated Web Service Testing
Structured Functional Automated Web Service TestingStructured Functional Automated Web Service Testing
Structured Functional Automated Web Service Testingrdekleijn
 
InterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soaInterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soanick_garrod
 
Middleware in the cloud platform-v2
Middleware in the cloud platform-v2Middleware in the cloud platform-v2
Middleware in the cloud platform-v2Hammad Rajjoub
 
Serverless: The future of application delivery
Serverless: The future of application deliveryServerless: The future of application delivery
Serverless: The future of application deliveryDoug Vanderweide
 
.NET microservices with Azure Service Fabric
.NET microservices with Azure Service Fabric.NET microservices with Azure Service Fabric
.NET microservices with Azure Service FabricDavide Benvegnù
 
15-factor-apps.pdf
15-factor-apps.pdf15-factor-apps.pdf
15-factor-apps.pdfNilesh Gule
 
Itp web application development
Itp web application developmentItp web application development
Itp web application developmentShibu S R
 
Developing and Hosting SOAP Based Services
Developing and Hosting SOAP Based ServicesDeveloping and Hosting SOAP Based Services
Developing and Hosting SOAP Based ServicesStephenKardian
 
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...Spiffy
 
Overview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIOverview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIPankaj Bajaj
 
REST - Representational state transfer
REST - Representational state transferREST - Representational state transfer
REST - Representational state transferTricode (part of Dept)
 
Moving Windows Applications to the Cloud
Moving Windows Applications to the CloudMoving Windows Applications to the Cloud
Moving Windows Applications to the CloudRightScale
 
“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with EverythingDave Hay
 

Similar to Securty Testing For RESTful Applications (20)

Owin from spec to application
Owin from spec to applicationOwin from spec to application
Owin from spec to application
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
RESTful services
RESTful servicesRESTful services
RESTful services
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Overview of REST - Raihan Ullah
Overview of REST - Raihan UllahOverview of REST - Raihan Ullah
Overview of REST - Raihan Ullah
 
Structured Functional Automated Web Service Testing
Structured Functional Automated Web Service TestingStructured Functional Automated Web Service Testing
Structured Functional Automated Web Service Testing
 
InterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soaInterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soa
 
Middleware in the cloud platform-v2
Middleware in the cloud platform-v2Middleware in the cloud platform-v2
Middleware in the cloud platform-v2
 
Serverless: The future of application delivery
Serverless: The future of application deliveryServerless: The future of application delivery
Serverless: The future of application delivery
 
.NET microservices with Azure Service Fabric
.NET microservices with Azure Service Fabric.NET microservices with Azure Service Fabric
.NET microservices with Azure Service Fabric
 
15-factor-apps.pdf
15-factor-apps.pdf15-factor-apps.pdf
15-factor-apps.pdf
 
Itp web application development
Itp web application developmentItp web application development
Itp web application development
 
Real time web apps
Real time web appsReal time web apps
Real time web apps
 
Developing and Hosting SOAP Based Services
Developing and Hosting SOAP Based ServicesDeveloping and Hosting SOAP Based Services
Developing and Hosting SOAP Based Services
 
a
aa
a
 
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...
 
Overview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIOverview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB API
 
REST - Representational state transfer
REST - Representational state transferREST - Representational state transfer
REST - Representational state transfer
 
Moving Windows Applications to the Cloud
Moving Windows Applications to the CloudMoving Windows Applications to the Cloud
Moving Windows Applications to the Cloud
 
