Security Testing For RESTful Applications




Ofer Shezaf, HP Enterprise Security Products
ofr@hp.com

©2011 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice
About Myself

I create security products:
• Currently, chief architect for Risk and Vulnerability Management at HP.
• Security research and Product Management at Breach Security, a Web Application Firewall vendor.
• Electric cars security…

I am an application security veteran:
• Director, Web Application Security Consortium.
• Founded the OWASP Israeli chapter.
• ModSecurity Core Rule Set Project, WASC Web Hacking Incident Database.

I really try to learn what information security is:
• Read my blog at http://www.xiom.com
• Be ready for some philosophy of science and cognitive psychology.

I live in Kibbutz Yiftah, Israel.
In this Presentation


About RESTful Web Services

RESTful WS in the Wild

Security of RESTful WS

Pen-testing RESTful WS

Automated security testing of RESTful WS



   Research         Test       Remediate
About RESTful Web Services




Web Services

• Employing web technology (i.e., HTTP) for machine-to-machine communication.
• Used for:
  – Inter-application communication
  – Web 2.0 and mashups
  – Thick client applications
  – Phone applications
SOAP Web Services: Example




      GET /InStock/GetStockPrice?StockName=HP

SOAP Web Services
Commonly used protocol set for Web Services




The theory:
• Structured and well defined
• Robust
• Secure

However:
• Complex and heavy, especially for phone and Web 2.0 clients
• Not the HTTP way: designed to work over any protocol, including SMTP
The REST design pattern
Essentially what the Web always was

• Client/Server: Clients are separated from servers by a uniform interface.
• Stateless: The client–server communication is further constrained by no client context being stored on the server between requests*.
• Cacheable: Responses must therefore, implicitly or explicitly, define themselves as cacheable or not.
• Layered: A client cannot ordinarily tell whether it is connected directly to the end server, or to an intermediary along the way.
• Uniform interface: A uniform interface between clients and servers simplifies and decouples the architecture.
• Code on demand (optional): Servers are able to temporarily extend or customize the functionality of a client by transferring logic to it that it can execute.

* The server can be stateful; this constraint merely requires that server-side state be addressable by URL as a resource.
RESTful Web Services



Are:
• A common practice for using REST design patterns for Web Services

Are Not:
• A well defined protocol
• A set of software libraries or frameworks
Common RESTful WS Practices

    GET /InStock/HP

• Use of HTTP methods to indicate the action
  – CRUD: Create (POST, or PUT when the client chooses the resource URL), Read (GET), Update (PUT; in practice often POST), Delete (DELETE)
• Embedding parameters in the request
  – As part of the URL
  – In headers
  – Serialized as JSON in a parameter value or in the request body
• Structured output
  – Using JSON or XML for information serialization
• Custom authentication and session management
  – Use of the security token concept
  – Often uses headers
RESTful WS Example

http://api.geonames.org/earthquakesJSON?north=44.1&south=-9.9&east=-22.4&west=55.2&username=demo

{"earthquakes":
[
  {"eqid":"c0001xgp","magnitude":8.8,"lng":142.369,"src":"us","datetime":"2011-03-11 04:46:23","depth":24.4,"lat":38.322},
  {"eqid":"2007hear","magnitude":8.4,"lng":101.3815,"src":"us","datetime":"2007-09-12 09:10:26","depth":30,"lat":-4.5172},
  {"eqid":"2007aqbk","magnitude":8,"lng":156.9567,"src":"us","datetime":"2007-04-01 18:39:56","depth":10,"lat":-8.4528},
  {"eqid":"2007hec6","magnitude":7.8,"lng":100.9638,"src":"us","datetime":"2007-09-12 21:49:01","depth":10,"lat":-2.5265},
  {"eqid":"a00043nx","magnitude":7.7,"lng":100.1139,"src":"us","datetime":"2010-10-25 12:42:22","depth":20.6,"lat":-3.4841},
...
More Examples
It often doesn't look like your typical Web (1.0 or 2.0) application:

• Parameters in headers
• Non-standard parameters and methods
• Non-standard authentication and authorization
RESTful Services Documentation

• No common documentation format similar to WSDL.
• WADL (Web Application Description Language) is a standard proposal:
  – Not approved
  – Not widely used
RESTful Web Services in the Wild
It’s Up and Coming!




Who Uses REST?




RESTful Web Services Security
You Already Know This Part



REST is just Web.

REST security is just Web application security.
Key issues to keep in mind

• No standard security mechanism similar to SOAP Web Services (WS-*).
• Proprietary authentication and session management.
• Some common design flaws associated with REST:
  – Overreliance on SSL (transport encryption is not authentication or authorization)
  – Session IDs used in the URL (they end up in proxy and server logs, browser history and Referer headers)
  – Using HTTP Basic Authentication (credentials re-sent with every request)
  – Bad implementation of SSO
Pen Testing RESTful Web Services
Challenges

Inspecting the application does not reveal the application's attack surface:
• Non-Web applications (thick clients, phone applications)
• Not all Web Service functionality is actually used by the application
• Requests are often dynamically created, Web 2.0 style

Fuzzing standard parameters is no longer sufficient:
• Non-standard parameters are used
• Inputs are serialized as JSON or XML

Guidelines for fuzzing are missing:
• Determining initial values for fuzzing is hard for unused features
• A potentially large number of parameters is prohibitive in terms of time and requires selecting which ones to attack

Custom authentication and session management breaks common cookie sharing practices.
Use Documentation

Determine:
• Available services
• Use of HTTP methods
• Use of parameters

Potential sources:
• WADL
• Programming guides
• Configuration information (e.g. Apache mod_rewrite configuration)
• Application source
Additional Documentation Examples: WADL, WCF
Use a Proxy

• Determining the attack surface when no documentation exists.
• Useful also when documentation exists, to determine initial fuzzing values.
• Extremely helpful for:
  – Non-Web applications
  – Dynamically generated requests
Determining Parameters

• Look for non-standard headers
• Determine if URL segments have a pattern
  – Numerical values
  – Well known templates
• Look for structures in parameter values
  – JSON, XML, YAML or other
• Look for irregular 404 responses
  – Including site specific "file not found" messages: a 200 response carrying the application's own "not found" page hides the real attack surface from a scanner that only inspects status codes
• Brute force
  – Change methods
  – Attack any URL segment
Automated RESTful Pen Testing
How Does Automated Pen-Testing Work?

Crawling
• Determining the attack surface
• Historically only link based
• Today employs JavaScript emulation to get dynamic requests

Attacking
• Parameter based:
  – Sending known attack vectors
  – Fuzzing parameters
• Comparing behavior for different users, or before and after login

Prerequisites
• Understanding request generation (i.e. links)
• Understanding parameters
• Understanding session management
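The "comparing behavior for different users, or before and after login" step, as an added example that is not code from the talk or from any HP product. The target service below is constructed in memory for the example: it uses a header-borne token (the custom session management the talk describes, which cookie-jar-based tools do not pick up), one endpoint that checks object ownership correctly and one that deliberately checks only that some session exists. The tester replays each request as the owning user, as a second user and anonymously, and reports responses that should differ but do not. User names, paths and the X-Auth-Token header are all assumptions of the example.

```python
"""Differential access-control testing of a REST API (added example)."""
import secrets

# --- constructed target service --------------------------------------------
USERS = {"alice": 1042, "bob": 2077}
PROFILES = {1042: {"name": "Alice", "email": "alice@example.test"},
            2077: {"name": "Bob", "email": "bob@example.test"}}
TRANSACTIONS = {1042: [{"id": 1, "amount": -25.0}],
                2077: [{"id": 2, "amount": 310.0}]}
SESSIONS = {}  # token -> user id


def login(username):
    """Custom session management: an opaque token the client sends in X-Auth-Token."""
    token = secrets.token_hex(16)
    SESSIONS[token] = USERS[username]
    return token


def fake_api(method, path, headers):
    """Dispatcher for GET /api/users/{id}/profile and /api/users/{id}/transactions."""
    uid = SESSIONS.get(headers.get("X-Auth-Token"))
    parts = path.strip("/").split("/")
    if (method != "GET" or len(parts) != 4 or parts[:2] != ["api", "users"]
            or not parts[2].isdigit()):
        return 404, {"error": "not found"}
    target = int(parts[2])
    if uid is None:
        return 401, {"error": "authentication required"}
    if parts[3] == "profile":
        if uid != target:                 # correct object-level authorization
            return 403, {"error": "forbidden"}
        return 200, PROFILES[target]
    if parts[3] == "transactions":
        # Deliberate flaw: verifies that *a* session exists, never whose it is,
        # so any logged-in user can read anyone's transactions.
        return 200, TRANSACTIONS.get(target, [])
    return 404, {"error": "not found"}


# --- tester ------------------------------------------------------------------
def differential_test(send, owned_requests, owner_token, other_token):
    """Replay each (method, path) as the owner, as another user and anonymously.

    `send(method, path, headers)` issues a request and returns (status, body).
    Returns one finding per request whose authorization does not hold.
    """
    findings = []
    for method, path in owned_requests:
        as_owner = send(method, path, {"X-Auth-Token": owner_token})
        if as_owner[0] != 200:
            continue  # the baseline must succeed or the comparison is meaningless
        as_other = send(method, path, {"X-Auth-Token": other_token})
        anonymous = send(method, path, {})
        if anonymous == as_owner:
            findings.append({"path": path, "issue": "no authentication",
                             "detail": "anonymous response identical to owner's"})
        elif as_other == as_owner:
            findings.append({"path": path, "issue": "broken object-level authorization",
                             "detail": "another user's response identical to owner's"})
    return findings


def run():
    """Log in both constructed users and test Alice's resources."""
    alice, bob = login("alice"), login("bob")
    alice_requests = [("GET", "/api/users/1042/profile"),
                      ("GET", "/api/users/1042/transactions")]
    return differential_test(fake_api, alice_requests, alice, bob)


if __name__ == "__main__":
    for finding in run():
        print(f"{finding['issue']}: {finding['path']} ({finding['detail']})")
```

Against a real service the `send` callable would be an HTTP client that injects the token the way the application does (header, URL segment or cookie), and the responses should be normalized before comparison, since timestamps, request IDs and other per-request noise will otherwise mask identical payloads.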
RESTful WS Challenges

• Finding the attack surface by crawling
• Determining what elements of the request to attack
• Optimizing attack time while still addressing all potential parameters
• Getting initial values for fuzzing
• Custom authentication and session management breaks common cookie sharing practices
Defining Rules

• Define parameter structure for URLs.
• Enable the tool to use documentation and the proxy-discovered attack surface.
• Automated discovery of rules:
  – Automated import of documentation sources.
  – Applying parameter determination techniques.
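The parameter determination techniques from the pen-testing section, applied automatically to a proxy capture as the "Defining Rules" slide proposes. This is an added example, not code from the talk or from any HP tool. It turns captured requests into URL templates (numeric, UUID and opaque high-entropy segments become placeholders, the last of which also flags a session ID carried in the URL), treats headers outside the standard set as parameters, expands JSON serialized in a query value or body into individual leaf fuzz points, and recognizes an irregular 404 by comparing a 200 body with the site's own "not found" page. The request list, header names and the entropy threshold are constructed assumptions of the example.

```python
"""Infer a REST service's fuzzable attack surface from captured requests (added example)."""
import difflib
import json
import math
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Headers any HTTP client sends on its own; anything else is application-defined.
STANDARD_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "accept-language",
                    "content-type", "content-length", "connection", "cookie", "referer",
                    "origin", "authorization", "cache-control", "pragma"}
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def _entropy(s):
    """Shannon entropy in bits per character; opaque tokens score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify_segment(seg):
    """Map a URL path segment to a template placeholder, or keep the literal."""
    if seg.isdigit():
        return "{int}"
    if UUID_RE.fullmatch(seg):
        return "{uuid}"
    # Heuristic (assumption): a long, mixed, high-entropy segment is an opaque
    # identifier, e.g. a session ID carried in the URL.
    if len(seg) >= 16 and not seg.isalpha() and _entropy(seg) > 3.5:
        return "{token}"
    return seg


def path_template(path):
    return "/" + "/".join(classify_segment(s) for s in path.split("/") if s)


def json_leaves(value):
    """Return the leaf paths if `value` is a JSON document, else None."""
    v = unquote(value).strip()
    if v[:1] not in ("{", "["):
        return None
    try:
        obj = json.loads(v)
    except ValueError:
        return None
    leaves = []

    def walk(o, prefix):
        if isinstance(o, dict):
            for k, x in o.items():
                walk(x, f"{prefix}.{k}" if prefix else k)
        elif isinstance(o, list):
            for i, x in enumerate(o):
                walk(x, f"{prefix}[{i}]")
        else:
            leaves.append(prefix)

    walk(obj, "")
    return leaves


def analyze(requests):
    """Group captured requests by URL template and collect every fuzz point."""
    surface = defaultdict(lambda: {"methods": set(), "query": set(), "headers": set(),
                                   "body": set(), "url_tokens": False})
    for req in requests:
        path, _, query = req["path"].partition("?")
        tmpl = path_template(path)
        entry = surface[tmpl]
        entry["methods"].add(req["method"])
        entry["url_tokens"] |= "{token}" in tmpl
        for pair in filter(None, query.split("&")):
            name, _, val = pair.partition("=")
            leaves = json_leaves(val)
            if leaves:  # JSON inside a parameter value: each leaf is its own fuzz point
                entry["query"].update(f"{name}:{leaf}" for leaf in leaves)
            else:
                entry["query"].add(name)
        entry["headers"].update(h for h in req.get("headers", {})
                                if h.lower() not in STANDARD_HEADERS)
        entry["body"].update(json_leaves(req.get("body", "")) or [])
    return dict(surface)


def is_soft_404(not_found_body, status, body, threshold=0.9):
    """Irregular 404: an HTTP 200 whose body is the site's own "not found" page.
    `not_found_body` is the response to a path known not to exist."""
    return status == 200 and difflib.SequenceMatcher(None, not_found_body, body).ratio() >= threshold


SAMPLE_REQUESTS = [  # constructed: modelled on a proxy capture of a thick client
    {"method": "GET", "path": "/api/accounts/1042/transactions?from=2011-01-01",
     "headers": {"Host": "api.example.test", "Accept": "application/json", "X-Api-Key": "k1"}},
    {"method": "GET", "path": "/api/accounts/2077/transactions?from=2011-02-01",
     "headers": {"Host": "api.example.test", "X-Api-Key": "k1"}},
    {"method": "POST", "path": "/api/accounts/1042/transfer",
     "headers": {"Host": "api.example.test", "X-Api-Key": "k1", "Content-Type": "application/json"},
     "body": '{"to": 2077, "amount": 25.0, "memo": {"text": "rent", "tags": ["home"]}}'},
    {"method": "GET", "path": "/api/session/3f9a8c2d1e7b4a6f9c0d2e1b3a5f7c8d/profile",
     "headers": {"Host": "api.example.test"}},
    {"method": "GET", "path": "/api/search?q=%7B%22term%22%3A%22hp%22%2C%22limit%22%3A10%7D",
     "headers": {"Host": "api.example.test", "X-Api-Key": "k1"}},
]

if __name__ == "__main__":
    for tmpl, e in sorted(analyze(SAMPLE_REQUESTS).items()):
        print(tmpl, sorted(e["methods"]), sorted(e["query"] | e["headers"] | e["body"]),
              "SESSION TOKEN IN URL" if e["url_tokens"] else "")
```

The output of `analyze` is the rule set an automated scanner needs: for each template, which segments to attack, which query, header and body leaves to fuzz, and which methods have not yet been seen (the brute-force "change methods" step is the difference between the observed set and {GET, POST, PUT, DELETE}). XML and YAML values can be expanded the same way with `xml.etree` or a YAML parser in place of `json.loads`.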




Thank You!
Ofer Shezaf, ofr@hp.com


Source Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
Source Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
Source Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
Source Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
Source Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
Source Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
Source Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Source Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
Source Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
Source Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
Source Conference
 

Recently uploaded (20)

soulmaite review - Find Real AI soulmate review
soulmaite review - Find Real AI soulmate reviewsoulmaite review - Find Real AI soulmate review
soulmaite review - Find Real AI soulmate review
Soulmaite
 
Data Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any ApplicationData Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any Application
Safe Software
 
Securiport - A Border Security Company
Securiport  -  A Border Security CompanySecuriport  -  A Border Security Company
Securiport - A Border Security Company
Securiport
 
If You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FMEIf You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FME
Safe Software
 
Jira Administration Training – Day 1 : Introduction
Jira Administration Training – Day 1 : IntroductionJira Administration Training – Day 1 : Introduction
Jira Administration Training – Day 1 : Introduction
Ravi Teja
 
The case for on-premises AI
The case for on-premises AIThe case for on-premises AI
The case for on-premises AI
Principled Technologies
 
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Infrassist Technologies Pvt. Ltd.
 
Extend-Microsoft365-with-Copilot-agents.pptx
Extend-Microsoft365-with-Copilot-agents.pptxExtend-Microsoft365-with-Copilot-agents.pptx
Extend-Microsoft365-with-Copilot-agents.pptx
hoang971
 
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Anish Kumar
 
Palo Alto Networks Cybersecurity Foundation
Palo Alto Networks Cybersecurity FoundationPalo Alto Networks Cybersecurity Foundation
Palo Alto Networks Cybersecurity Foundation
VICTOR MAESTRE RAMIREZ
 
7 Salesforce Data Cloud Best Practices.pdf
7 Salesforce Data Cloud Best Practices.pdf7 Salesforce Data Cloud Best Practices.pdf
7 Salesforce Data Cloud Best Practices.pdf
Minuscule Technologies
 
MCP vs A2A vs ACP: Choosing the Right Protocol | Bluebash
MCP vs A2A vs ACP: Choosing the Right Protocol | BluebashMCP vs A2A vs ACP: Choosing the Right Protocol | Bluebash
MCP vs A2A vs ACP: Choosing the Right Protocol | Bluebash
Bluebash
 
Domino IQ – What to Expect, First Steps and Use Cases
Domino IQ – What to Expect, First Steps and Use CasesDomino IQ – What to Expect, First Steps and Use Cases
Domino IQ – What to Expect, First Steps and Use Cases
panagenda
 
Improving Developer Productivity With DORA, SPACE, and DevEx
Improving Developer Productivity With DORA, SPACE, and DevExImproving Developer Productivity With DORA, SPACE, and DevEx
Improving Developer Productivity With DORA, SPACE, and DevEx
Justin Reock
 
TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025
Suyash Joshi
 
LSNIF: Locally-Subdivided Neural Intersection Function
LSNIF: Locally-Subdivided Neural Intersection FunctionLSNIF: Locally-Subdivided Neural Intersection Function
LSNIF: Locally-Subdivided Neural Intersection Function
Takahiro Harada
 
Your startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean accountYour startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean account
angelo60207
 
Oracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI FoundationsOracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI Foundations
VICTOR MAESTRE RAMIREZ
 
Jeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software DeveloperJeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software Developer
Jeremy Millul
 
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptxISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
AyilurRamnath1
 
soulmaite review - Find Real AI soulmate review
soulmaite review - Find Real AI soulmate reviewsoulmaite review - Find Real AI soulmate review
soulmaite review - Find Real AI soulmate review
Soulmaite
 
Data Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any ApplicationData Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any Application
Safe Software
 
Securiport - A Border Security Company
Securiport  -  A Border Security CompanySecuriport  -  A Border Security Company
Securiport - A Border Security Company
Securiport
 
If You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FMEIf You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FME
Safe Software
 
Jira Administration Training – Day 1 : Introduction
Jira Administration Training – Day 1 : IntroductionJira Administration Training – Day 1 : Introduction
Jira Administration Training – Day 1 : Introduction
Ravi Teja
 
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Infrassist Technologies Pvt. Ltd.
 
Extend-Microsoft365-with-Copilot-agents.pptx
Extend-Microsoft365-with-Copilot-agents.pptxExtend-Microsoft365-with-Copilot-agents.pptx
Extend-Microsoft365-with-Copilot-agents.pptx
hoang971
 
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Anish Kumar
 
Palo Alto Networks Cybersecurity Foundation
Palo Alto Networks Cybersecurity FoundationPalo Alto Networks Cybersecurity Foundation
Palo Alto Networks Cybersecurity Foundation
VICTOR MAESTRE RAMIREZ
 
7 Salesforce Data Cloud Best Practices.pdf
7 Salesforce Data Cloud Best Practices.pdf7 Salesforce Data Cloud Best Practices.pdf
7 Salesforce Data Cloud Best Practices.pdf
Minuscule Technologies
 
MCP vs A2A vs ACP: Choosing the Right Protocol | Bluebash
MCP vs A2A vs ACP: Choosing the Right Protocol | BluebashMCP vs A2A vs ACP: Choosing the Right Protocol | Bluebash
MCP vs A2A vs ACP: Choosing the Right Protocol | Bluebash
Bluebash
 
Domino IQ – What to Expect, First Steps and Use Cases
Domino IQ – What to Expect, First Steps and Use CasesDomino IQ – What to Expect, First Steps and Use Cases
Domino IQ – What to Expect, First Steps and Use Cases
panagenda
 
Improving Developer Productivity With DORA, SPACE, and DevEx
Improving Developer Productivity With DORA, SPACE, and DevExImproving Developer Productivity With DORA, SPACE, and DevEx
Improving Developer Productivity With DORA, SPACE, and DevEx
Justin Reock
 
TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025
Suyash Joshi
 
LSNIF: Locally-Subdivided Neural Intersection Function
LSNIF: Locally-Subdivided Neural Intersection FunctionLSNIF: Locally-Subdivided Neural Intersection Function
LSNIF: Locally-Subdivided Neural Intersection Function
Takahiro Harada
 
Your startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean accountYour startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean account
angelo60207
 
Oracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI FoundationsOracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI Foundations
VICTOR MAESTRE RAMIREZ
 
Jeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software DeveloperJeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software Developer
Jeremy Millul
 
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptxISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
AyilurRamnath1
 

Security Testing For RESTful Applications

  • 7. SOAP Web Services
      Commonly used protocol set for Web Services.
      – The theory: structured and well defined; robust; secure.
      – However: complex and heavy, especially for phone and Web 2.0 clients; not the HTTP way (designed to work on any protocol, including SMTP).
  • 8. The REST design pattern
      Essentially what the Web always was.
      – Client/Server: clients are separated from servers by a uniform interface.
      – Stateless: the client–server communication is further constrained by no client context being stored on the server between requests*.
      – Cacheable: responses must therefore, implicitly or explicitly, define themselves as cacheable or not.
      – Layered: a client cannot ordinarily tell whether it is connected directly to the end server, or to an intermediary along the way.
      – Uniform: a uniform interface between clients and servers simplifies and decouples the architecture.
      – Code on demand (optional): servers are able to temporarily extend or customize the functionality of a client by transferring logic to it that it can execute.
      * The server can be stateful; this constraint merely requires that server-side state be addressable by URL as a resource.
  • 9. RESTful Web Services
      – Are: a common practice for using REST design patterns for Web Services.
      – Are not: a well defined protocol; a set of software libraries or frameworks.
  • 10. Common RESTful WS Practices (example: GET /InStock/HP)
      – Use of HTTP methods to indicate the action, CRUD style: Create (PUT), Read (GET), Update (POST), Delete (DELETE). The verb mapping is a convention, not a rule; Create via POST and Update via PUT is just as common, so confirm the mapping of each API before testing it.
      – Embedding parameters in the request: as part of the URL; in headers; serialized as JSON in a parameter value or in the request body.
      – Structured output: JSON or XML for information serialization.
      – Custom authentication and session management: use of the security token concept, often carried in headers.
  • 11. RESTful WS Example
      http://api.geonames.org/earthquakesJSON?north=44.1&south=-9.9&east=-22.4&west=55.2&username=demo
      {"earthquakes": [
        {"eqid":"c0001xgp","magnitude":8.8,"lng":142.369,"src":"us","datetime":"2011-03-11 04:46:23","depth":24.4,"lat":38.322},
        {"eqid":"2007hear","magnitude":8.4,"lng":101.3815,"src":"us","datetime":"2007-09-12 09:10:26","depth":30,"lat":-4.5172},
        {"eqid":"2007aqbk","magnitude":8,"lng":156.9567,"src":"us","datetime":"2007-04-01 18:39:56","depth":10,"lat":-8.4528},
        {"eqid":"2007hec6","magnitude":7.8,"lng":100.9638,"src":"us","datetime":"2007-09-12 21:49:01","depth":10,"lat":-2.5265},
        {"eqid":"a00043nx","magnitude":7.7,"lng":100.1139,"src":"us","datetime":"2010-10-25 12:42:22","depth":20.6,"lat":-3.4841},
        ...
  • 12. More Examples
      It often doesn't look like your typical Web (1.0 or 2.0) application:
      – Parameters in headers
      – Non-standard parameters and methods
      – Non-standard authentication and authorization
  • 13. RESTful services Documentation
      – No common documentation format similar to WSDL.
      – WADL (Web Application Description Language) is a standard proposal (a W3C member submission): not approved as a standard, and not widely used.
  • 14. RESTful Web Services in the Wild (section divider: About RESTful Web Services; RESTful WS in the Wild; Security of RESTful WS; Pen-testing RESTful WS; Automated security testing of RESTful WS)
  • 15. It's Up and Coming!
  • 17. RESTful Web Services Security (section divider: About RESTful Web Services; RESTful WS in the Wild; Security of RESTful WS; Pen-testing RESTful WS; Automated security testing of RESTful WS)
  • 18. You Already Know This Part
      REST is just Web; REST security is just Web application security.
  • 19. Key issues to keep in mind
      – No standard security mechanism similar to SOAP Web Services (WS-*).
      – Proprietary authentication and session management.
      – Some common design flaws associated with REST:
          – Overreliance on SSL (transport encryption treated as a substitute for authentication and authorization)
          – Session IDs used in the URL (exposed through logs, Referer headers and browser history)
          – Using basic HTTP Authentication (credentials replayed on every request and trivially decodable)
          – Bad implementation of SSO
  • 20. Pen Testing RESTful Web Services (section divider: About RESTful Web Services; RESTful WS in the Wild; Security of RESTful WS; Pen-testing RESTful WS; Automated security testing of RESTful WS)
  • 21. Challenges
      – Inspecting the application does not reveal the application attack surface:
          – Non-web applications
          – Not all Web Service functionality is actually used by the application
          – Requests are often dynamically created, Web 2.0 style
      – Fuzzing standard parameters is not sufficient anymore:
          – Non-standard parameters are used
          – Inputs are serialized as JSON or XML
      – Guidelines for fuzzing are missing:
          – Determining initial values for fuzzing is hard for unused features
          – A potentially large number of parameters is prohibitive in terms of time and requires selection
      – Custom authentication and session management breaks common cookie sharing practices.
  • 22. Use Documentation
      – Determine: available services; use of HTTP methods; use of parameters.
      – Potential sources: WADL; programming guides; Apache mod_rewrite configuration; configuration information; application source.
  • 24. Use a Proxy
      – Determining the attack surface when no documentation exists.
      – Useful also when documentation exists, to determine initial fuzzing values.
      – Extremely helpful for: non-web applications; dynamically generated requests.
  • 25. Determining Parameters
      – Look for non-standard headers.
      – Determine if URL segments have a pattern: numerical values; well-known templates.
      – Look for structures in parameter values: JSON, XML, YAML or other.
      – Look for irregular 404 responses, including site-specific "file not found" messages.
      – Brute force: change methods; attack any URL segment.
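The parameter-determination heuristics of slide 25 (non-standard headers, patterned URL segments, structured parameter values), together with the design flaws of slide 19 that are visible in traffic, can be scripted over a proxy export instead of being applied by eye. The following Python is an added example, not part of the deck or of any HP tool; the captured requests, hosts, tokens, the header list and the segment classifiers are all constructed for the illustration.

```python
"""Attack-surface discovery over proxy-captured RESTful requests (added example)."""
import json
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic in a (method, url, headers) shape that a proxy log
# could be exported to. Hosts, paths and tokens are made up for this example.
CAPTURED = [
    ("GET", "https://api.example.test/v1/accounts/1001/orders?from=2011-01-01",
     {"Host": "api.example.test", "Accept": "application/json", "X-Auth-Token": "tok-a1b2c3"}),
    ("GET", "https://api.example.test/v1/accounts/1002/orders?from=2011-02-01",
     {"Host": "api.example.test", "Accept": "application/json", "X-Auth-Token": "tok-a1b2c3"}),
    ("POST", "https://api.example.test/v1/accounts/1001/orders",
     {"Host": "api.example.test", "Content-Type": "application/json", "X-Auth-Token": "tok-a1b2c3"}),
    ("DELETE", "https://api.example.test/v1/orders/c0001xgp",
     {"Host": "api.example.test", "X-Auth-Token": "tok-a1b2c3", "X-Client-Version": "2.3"}),
    ("GET", "https://api.example.test/v1/search?filter=%7B%22src%22%3A%22us%22%2C%22min%22%3A7%7D",
     {"Host": "api.example.test", "Accept": "application/json", "X-Auth-Token": "tok-a1b2c3"}),
    ("GET", "http://legacy.example.test/report?sessionid=9f8e7d6c",
     {"Host": "legacy.example.test", "Authorization": "Basic ZGVtbzpkZW1v"}),
]

# Headers any HTTP client sends anyway; anything else is a candidate parameter.
STANDARD_HEADERS = {
    "host", "accept", "accept-encoding", "accept-language", "content-type",
    "content-length", "user-agent", "connection", "cookie", "authorization",
    "referer", "origin", "cache-control",
}

# Segment classifiers, tried in order; the first match names the template slot.
SEGMENT_PATTERNS = [
    ("{int}", re.compile(r"^\d+$")),
    ("{uuid}", re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
    ("{id}", re.compile(r"^(?=.*\d)[0-9a-z]{6,}$")),  # letter/digit mix such as c0001xgp
]

SESSION_KEYS = re.compile(r"sess|sid|token", re.I)


def url_template(path):
    """Collapse value-like segments: /v1/accounts/1001/orders -> /v1/accounts/{int}/orders."""
    out = []
    for seg in path.strip("/").split("/"):
        for slot, rx in SEGMENT_PATTERNS:
            if rx.match(seg):
                seg = slot
                break
        out.append(seg)
    return "/" + "/".join(out)


def attack_surface(requests):
    """Count captured requests per (method, URL template): the endpoints to test."""
    surface = Counter()
    for method, url, _ in requests:
        surface[(method, url_template(urlsplit(url).path))] += 1
    return surface


def nonstandard_headers(requests):
    """Header names outside STANDARD_HEADERS: parameters the application carries in headers."""
    found = {name for _, _, headers in requests for name in headers
             if name.lower() not in STANDARD_HEADERS}
    return sorted(found)


def structured_values(requests):
    """Query parameters whose value is itself serialized JSON or XML."""
    hits = []
    for _, url, _ in requests:
        parts = urlsplit(url)
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            value = value.strip()
            if value[:1] in ("{", "["):
                try:
                    json.loads(value)
                    hits.append((parts.path, key, "json"))
                except ValueError:
                    pass
            elif value.startswith("<") and value.endswith(">"):
                hits.append((parts.path, key, "xml"))
    return hits


def weak_practices(requests):
    """Flag the design flaws from the deck that are visible in traffic: session identifiers
    in the URL, HTTP Basic authentication, and a credential sent without TLS."""
    findings = []
    for _, url, headers in requests:
        parts = urlsplit(url)
        hdrs = {k.lower(): v for k, v in headers.items()}
        query_keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if any(SESSION_KEYS.search(k) for k in query_keys) or ";jsessionid=" in parts.path.lower():
            findings.append((url, "session identifier in URL"))
        if hdrs.get("authorization", "").lower().startswith("basic "):
            findings.append((url, "HTTP Basic authentication"))
        carries_credential = "authorization" in hdrs or any(n.endswith("-token") for n in hdrs)
        if parts.scheme == "http" and carries_credential:
            findings.append((url, "credential sent without TLS"))
    return findings


if __name__ == "__main__":
    for (method, template), n in sorted(attack_surface(CAPTURED).items()):
        print(f"{n:3d}  {method:6s} {template}")
    print("non-standard headers:", nonstandard_headers(CAPTURED))
    print("structured values:", structured_values(CAPTURED))
    for url, finding in weak_practices(CAPTURED):
        print("WEAK:", finding, "->", url)
```

The template step is what turns two hundred captured URLs into a handful of endpoints: /v1/accounts/1001/orders and /v1/accounts/1002/orders collapse to one (method, template) pair, and every placeholder in that template is a segment to attack. The same classifier list is where a tester adds the site-specific templates seen in the capture.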
  • 26. Automated RESTful Pen Testing (section divider: About RESTful Web Services; RESTful WS in the Wild; Security of RESTful WS; Pen-testing RESTful WS; Automated security testing of RESTful WS)
  • 27. How Does Automated Pen-Testing Work?
      – Crawling: determining the attack surface. Historically only link based; today it employs JavaScript emulation to get dynamic requests.
      – Attacking: parameter based. Sending known attack vectors; fuzzing parameters; comparing behavior for different users, or before and after login.
      – Pre-requisites: understanding request generation (i.e. links); understanding parameters; understanding session management.
  • 28. RESTful WS Challenges
      – Finding the attack surface by crawling.
      – Determining what elements of the request to attack.
      – Optimizing attacking time while still addressing all potential parameters.
      – Getting initial values for fuzzing.
      – Custom authentication and session management breaks common cookie sharing practices.
  • 29. Defining Rules
      – Define parameter structure for URLs.
      – Enable the tool to use documentation and the proxy-discovered attack surface.
      – Automated discovery of rules: automated import of documentation sources; applying parameter determination techniques.
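To make slide 29 concrete: a rule is a URL template naming which segments are parameters, and a seed request taken from documentation or a proxy supplies the initial values. The script below is an added example and not part of the deck; it turns one seed plus a rule list into the set of requests a scanner would send, covering the elements that slides 21 and 28 say standard form-oriented fuzzing misses (path segments, JSON body fields, header parameters, alternative methods) while leaving the session header untouched so the run does not log itself out. The seed request, the rules, the {name} template syntax and the vector list are assumptions made for the illustration.

```python
"""Rule-driven fuzz-case generation for one RESTful request (added example)."""
import json
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed seed request, as recorded through a proxy. Host, path, token and body are made up.
SEED = {
    "method": "POST",
    "url": "https://api.example.test/v1/accounts/1001/orders?notify=1",
    "headers": {"Content-Type": "application/json",
                "X-Auth-Token": "tok-a1b2c3", "X-Client-Version": "2.3"},
    "body": '{"symbol": "HP", "qty": 10}',
}

# Rules in the form the deck proposes: URL templates in which {name} marks a segment that is a
# parameter (syntax assumed for this example). Fixed segments must match literally.
RULES = ["/v1/accounts/{account}/orders", "/v1/orders/{order}"]

# A deliberately tiny vector list; a scanner carries many per vulnerability class.
VECTORS = ["'", "<script>alert(1)</script>", "../../etc/passwd", "-1", "99999999999"]
METHODS = ("GET", "POST", "PUT", "DELETE")
SLOT = re.compile(r"^\{(\w+)\}$")


def match_rule(template, path):
    """Return {slot_name: segment_index} if path fits the template, else None."""
    tsegs = template.strip("/").split("/")
    psegs = path.strip("/").split("/")
    if len(tsegs) != len(psegs):
        return None
    slots = {}
    for i, (t, p) in enumerate(zip(tsegs, psegs)):
        m = SLOT.match(t)
        if m:
            slots[m.group(1)] = i
        elif t != p:
            return None
    return slots


def generate_cases(seed, rules, session_headers=()):
    """Return (location, name, vector, request) for every attackable element of the seed.
    Headers listed in session_headers are left alone so the session survives the run."""
    parts = urlsplit(seed["url"])
    headers = seed["headers"]
    cases = []

    def emit(location, name, vector, **overrides):
        req = {"method": seed["method"], "url": seed["url"],
               "headers": dict(headers), "body": seed.get("body")}
        req.update(overrides)
        cases.append((location, name, vector, req))

    # 1. Path segments that a matching rule names as parameters.
    segs = parts.path.strip("/").split("/")
    for template in rules:
        slots = match_rule(template, parts.path)
        if slots is None:
            continue
        for slot, i in slots.items():
            for v in VECTORS:
                path = "/" + "/".join(segs[:i] + [v] + segs[i + 1:])
                emit("path", slot, v, url=urlunsplit(parts._replace(path=path)))
        break

    # 2. Query-string parameters, one at a time.
    query = parse_qsl(parts.query, keep_blank_values=True)
    for i, (key, _) in enumerate(query):
        for v in VECTORS:
            fuzzed = query[:i] + [(key, v)] + query[i + 1:]
            emit("query", key, v, url=urlunsplit(parts._replace(query=urlencode(fuzzed))))

    # 3. Top-level fields of a JSON body: the serialized input that form-oriented fuzzing misses.
    if seed.get("body") and headers.get("Content-Type", "").startswith("application/json"):
        obj = json.loads(seed["body"])
        for key in obj:
            for v in VECTORS:
                emit("json", key, v, body=json.dumps({**obj, key: v}))

    # 4. Non-standard headers carry parameters too, except the session carrier.
    for name in headers:
        if name.lower().startswith("x-") and name not in session_headers:
            for v in VECTORS:
                emit("header", name, v, headers={**headers, name: v})

    # 5. The same resource under every other verb (an unprotected DELETE is a classic find).
    for m in METHODS:
        if m != seed["method"]:
            emit("method", "verb", m, method=m)
    return cases


def summary(cases):
    """Number of generated requests per location, to judge the time budget before running."""
    return Counter(location for location, _, _, _ in cases)


if __name__ == "__main__":
    cases = generate_cases(SEED, RULES, session_headers=("X-Auth-Token",))
    print(dict(summary(cases)))
    for location, name, vector, req in cases[:3]:
        print(location, name, repr(vector), req["method"], req["url"], req["body"])
```

The summary is the selection step from slide 28 made visible: one seed with two JSON fields, one query parameter, one templated segment and one fuzzable header already yields 28 requests for five vectors, so the rule set and the vector list, not the crawler, are what decide the running time.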