MOHAMMED A. IMRAN: RESTful Web Services Pentesting

Pentesting RESTful webservices


Page 1: Pentesting RESTful webservices


MOHAMMED A. IMRAN

RESTful Web Services Pentesting

Page 2: Pentesting RESTful webservices

Hello

MOHAMMED A. IMRAN
Application Security Engineer, CA Inc
Null Hyderabad Lead
OWASP Hyderabad Board Member

@MohammedAImran


Page 3: Pentesting RESTful webservices

LET’S TALK ABOUT ...

PROBLEMS WITH REST WS TESTING

TOOLS & TECHNIQUES

WHAT IS RESTful WEB SERVICES?

METHODOLOGY TO TEST RESTful WS

Page 4: Pentesting RESTful webservices

DID YOU KNOW?

Page 5: Pentesting RESTful webservices

THE UGLY TRUTH

SOAP Webservices VS RESTful Webservices

Google Trends

Page 6: Pentesting RESTful webservices

They also rest on REST APIs

Page 7: Pentesting RESTful webservices

Why REST WebServices ?

Page 8: Pentesting RESTful webservices

Easy & Simple

SOAP:

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
               soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
  <soap:Body xmlns:m="http://www.mysite.com/users">
    <m:GetUserDetails>
      <m:UserID>313</m:UserID>
    </m:GetUserDetails>
  </soap:Body>
</soap:Envelope>

VS

REST:

GET /users/313/

Page 9: Pentesting RESTful webservices

Light weight

SOAP:

<soap:Body xmlns:m="http://www.mysite.com/users">
  <m:GetUserDetailsResponse>
    <m:UserName>MohammedAImran</m:UserName>
    <m:Type>user</m:Type>
    <m:SiteAdmin>false</m:SiteAdmin>
    <m:UserName>Mohammed A.Imran</m:UserName>
    <m:Company>CA Inc</m:Company>
    <m:Email>[email protected]</m:Email>
  </m:GetUserDetailsResponse>
</soap:Body>

VS

REST:

{
  "login": "MohammedAImran",
  "type": "User",
  "site_admin": false,
  "name": "Mohammed A. Imran",
  "company": "CA Inc",
  "email": "[email protected]"
}

Note: REST can also use XML as media type

Page 10: Pentesting RESTful webservices

Many more reasons to use ...

● Easy to understand & document
● Easy on limited bandwidth
● READs can be cached and hence reduce the bandwidth
● Better browser support since the data format is mostly JSON
● Can be used by mobile devices
● Loosely coupled

Page 11: Pentesting RESTful webservices

But what is REST ?

Page 12: Pentesting RESTful webservices

“Representational state transfer (REST) is an architectural style consisting of a coordinated set of constraints applied to components, connectors, and data elements, within a distributed hypermedia system.”

Page 13: Pentesting RESTful webservices

What ? Let me explain ...

REST is an architectural style with some imposed constraints in how data is accessed and represented while developing web services or applications. It uses HTTP 1.1 as inspiration.

Page 14: Pentesting RESTful webservices

In simple terms

REST = RFC 2616 (well, almost)

Page 15: Pentesting RESTful webservices

In simple terms ...

REST = HTTP Protocol

with constraints

Page 16: Pentesting RESTful webservices

Architecture constraints

● Uniform interface
● Client-server
● Stateless
● Cache-able
● Layered system
● Code on demand (optional)

Page 17: Pentesting RESTful webservices

REST Style consists of ...

Resources VERBS Media Types Status Codes

Page 18: Pentesting RESTful webservices

REST Style consists of ...

Resource URLs VERBS Media Types Status Codes

Page 19: Pentesting RESTful webservices

RESOURCES (NOUN)

Collection resources: Site.com/users

Instance resources: Site.com/users/1

Page 20: Pentesting RESTful webservices

REST Style consists of ...

Resources VERBS Media Types Status Codes

Page 21: Pentesting RESTful webservices

VERBS

POST
GET (READ)
PUT
DELETE

Page 22: Pentesting RESTful webservices

POST = CREATE

Create a new resource *

* POST can be used for both create and update

Page 23: Pentesting RESTful webservices

POST http://mysite.com/users/

{
  "login": "MohammedAImran",
  "id": "313",
  "name": "Mohammed A. Imran",
  "company": "CA Inc",
  "email": "[email protected]"
}

Page 24: Pentesting RESTful webservices

GET = READ

Fetch some resource

Page 25: Pentesting RESTful webservices

GET site.com/users/

{
  "users": [
    {
      "login": "MohammedAImran",
      "id": "313",
      "name": "Mohammed A. Imran",
      "company": "CA Inc",
      "email": "[email protected]"
    },
    {
      "login": "Raghunath",
      "id": "311",
      "name": "G Raghunath",
      "company": "X Inc",
      "email": "[email protected]"
    }
  ]
}

Page 26: Pentesting RESTful webservices

GET site.com/users/313

{
  "login": "MohammedAImran",
  "id": "313",
  "name": "Mohammed A. Imran",
  "company": "CA Inc",
  "email": "[email protected]"
}

Page 27: Pentesting RESTful webservices

PUT = UPDATE/MODIFY

Update some resource *

* PUT can be used for both create and update

Page 28: Pentesting RESTful webservices

DELETE = DELETE

Delete a resource

Page 29: Pentesting RESTful webservices

REST Style consists of ...

Resources VERBS Media Types Status Codes

Page 30: Pentesting RESTful webservices

HATEOAS

Hypermedia As The Engine Of Application State

Page 31: Pentesting RESTful webservices

Media Types = Parsing Rules + Specifications

Page 32: Pentesting RESTful webservices

Media Type Examples

Application/json

Application/xml

Application/imrans+json;v1

Page 33: Pentesting RESTful webservices

REST Style consists of ...

Resources VERBS Media Types Status Codes

Page 34: Pentesting RESTful webservices

Status Codes

200 OK
201 Created
204 No Content
304 Not Modified
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
500 Internal Server Error
501 Not Implemented

Page 35: Pentesting RESTful webservices

RESTful WS testing problems

Page 36: Pentesting RESTful webservices

Difficulty in doing REST PT

● Many JSON variables to fuzz, and it is difficult to find which ones are optional and should be fuzzed
● Custom authentication
● Statelessness
● HTTP status codes outside the common set that tools are used to

Page 37: Pentesting RESTful webservices

Difficulty in doing REST PT ...

● Not so good automated tool support
● Every API is different from the others, so tools need custom tweaking
● Heavy reliance on Ajax frameworks for creating PUT and DELETE requests, as most browsers don’t support them

Page 38: Pentesting RESTful webservices

REST WS testing Methodology

Page 39: Pentesting RESTful webservices

Authentication

Page 40: Pentesting RESTful webservices

Bad practices

http://site.com/token/a3b3c2be5f53c8/

https://site.com/token/a3b3c2be5f53c8/

Page 41: Pentesting RESTful webservices

Authentication ...

● REST APIs rely heavily on SSL
● Often basic authentication is coupled with SSL (bruteforce?)
● Often custom token authentication schemes are built and used (a sure recipe for disaster)
● Never pass username/password, tokens or keys in the URL (use POST instead)
● Implementing authentication tokens in headers takes away the headache of having a CSRF token

Page 42: Pentesting RESTful webservices

Session Management

● Check all session based attacks on tokens as well
● Session timeout
● Session brute force
● Generally tokens are stored in the local storage of browsers; make sure you delete the token after log-out and upon browser window close
● Invalidate the token at server side upon logout
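As an added illustration of the session points above (example code, not from the original deck), a minimal server-side token store: tokens are random, expire after a period of inactivity, and are revoked server-side on logout so a leaked copy stops working. The timeout value and the injectable clock are assumptions made for this example.

```python
import secrets
import time

# Constructed example: server-side session token store. Not code from
# the original deck; the timeout value and the injectable clock are
# assumptions so that expiry can be exercised deterministically.
SESSION_TIMEOUT = 15 * 60  # seconds of inactivity before a token dies


class TokenStore:
    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock      # injectable for deterministic tests
        self._sessions = {}     # token -> {"user": ..., "last_seen": ...}

    def issue(self, user):
        # 256-bit random token; never derived from the username or time,
        # so it cannot be guessed or brute forced in practice
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def validate(self, token):
        """Return the user for a live token, or None if unknown/expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.timeout:
            del self._sessions[token]   # expired: drop it server-side
            return None
        session["last_seen"] = now      # sliding timeout on activity
        return session["user"]

    def logout(self, token):
        """Invalidate server-side; the client discarding its copy is not enough."""
        return self._sessions.pop(token, None) is not None
```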

Page 43: Pentesting RESTful webservices

Authorization

● Privilege escalation (horizontal and vertical)
● Make sure there is tight access control on the DELETE and PUT methods
● Use role based authentication
● Since usually the consumers of REST APIs are machines, there are often no checks on whether the service is being heavily used, which could lead to DoS or brute force
● Protect administrative functionality
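An added example (not from the original deck) of turning the authorization checks above into a repeatable test: an expected-status matrix for PUT and DELETE on /users/{id} across an anonymous caller, two ordinary users and an admin, run against a constructed in-memory stand-in for the API. The tokens, user ids and the ownership_check switch (which models an API that forgot the horizontal check) are assumptions of this example.

```python
# Constructed in-memory stand-in for a /users/{id} API (not the deck's
# code). Tokens, ids and the ownership_check switch are assumptions.
USERS = {"313": {"owner": "imran"}, "311": {"owner": "raghu"}}
TOKENS = {"tok-imran": ("imran", "user"),
          "tok-raghu": ("raghu", "user"),
          "tok-admin": ("admin", "admin")}


def api(token, method, path, ownership_check=True):
    """Return the HTTP status a request would get. Nothing is mutated,
    so the matrix below is order-independent."""
    principal = TOKENS.get(token)
    if principal is None:
        return 401                      # anonymous or bad token
    user, role = principal
    record = USERS.get(path.rsplit("/", 1)[-1])
    if record is None:
        return 404
    if method == "GET":
        return 200
    if method in ("PUT", "DELETE"):
        # Vertical check: admins may modify any record.
        # Horizontal check: ordinary users may only modify their own.
        # ownership_check=False models an API that forgot the latter.
        if role == "admin" or not ownership_check or record["owner"] == user:
            return 200 if method == "PUT" else 204
        return 403
    return 405


# Expected outcomes. Any disagreement between API and matrix is a finding.
MATRIX = {
    ("tok-imran", "GET", "/users/311"): 200,     # reads are public here
    ("tok-imran", "PUT", "/users/313"): 200,     # own record
    ("tok-imran", "PUT", "/users/311"): 403,     # horizontal escalation
    ("tok-imran", "DELETE", "/users/311"): 403,  # horizontal escalation
    ("tok-raghu", "DELETE", "/users/313"): 403,  # horizontal escalation
    ("tok-admin", "DELETE", "/users/311"): 204,  # vertical: admin allowed
    ("", "DELETE", "/users/313"): 401,           # anonymous caller
    ("tok-imran", "PATCH", "/users/313"): 405,   # unsupported verb
}


def run_matrix(request, matrix):
    """Run every case through request(token, method, path) and return
    the list of (case, expected, actual) mismatches."""
    findings = []
    for case, expected in matrix.items():
        actual = request(*case)
        if actual != expected:
            findings.append((case, expected, actual))
    return findings
```

Against a live target, request would wrap an HTTP client that sends the token in the Authorization header and returns the status code; run_matrix(api, MATRIX) is empty for the hardened stand-in, while the same matrix with ownership_check=False reports every horizontal escalation case.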

Page 44: Pentesting RESTful webservices

CVE-2010-0738

Page 45: Pentesting RESTful webservices

JBOSS JMX Console Vulnerability

Page 46: Pentesting RESTful webservices

NOTE

All attacks which are possible on any web application are possible with REST APIs as well.

Page 47: Pentesting RESTful webservices

Input Validation

● SQL Injection
● XSS
● Command Injection
● XPATH Injection

However, XSS becomes difficult to fuzz because of JSON, and you might want to scan with SQL injection and XSS profiles separately.

Page 48: Pentesting RESTful webservices

Output encoding

● If your application has a web interface then you might want to use the following headers:
  – X-Content-Type-Options: nosniff
  – X-Frame-Options: DENY/SAMEORIGIN/ALLOW-FROM
● JSON Encoding

Page 49: Pentesting RESTful webservices

Cryptography

● Use TLS with a good key size (384 bits preferably)
● Use client side certificates where possible, however they are not usually seen for APIs
● Use strong hashing algorithms (scrypt/bcrypt/SHA512)
● Use strong encryption mechanisms (AES)

Page 50: Pentesting RESTful webservices

Few notes ...

● Use a proxy to determine the attack surface and to understand the application
● Identify URLs, resources, status codes and the data needed
● Every part of the HTTP protocol is a potential target for fuzzing in RESTful APIs (don’t forget headers)
● WAF evasion is possible since JSON is not well understood by WAFs

Page 51: Pentesting RESTful webservices

Tools & Techniques

Page 52: Pentesting RESTful webservices

Command-line-Fu

Page 53: Pentesting RESTful webservices

cURL Primer

cURL
  -b or --cookie "COOKIE HERE"
  -H or --header "Authorization: Custom SW1yYW5XYXNIZXJlCg=="
  -X or --request PUT/POST/DELETE
  -i or --include                                      // include response headers
  -d or --data "username=imran&password=Imran" or --data @file-containing-data
  -x or --proxy 127.0.0.1:8080
  -A or --user-agent "Firefox 27.0"

Page 54: Pentesting RESTful webservices

cURL Primer ...

● cURL is great for automation if you know how the service works.
● cURL libraries are available for the majority of languages like PHP, Python and many more...
● You can perform complex operations and script them pretty fast.

Page 55: Pentesting RESTful webservices

cURL Examples

#!/bin/bash
# Request each user resource with the custom Authorization header, routing
# the traffic through the intercepting proxy on 127.0.0.1:8080 so every
# request and response can be inspected; -i keeps the response headers.
users="Imran Jaya Raghu Vinayak"

for dirName in $users
do
    curl -i -H "Authorization: Custom SW1yYW5XYXNIZXJlCg==" "http://www.mysite.com/users/$dirName" --proxy 127.0.0.1:8080
done

Page 56: Pentesting RESTful webservices

Graphical Tools

Page 57: Pentesting RESTful webservices

Firefox Add-on

Page 58: Pentesting RESTful webservices

Firefox Add-on ...

● If you need a graphical interface, browser add-ons provide a GUI, however not as powerful as the cURL command.
● Specialized developer tools (SOAP UI) can also be used for testing.

Page 59: Pentesting RESTful webservices

Automated Tools

Page 60: Pentesting RESTful webservices

AppScan Scan

http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html

Page 61: Pentesting RESTful webservices

AppScan Scan...

Page 62: Pentesting RESTful webservices

Thank you !

Want to discuss more ? Catch me on

www.twitter.com/MohammedAImran
www.linkedin.com/in/MohammedAImran

Page 64: Pentesting RESTful webservices

Credits

* All icons are taken from The Noun project, credit goes to respective artists

* OWASP Cheat sheet series

Page 65: Pentesting RESTful webservices

References

http://www.slideshare.net/SOURCEConference/security-testing-for-rest-applications-ofer-shezaf-source-barcelona-nov-2011

https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

http://securityreliks.wordpress.com/2010/07/28/testing-restful-services-with-appscan/

http://www-01.ibm.com/support/docview.wss?uid=swg21412832

http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html