PENTESTING REST API null Bangalore Meet


Page 1: Pentesting ReST API

PENTESTING REST API

null Bangalore Meet

Page 2: Pentesting ReST API

Introduction

■ Nutan Kumar Panda
■ Aka @TheOsintGuy
■ Senior Information Security Engineer
■ OSINT Enthusiast
■ Presenter at BH US/ BIU Israel/ GroundZero Summit/ CISO Summit etc.
■ Co-Author of the book "Hacking Web Intelligence"
■ Contributor to the DataSploit project
■ Active Contributor to the null Bangalore Chapter

Page 3: Pentesting ReST API

What can you expect?

■ Basic Theory
■ My personal Experience
■ Approach
■ Tools to trade
■ Test beds
■ One Example to think out of the box
■ Some Common Findings
■ Hands on Demos

Page 4: Pentesting ReST API

Web Services

■ SOAP
■ Components

– Service Consumer

– Service Provider

– XML (Extensible Markup Language)

– SOAP (Simple Object Access Protocol)

– WSDL (Web Services Description Language)

– UDDI (Universal Description, Discovery and Integration)

■ http://resources.infosecinstitute.com/web-services-penetration-testing-part-1/

■ ReST
■ Components

– Resources (example.com/users/1)

– Verbs (CRUD/ POGPUD)

– Media Type (Application/Json)

– Status Codes (200, 201, 404 etc.)

– Authentication (OAuth)

– http://www.slideshare.net/null0x00/o-auth-tokens

■ http://www.slideshare.net/null0x00/pentesting-restful-webservices-v10

http://www.slideshare.net/PraveenKumarKOSCP/introduction-to-web-services-penetration-testing (page 3)

Page 5: Pentesting ReST API

How I Started?

https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

Page 6: Pentesting ReST API

Approach

■ Do not jump to testing by getting an end point or a set of end points
■ Ask for the documentation
■ Ask for sample request/response pairs or a Postman collection
■ Ask for any particular header needed
■ Ask for a token or any specific parameter, or the values a parameter accepts (to get into the right flow)
■ Ask for the workflows (sometimes workflows are bound: you cannot jump directly to a web service and test it, you need some data that you get from other end points)
■ It's not only about fuzzing parameters

Page 7: Pentesting ReST API

Tools to trade

■ ReST Client (plug-in)
■ Postman (app and plugin)
■ Burp (ZAP/ Charles/ IronWASP or any other interception proxy)
■ Hurl.it (online REST client)
■ SoapUI (https://www.youtube.com/watch?v=XV7WW0bDy9c)
■ Fuzzapi (https://github.com/lalithr95/Fuzzapi), presented just the day before at AppSec USA by Abhijeet and Lalith

– http://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using-fuzzapi

– If you like this tool, just spread the word with #fuzzapi

Page 8: Pentesting ReST API

Test Beds

■ Hackazon
– Code: https://github.com/rapid7/hackazon
– Web Version: http://hackazon.webscantest.com/
– There is an apk also: https://github.com/rapid7/hackazon/tree/master/web/app.apk
– YouTube Video: https://www.youtube.com/watch?v=Yekzm0Olc3Y (demo starts at 24:00)

■ Mutillidae
– Code: https://sourceforge.net/projects/mutillidae/
– Video: https://www.youtube.com/watch?v=e6HAQnvuaic

■ DVWS
– Code: https://github.com/snoopythesecuritydog/dvws
– Tutorial: https://kali.tools/?p=1729

Page 9: Pentesting ReST API

Example

POST example.com/users/view/253

{
  "user": "adam",
  "role": "tester"
}

Page 10: Pentesting ReST API

Common Finding

■ Enumeration
■ Rate limiting not implemented
■ Information Disclosure
■ POST to GET conversion (Method Conversion)
■ IDOR
■ SQLi
■ Authorization Flaws
■ Token related issues (expiry, reuse, predictability etc.)
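To make the Example slide (POST example.com/users/view/253 with a "role" in the body) and several of the findings above concrete, here is an added illustration that is not part of the deck: a weak handler for that endpoint next to a hardened one. The weak version trusts the client-supplied "role", accepts GET as well as POST (method conversion), lets any caller read any user id (IDOR) and answers 404 vs 200 so ids can be enumerated; the hardened version takes identity and role from a server-side session and gives one uniform answer for "not yours" and "not found". The user store, session tokens and user ids are constructed sample data.

```python
import json

# Constructed sample data standing in for the user table and session store.
USERS = {253: {"user": "adam", "email": "adam@example.com"},
         254: {"user": "bob", "email": "bob@example.com"}}
SESSIONS = {"tok-adam": {"user_id": 253, "role": "tester"},
            "tok-bob": {"user_id": 254, "role": "tester"},
            "tok-admin": {"user_id": 1, "role": "admin"}}
SAMPLE_BODY = '{"user": "adam", "role": "tester"}'  # body from the slide


def view_user_weak(method, user_id, body):
    """Weak handler: role comes from the request body, any method is
    accepted, no ownership check, and 404/200 reveals which ids exist."""
    claims = json.loads(body) if body else {}
    if claims.get("role") not in ("tester", "admin"):
        return 403, None
    record = USERS.get(user_id)
    if record is None:
        return 404, None
    return 200, record


def view_user_hardened(method, user_id, body, token):
    """Hardened handler: method is enforced, identity and role come from
    the server-side session, and a record the caller may not see is
    indistinguishable from one that does not exist."""
    if method != "POST":
        return 405, None               # no POST-to-GET conversion
    session = SESSIONS.get(token)
    if session is None:
        return 401, None               # no valid session, no data
    # The body is parsed only for its legitimate fields; "role" is ignored.
    json.loads(body) if body else {}
    is_owner = session["user_id"] == user_id
    is_admin = session["role"] == "admin"
    record = USERS.get(user_id)
    if record is None or not (is_owner or is_admin):
        return 404, None               # uniform answer: no enumeration oracle
    return 200, record
```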

Page 11: Pentesting ReST API

Demo

Page 12: Pentesting ReST API

Questions

Page 13: Pentesting ReST API

References

■ https://www.soapui.org/testing-dojo/world-of-api-testing/soap-vs--rest-challenges.html
■ http://cybersecology.com/hackazon-review/
■ http://cybersecology.com/2014/11/googles-firing-range-test-site/
■ http://www.slideshare.net/SmartBear_Software/getting-started-with-api-security-testing
■ http://www.slideshare.net/ask4answers/rest-api-testing-with-specflow
■ http://www.slideshare.net/stormpath/rest-api-security
■ http://www.slideshare.net/taiseerjoudeh/http-services-security

Page 14: Pentesting ReST API

Thanks