“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything
 

More from Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 

More from Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 

Recently uploaded

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 

Recently uploaded (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 

Securty Testing For RESTful Applications

  • 1. Security Testing For RESTful Applications Ofer Shezaf, HP Enterprise Security Products ofr@hp.com ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
  • 2. About Myself Currently, chief architect for Risk and Vulnerability Management at HP. I create security Security research and Product Management at Breach Security, a Web Application Firewalls products vendor. Electric Cars security… Director, Web Application Security Consortium. I am an application Founded the OWASP Israeli chapter. security veteran ModSecurity Core Rule Set Project, WASC Web Hacking Incident Database. Read my blog at http://www.xiom.com I really try to learn what information Be ready to some philosophy of science and cognitive psychology security is I live in Kibbutz Yiftah, Israel
  • 3. In this Presentation About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS Research Test Remediate
  • 4. About RESTful Web Services About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 4
  • 5. Web Services • Employing web technology (i.e. HTTP) for machine to machine communication. • Used for: – Inter application communication – Web 2.0 and Mashups – Think client applications – Phone applications
  • 6. SOAP Web Services: Example GET /InStock/GetStockPrice?StockName=HP 6
  • 7. SOAP Web Services Commonly used protocol set for Web Services The theory: However: • Structures and well • Complex and heavy defined • Especially for phone • Robust and Web 2.0 • Secure • Not the HTTP way • Designed to work on any protocol including SMTP 7
  • 8. The REST design pattern Essentially what the Web always was Client/Server • Clients are separated from servers by a uniform interface. • The client–server communication is further constrained by no client Stateless context being stored on the server between requests*. • Responses must therefore, implicitly or explicitly, define themselves as Cacheable cacheable or not • A client cannot ordinarily tell whether it is connected directly to the end Layered server, or to an intermediary along the way. • A uniform interface between clients and servers simplifies and Uniform decouples the architecture. Code on demand • Servers are able to temporarily extend or customize the functionality of (optional) a client by transferring logic to it that it can execute. * The server can be stateful; this constraint merely requires that server-side state be addressable by URL as a resource. 8
  • 9. RESTful Web Services Are: • A common practice for using REST design patterns for Web Services Are Not: • A well defined protocol • A set of software libraries or frameworks 9
  • 10. Common RESTful WS Practices GET /InStock/HP Use of HTTP • CRUD: Create (PUT), Read (GET), Update (POST), methods to indicate Delete (DELETE) action Embedding • As part of the URL parameters in the • In headers request • Serialized as JSON in a parameter value of request body Structured output • Using JSON or XML for information serialization Custom • Use of the security token concept authentication and • Often use headers session management 10
  • 11. RESTful WS Example More http://api.geonames.org/earthquakesJSON?north=44.1&south=- 9.9&east=-22.4&west=55.2&username=demo {"earthquakes": [ {"eqid":"c0001xgp","magnitude":8.8,"lng":142.369,"src":"us","datetime":"2011 -03-11 04:46:23","depth":24.4,"lat":38.322}, {"eqid":"2007hear","magnitude":8.4,"lng":101.3815,"src":"us","datetime":"200 7-09-12 09:10:26","depth":30,"lat":-4.5172}, {"eqid":"2007aqbk","magnitude":8,"lng":156.9567,"src":"us","datetime":"2007- 04-01 18:39:56","depth":10,"lat":-8.4528}, {"eqid":"2007hec6","magnitude":7.8,"lng":100.9638,"src":"us","datetime":"200 7-09-12 21:49:01","depth":10,"lat":-2.5265}, {"eqid":"a00043nx","magnitude":7.7,"lng":100.1139,"src":"us","datetime":"201 0-10-25 12:42:22","depth":20.6,"lat":-3.4841}, ... 11
  • 12. More Examples It often doesn’t look like your typical Web (1 or 2) application Parameters in Headers None Standard Parameters/Method None Standard Authentication and Authorization 12
  • 13. RESTful services Documentation • No common documentation format similar to WSDL. • WADL (Web Application Definition Languages) is a standard proposal: – Not approved – Not widely used 13
  • 14. RESTful Web Services in the Wild About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 1 4
  • 15. It’s Up and Coming! 15
  • 17. RESTful Web Services Security About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 1 7
  • 18. You Already Know This Part REST is just Web REST Security is just Web application security
  • 19. Key issues to keep in mind Some common design flaws associated with No standard security REST: Proprietary mechanism similar to • Overreliance on SSL authentication and SOAP Web Services • Session IDs used in the URL session management. (WS-*) • Using basic HTTP Authentication • Bad implementation of SSO 19
  • 20. Pen Testing RESTful Web Services About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 2 0
  • 21. Challenges Inspecting the application does not reveal application attack surface: • None Web applications • Not all Web Service functionality actually used by application • Requests are often dynamically created, Web 2.0 style. Fuzzing standard parameters not sufficient anymore • Uses none standard parameters. • Serialized inputs as JSON or XML Guidelines for fuzzing are missing • Determining initial values for fuzzing is hard for unused features • Potentially large number of parameters is inhibitive in terms of time and requires selection Custom authentication and session management breaks common cookie sharing practices. 21
  • 22. Use Documentation Determine: Programing Guides Available services Use of HTTP methods Use of parameters Potential Sources: WADL Apache Mod_rewrite configuration Programing guides Configuration information Application source 22
  • 24. Use a Proxy Determining attack surface when no documentation exists Useful also when documentation exists to determine initial fuzzing values Extremely helpful for: • None web applications • Dynamically generated requests 24
  • 25. Determining Parameters Look for none standard headers Determine if URL segments have a pattern • Numerical values • Well known templates Look for structures in parameter values • JSON, XML, YAML or other Look for irregular 404 responses • Including site specific “file not found” messages. Brute force • Change methods • Attack any URL segment 25
  • 26. Automated RESTful Pen Testing About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 2 6
  • 27. How Does Automated Pen-Testing works? • Determining attack surface Crawling • Historically only links based • Today employ JavaScript emulation to get dynamic requests • Parameter based: • Sending known attack vectors Attacking • Fuzzing parameters • Comparing behavior for different users or before and after login Pre- • Understanding request generation (i.e. links) • Understanding parameters requisites • Understanding session management
  • 28. RESTful WS Challenges Finding attack surface by crawling Determining what elements of the request to attack Optimizing attacking time while still addressing all potential parameters. Getting initial values for fuzzing Custom authentication and session management breaks common cookie sharing practices. 28
  • 29. Defining Rules • Define parameter structure for URLs. • Enable tool to use documentation & proxy discovered attack surface. • Automated discovery of rules: – Automated import of documentation sources. – Applying parameter determination techniques. 29
  • 30. Thank You! Ofer Shezaf, ofr@hp.com 30