PENTESTING REST API
null Bangalore Meet
Introduction
■ Nutan Kumar Panda
■ Aka @TheOsintGuy
■ Senior Information Security Engineer
■ OSINT Enthusiast
■ Presenter at BH US / BIU Israel / GroundZero Summit / CISO Summit etc.
■ Co-Author of the book "Hacking Web Intelligence"
■ Contributor to the DataSploit project
■ Active Contributor to the null Bangalore Chapter
What can you expect?
■ Basic Theory
■ My Personal Experience
■ Approach
■ Tools of the Trade
■ Test Beds
■ One Example to Think Out of the Box
■ Some Common Findings
■ Hands-on Demos
Web Services
■ SOAP
■ Components
– Service Consumer
– Service Provider
– XML (Extensible Markup Language)
– SOAP (Simple Object Access Protocol)
– WSDL (Web Services Description Language)
– UDDI (Universal Description, Discovery and Integration)
■ http://resources.infosecinstitute.com/web-services-penetration-testing-part-1/
■ ReST
■ Components
– Resources (example.com/users/1)
– Verbs (CRUD/ POGPUD)
– Media Type (application/json)
– Status Codes (200, 201, 404 etc.)
– Authentication (OAuth)
– http://www.slideshare.net/null0x00/oauth-tokens
■ http://www.slideshare.net/null0x00/pentesting-restful-webservices-v10
http://www.slideshare.net/PraveenKumarKOSCP/introduction-to-web-services-penetration-testing (page 3)
How I Started
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Approach
■ Do not jump into testing as soon as you get an endpoint or a set of endpoints
■ Ask for the documentation
■ Ask for sample requests/responses or a Postman collection
■ Ask for any particular header that is needed
■ Ask for a token, or any specific parameter or parameter values, so that you get into the right flow
■ Ask for the workflows (sometimes workflows are bound: you cannot jump directly to a web service and test it, because you need data that you only get from other endpoints)
■ It's not only about fuzzing parameters
Tools of the Trade
■ ReST Client (plug-in)
■ Postman (app and plug-in)
■ Burp (ZAP / Charles / IronWASP or any other interception proxy)
■ Hurl.it (online REST client)
■ SoapUI (https://www.youtube.com/watch?v=XV7WW0bDy9c)
■ Fuzzapi (https://github.com/lalithr95/Fuzzapi), presented just the day before at AppSec USA by Abhijeet and Lalith
– http://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using-fuzzapi
– If you like this tool, spread the word with #fuzzapi
Test Beds
■ Hackazon
– Code: https://github.com/rapid7/hackazon
– Web Version: http://hackazon.webscantest.com/
– There is an APK as well: https://github.com/rapid7/hackazon/tree/master/web/app.apk
– YouTube Video: https://www.youtube.com/watch?v=Yekzm0Olc3Y (demo starts at 24:00)
■ Mutillidae
– Code: https://sourceforge.net/projects/mutillidae/
– Video: https://www.youtube.com/watch?v=e6HAQnvuaic
■ DVWS
– Code: https://github.com/snoopythesecuritydog/dvws
– Tutorial: https://kali.tools/?p=1729
Example
POST example.com/users/view/253
{
  "user": "adam",
  "role": "tester"
}
Common Findings
■ Enumeration
■ Rate limiting not implemented
■ Information Disclosure
■ POST to GET conversion (Method Conversion)
■ IDOR
■ SQLi
■ Authorization Flaws
■ Token related issues (expiry, reuse, predictability etc.)
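The example request on the previous slide (a POST to /users/view/253 whose body claims a "user" and a "role") touches several of the findings above. The following is an added illustration, not code from the talk: a hypothetical server-side handler for that route showing what a correct implementation checks, so a tester knows what to look for when any of these checks is missing. The user table, the route table and the session ids are constructed for the example.

```python
import re

# Constructed user store: id -> record. "role" here is the server-side role,
# the only role that authorization decisions may consult.
USERS = {
    253: {"user": "adam", "role": "tester"},
    254: {"user": "eve", "role": "admin"},
}

# Route table: one declared method per resource. The deck's example is a POST
# to /users/view/<id>, so that is the only method this route accepts.
ROUTES = [("POST", re.compile(r"^/users/view/(?P<id>\d+)$"))]

NOT_FOUND = (404, {"error": "not found"})


def handle(method, path, body, session_user_id):
    """Hypothetical handler for the deck's example request.

    body is the parsed JSON object (or None); session_user_id is the user id
    bound to the caller's token, never anything taken from the request body.
    Returns (status, payload).
    """
    match = None
    for allowed_method, pattern in ROUTES:
        match = pattern.match(path)
        if match and method != allowed_method:
            # Method conversion (the POST replayed as a GET with query
            # parameters) is refused instead of being silently honoured.
            return 405, {"error": "method not allowed"}
        if match:
            break
    if match is None:
        return NOT_FOUND
    if session_user_id not in USERS:
        return 401, {"error": "unauthenticated"}

    # Mass assignment: "user" and "role" in the body are client claims and
    # carry no authority; the caller's role comes from the server-side record.
    caller_role = USERS[session_user_id]["role"]
    target_id = int(match.group("id"))

    # IDOR / authorization: a user may view only their own record unless their
    # server-side role is admin. The refusal is indistinguishable from a
    # missing record, so the endpoint cannot be used to enumerate valid ids.
    if target_id != session_user_id and caller_role != "admin":
        return NOT_FOUND
    if target_id not in USERS:
        return NOT_FOUND
    record = USERS[target_id]
    return 200, {"id": target_id, "user": record["user"], "role": record["role"]}
```

When testing a real API, each of these checks maps to one finding in the list: a different status for "forbidden" and "missing" is enumeration, honouring the body's role is an authorization flaw, and a GET that works like the POST is method conversion.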
Demo
Questions
References
■ https://www.soapui.org/testing-dojo/world-of-api-testing/soap-vs--rest-challenges.html
■ http://cybersecology.com/hackazon-review/
■ http://cybersecology.com/2014/11/googles-firing-range-test-site/
■ http://www.slideshare.net/SmartBear_Software/getting-started-with-api-security-testing
■ http://www.slideshare.net/ask4answers/rest-api-testing-with-specflow
■ http://www.slideshare.net/stormpath/rest-api-security
■ http://www.slideshare.net/taiseerjoudeh/http-services-security
Thanks