PENTESTING REST API
null Bangalore Meet
Introduction
■ Nutan Kumar Panda
■ Aka @TheOsintGuy
■ Senior Information Security Engineer
■ OSINT Enthusiast
■ Presenter at BH US / BIU Israel / GroundZero Summit / CISO Summit etc.
■ Co-Author of the book "Hacking Web Intelligence"
■ Contributor to the DataSploit project
■ Active Contributor of the null Bangalore Chapter
What can you expect?
■ Basic Theory
■ My personal Experience
■ Approach
■ Tools to trade
■ Test beds
■ One Example to think out of the box
■ Some Common Findings
■ Hands on Demos
Web Services
■ SOAP
■ Components
– Service Consumer
– Service Provider
– XML (Extensible Markup Language)
– SOAP (Simple Object Access Protocol)
– WSDL (Web Services Description Language)
– UDDI (Universal Description, Discovery and Integration)
■ http://resources.infosecinstitute.com/web-services-penetration-testing-part-1/
■ ReST
■ Components
– Resources (example.com/users/1)
– Verbs (CRUD / POGPUD)
– Media Type (application/json)
– Status Codes (200, 201, 404 etc.)
– Authentication (OAuth)
– http://www.slideshare.net/null0x00/o-auth-tokens
■ http://www.slideshare.net/null0x00/pentesting-restful-webservices-v10
http://www.slideshare.net/PraveenKumarKOSCP/introduction-to-web-services-penetration-testing (page 3)
How I Started?
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Approach
■ Do not jump to testing by getting an end point or a set of end points
■ Ask for the documentation
■ Ask for the sample request/response or a Postman collection
■ Ask for any particular header needed
■ Ask for a token or any specific parameter or values for a parameter (to get into the right flow)
■ Ask for the workflows (sometimes workflows are bound: you cannot jump directly to a web service and test it, you need data that you get from other end points)
■ It's not only about fuzzing parameters
Tools to trade
■ ReST Client (plug-in)
■ Postman (app and plugin)
■ Burp (ZAP / Charles / IronWASP or any other interception proxy)
■ Hurl.it (online REST client)
■ SoapUI (https://www.youtube.com/watch?v=XV7WW0bDy9c)
■ Fuzzapi (https://github.com/lalithr95/Fuzzapi) Presented just the day before at AppSec USA by Abhijeet and Lalith
– http://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using-fuzzapi
– If you like this tool just spread the word with #fuzzapi
Test Beds
■ Hackazon
– Code: https://github.com/rapid7/hackazon
– Web Version: http://hackazon.webscantest.com/
– There is an apk also: https://github.com/rapid7/hackazon/tree/master/web/app.apk
– YouTube Video: https://www.youtube.com/watch?v=Yekzm0Olc3Y (Demo starts 24:00)
■ Mutillidae
– Code: https://sourceforge.net/projects/mutillidae/
– Video: https://www.youtube.com/watch?v=e6HAQnvuaic
■ DVWS
– Code: https://github.com/snoopythesecuritydog/dvws
– Tutorial: https://kali.tools/?p=1729
Example
POST example.com/users/view/253
{
  "user": "adam",
  "role": "tester"
}
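The request above is the deck's "think out of the box" case: a POST, carrying a user and a role, sent to a resource that only needs to be viewed. The following is a worked example added here (not code from the deck or any project it mentions): a framework-free Python handler for the users/view resource, first written in the pattern such a request probes for, then hardened. The users table, bearer tokens and route table are constructed for the example.

```python
import json

# Constructed sample data (not from the deck): user id -> record, and
# bearer tokens -> the id of the user that owns the token.
USERS = {
    252: {"user": "bob", "role": "tester"},
    253: {"user": "adam", "role": "tester"},
}
SESSIONS = {"tok-adam": 253, "tok-bob": 252}
# Declared verbs per resource: a view endpoint is read-only.
ROUTES = {"/users/view/": {"GET"}}


def fresh_users():
    """Return a copy of USERS so every request starts from the same state."""
    return {uid: dict(rec) for uid, rec in USERS.items()}


def vulnerable_view(method, path, headers, body, users):
    """The pattern the slide's request probes for: the handler trusts the id in
    the path (IDOR), answers any verb (POST-to-GET conversion goes unnoticed)
    and writes whatever JSON the client sends into the record, so the caller
    chooses its own "role"."""
    uid = int(path.rsplit("/", 1)[1])
    record = users.get(uid)
    if record is None:
        return 404, {"error": "not found"}
    if body:
        record.update(json.loads(body))  # client-controlled "role" lands here
    return 200, record


def hardened_view(method, path, headers, body, users):
    """Same resource with the checks a reviewer would expect to see."""
    prefix = path[: path.rfind("/") + 1]
    allowed = ROUTES.get(prefix)
    if allowed is None:
        return 404, {"error": "not found"}
    if method not in allowed:
        return 405, {"error": "method not allowed"}
    auth = headers.get("Authorization", "")
    caller = SESSIONS.get(auth[7:]) if auth.startswith("Bearer ") else None
    if caller is None:
        return 401, {"error": "unauthenticated"}
    try:
        uid = int(path[len(prefix):])
    except ValueError:
        return 400, {"error": "bad id"}
    # Ownership check. The response is the same 404 as for a missing record,
    # so a valid token cannot be used to learn which other ids exist.
    if uid != caller or uid not in users:
        return 404, {"error": "not found"}
    # A view never writes: the body is ignored, so "role" cannot be set here.
    record = users[uid]
    return 200, {"user": record["user"], "role": record["role"]}


if __name__ == "__main__":
    users = fresh_users()
    print(vulnerable_view("POST", "/users/view/253", {},
                          '{"user": "adam", "role": "admin"}', users))
    users = fresh_users()
    print(hardened_view("POST", "/users/view/253",
                        {"Authorization": "Bearer tok-adam"},
                        '{"user": "adam", "role": "admin"}', users))
```

Run the file to see the two handlers answer the slide's request: the first stores the client-supplied role and echoes the record back, the second refuses the verb before it looks at the body. The hardened version deliberately returns the same 404 for "not yours" and "does not exist", which is the detail that separates an authorization flaw from plain enumeration when reviewing an API.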
Common Finding
■ Enumeration
■ Rate limiting not implemented
■ Information Disclosure
■ POST to GET conversion (Method Conversion)
■ IDOR
■ SQLI
■ Authorization Flaws
■ Token related issues (Expiry, reuse, predictable etc.)
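Three of the findings above (enumeration, missing rate limiting, POST-to-GET method conversion) leave a clear trace in an API's access log, which is how a defender confirms a report or catches the probing. The following is an example added here, not code from the deck: it parses a constructed log in a simple "client [unix time] "request" status" format and runs one check per finding. The log lines, the route table and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from any real system):
# <client> [<unix time>] "<method> <path> <proto>" <status>
SAMPLE_LOG = """\
10.0.0.9 [1699999990] "POST /api/login HTTP/1.1" 200
10.0.0.9 [1699999995] "GET /users/view/1 HTTP/1.1" 200
10.0.0.5 [1700000000] "GET /users/view/250 HTTP/1.1" 200
10.0.0.5 [1700000001] "GET /users/view/251 HTTP/1.1" 200
10.0.0.5 [1700000002] "GET /users/view/252 HTTP/1.1" 200
10.0.0.5 [1700000003] "GET /users/view/253 HTTP/1.1" 200
10.0.0.5 [1700000004] "GET /users/view/254 HTTP/1.1" 404
10.0.0.5 [1700000005] "GET /users/view/255 HTTP/1.1" 200
10.0.0.5 [1700000006] "GET /users/view/256 HTTP/1.1" 200
10.0.0.5 [1700000007] "GET /users/view/257 HTTP/1.1" 200
10.0.0.7 [1700000020] "GET /api/login?user=eve&pass=x HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) \[(\d+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})$')
ID_PATH_RE = re.compile(r"^(/users/view/)(\d+)$")

# Verbs the API declares per route (assumed); any other verb is a
# method-conversion hit.
DECLARED = {"/api/login": {"POST"}, "/users/view/": {"GET"}}


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        events.append({"client": client, "ts": int(ts), "method": method,
                       "path": path, "status": int(status)})
    return events


def sequential_id_walks(events, min_run=5):
    """Clients that request consecutive ids under an id-bearing route, the
    enumeration/IDOR probe pattern. Returns {client: (first_id, last_id)}."""
    ids = defaultdict(list)
    for e in events:
        m = ID_PATH_RE.match(e["path"])
        if m:
            ids[e["client"]].append(int(m.group(2)))
    hits = {}
    for client, seq in ids.items():
        run_start, run_len = seq[0], 1
        for prev, cur in zip(seq, seq[1:]):
            if cur == prev + 1:
                run_len += 1
                if run_len >= min_run:
                    hits[client] = (run_start, cur)
            else:
                run_start, run_len = cur, 1
    return hits


def burst_clients(events, window=10, max_requests=6):
    """Clients exceeding max_requests inside any window of `window` seconds,
    traffic a rate limit would have cut off. Returns {client: peak_count}."""
    times = defaultdict(list)
    for e in events:
        times[e["client"]].append(e["ts"])
    hits = {}
    for client, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] >= window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > max_requests:
                hits[client] = max(count, hits.get(client, 0))
    return hits


def method_conversions(events):
    """Requests using a verb the route does not declare, e.g. a POST-only
    login replayed as GET (which also puts the credentials into the URL)."""
    hits = []
    for e in events:
        for route, verbs in DECLARED.items():
            if e["path"].startswith(route) and e["method"] not in verbs:
                hits.append((e["client"], e["method"], e["path"]))
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("sequential id walks:", sequential_id_walks(ev))
    print("bursts:", burst_clients(ev))
    print("method conversions:", method_conversions(ev))
```

On the constructed log, 10.0.0.5 is flagged by both the id-walk and the burst check, and 10.0.0.7 by the method check; the legitimate client 10.0.0.9 trips none of them. The thresholds are deliberately low so the sample shows the logic; on real traffic they are tuned per route from baseline volumes.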
Demo
Questions
References
■ https://www.soapui.org/testing-dojo/world-of-api-testing/soap-vs--rest-challenges.html
■ http://cybersecology.com/hackazon-review/
■ http://cybersecology.com/2014/11/googles-firing-range-test-site/
■ http://www.slideshare.net/SmartBear_Software/getting-started-with-api-security-testing
■ http://www.slideshare.net/ask4answers/rest-api-testing-with-specflow
■ http://www.slideshare.net/stormpath/rest-api-security
■ http://www.slideshare.net/taiseerjoudeh/http-services-security
Thanks