9. Lightweight
<soap:Body xmlns:m="http://www.mysite.com/users">
<m:GetUserDetailsResponse>
<m:UserName>MohammedAImran</m:UserName>
<m:Type>user</m:Type>
<m:SiteAdmin>false</m:SiteAdmin>
<m:UserName>Mohammed A.Imran</m:UserName>
<m:Company>CA Inc</m:Company>
<m:Email>morpheus@null.co.in</m:Email>
</m:GetUserDetailsResponse>
</soap:Body>
VS
{
"login": "MohammedAImran",
"type": "User",
"site_admin": false,
"name": "Mohammed A. Imran",
"company": "CA Inc",
"email": "morpheus@null.co.in"
}
Note: REST can also use XML as the media type
10. Many more reasons to use...
● Easy to understand & document
● Easy on limited bandwidth
● READs can be cached, which further reduces bandwidth
● Better browser support, since the data format is mostly JSON
● Can be used by mobile devices
● Loosely coupled
12. “Representational state transfer (REST) is an architectural style consisting of a coordinated set of constraints applied to components, connectors, and data elements, within a distributed hypermedia system.”
13. What? Let me explain...
REST is an architectural style with some imposed constraints on how data is accessed and represented while developing web services or applications. It uses HTTP 1.1 as inspiration.
34. Status Codes
200 OK
201 Created
204 No Content
304 Not Modified
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
500 Internal Server Error
501 Not Implemented
36. Difficulty in doing REST PT
● Many JSON variables to fuzz, and it is difficult to find which ones are optional and should be fuzzed
● Custom authentication
● Statelessness
● Uncommon HTTP status codes, unlike the ones tools are used to
37. Difficulty in doing REST PT...
● Not so good automated tool support
● Every API is different from the others and hence needs custom tweaking of tools
● Heavy reliance on Ajax frameworks for creating PUT and DELETE requests, as most browsers don’t support them
41. Authentication...
● REST APIs rely heavily on SSL
● Often basic authentication is coupled with SSL (brute force?)
● Often custom token authentication schemes are built and used (a sure recipe for disaster)
● Never pass usernames/passwords, tokens or keys in the URL (use POST instead)
● Sending authentication tokens in headers takes away the headache of having a CSRF token
42. Session Management
● Check for all session-based attacks on tokens as well
● Session timeout
● Session brute force
● Tokens are generally stored in the browser’s local storage; make sure you delete the token after log-out and upon browser window close
● Invalidate the token on the server side upon logout
43. Authorization
● Privilege escalation (horizontal and vertical)
● Make sure there is tight access control on the DELETE and PUT methods
● Use role-based authorization
● Since the consumers of REST APIs are usually machines, there are often no checks on whether the service is being heavily used, which could lead to DoS or brute force
● Protect administrative functionality
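To make the checks from slides 34, 41, 42 and 43 concrete, here is an added example (not from the original deck) of a minimal server-side request handler for a hypothetical /users/<name> resource: it rejects credentials passed in the URL, reads a Bearer token from the Authorization header, keeps tokens in a server-side store so logout actually invalidates them, and applies horizontal and role-based checks before PUT/DELETE. The user and role table is constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed role table for the example (hypothetical users).
ROLES = {"alice": "admin", "bob": "user"}


@dataclass
class SessionStore:
    # Server-side map of token -> username. Removing the entry on logout
    # means a copied token cannot be replayed after the user signs out.
    tokens: dict = field(default_factory=dict)

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.tokens[token] = username
        return token

    def logout(self, token: str) -> None:
        self.tokens.pop(token, None)

    def lookup(self, token: str):
        # Constant-time comparison against every stored token.
        for stored, user in self.tokens.items():
            if hmac.compare_digest(stored, token):
                return user
        return None


def handle(method: str, path: str, query: dict, headers: dict, store: SessionStore) -> int:
    """Return the HTTP status code the API should answer for this request."""
    if "token" in query or "password" in query:
        return 400  # credentials in the URL end up in logs and history: refuse them
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = store.lookup(token) if scheme == "Bearer" and token else None
    if user is None:
        return 401  # unauthenticated (or token already invalidated by logout)
    if method not in ("GET", "PUT", "DELETE"):
        return 405
    if not path.startswith("/users/"):
        return 404
    target = path[len("/users/"):]
    if method == "GET":
        # Horizontal check: a user may read only their own record, admins any.
        return 200 if target == user or ROLES[user] == "admin" else 403
    # PUT and DELETE are the destructive methods: restrict them to the admin role.
    if ROLES[user] != "admin":
        return 403
    return 204 if method == "DELETE" else 200
```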
48. Output encoding
● If your application has a web interface, then you might want to use the following headers:
– X-Content-Type-Options: nosniff
– X-Frame-Options: DENY/SAMEORIGIN/ALLOW-FROM
● JSON encoding
49. Cryptography
● Use TLS with a good key size (384 bits preferably)
● Use client-side certificates where possible, though they are not usually seen for APIs
● Use strong hashing algorithms (scrypt/bcrypt/SHA512)
● Use strong encryption mechanisms (AES)
50. Few notes...
● Use a proxy to determine the attack surface and to understand the application
● Identify URLs, resources, status codes and the data needed
● Every part of the HTTP protocol is a potential fuzzing target in RESTful APIs (don’t forget headers)
● WAF evasion is possible, since JSON is not well understood by WAFs
53. cURL Primer
cURL
-b or --cookie "COOKIE HERE"
-H or --header "Authorization: Custom SW1yYW5XYXNIZXJlCg=="
-X or --request PUT/POST/DELETE
-i or --include // include response headers
-d or --data "username=imran&password=Imran" or --data @file-containing-data
-x or --proxy 127.0.0.1:8080
-A or --user-agent "Firefox 27.0"
54. cURL Primer...
● cURL is great for automation if you know how the service works.
● cURL libraries are available for the majority of languages, like PHP, Python and many more...
● You can perform complex operations and script them pretty fast.
55. cURL Examples
#!/bin/bash
# Fetch each user resource through the local intercepting proxy,
# sending the custom Authorization header and printing response headers (-i).
users="Imran Jaya Raghu Vinayak"
for dirName in $users
do
    curl -i -H "Authorization: Custom SW1yYW5XYXNIZXJlCg==" \
        "http://www.mysite.com/users/$dirName" --proxy 127.0.0.1:8080
done
58. Firefox Add-on...
● If you need a graphical interface, browser add-ons provide a GUI, though not as powerful as the cURL command.
● Specialized developer tools (SOAP UI) can also be used for testing.