Security Testing For RESTful Applications

Similar documents
REST web services. Representational State Transfer Author: Nemanja Kojic

Lecture 11 Web Application Security (part 1)

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

HP WebInspect Tutorial

How To Protect A Web Application From Attack From A Trusted Environment

Integrating Web Application Security into the IT Curriculum

Progress OpenEdge REST

02267: Software Development of Web Services

Server based signature service. Overview


Designing RESTful Web Applications

vcommander will use SSL and session-based authentication to secure REST web services.

Application Code Development Standards

02267: Software Development of Web Services

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Chapter 1 Web Application (In)security 1

(WAPT) Web Application Penetration Testing

Enabling REST Services with SAP PI. Michael Le Peter Ha

Fairsail REST API: Guide for Developers

Automatic vs. Manual Code Analysis

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

General principles and architecture of Adlib and Adlib API. Petra Otten Manager Customer Support

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Cisco PIX vs. Checkpoint Firewall

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

Web Application Development

T320 E-business technologies: foundations and practice

Web Application Security

SAP: Session (Fixation) Attacks and Protections

Web Application Security Assessment and Vulnerability Mitigation Tests

Webmail Using the Hush Encryption Engine

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

HTTPS HTTP. ProxySG Web Server. Client. ProxySG TechBrief Reverse Proxy with SSL. 1 Technical Brief

Web Application Security

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Gateway Apps - Security Summary SECURITY SUMMARY

Secure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com

Web Application Firewalls: When Are They Useful? OWASP AppSec Europe May The OWASP Foundation

REST vs. SOAP: Making the Right Architectural Decision

White Paper Secure Reverse Proxy Server and Web Application Firewall

Software design (Cont.)

Implementation of Web Application Firewall

PARTNER INTEGRATION GUIDE. Edition 1.0

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

JVA-122. Secure Java Web Development

Mobility Information Series

<Insert Picture Here> Oracle Web Cache 11g Overview

Entrust IdentityGuard Comprehensive

Web Application Vulnerability Testing with Nessus

Creating a Secure Web Service In Informatica Data Services

Cross-domain Identity Management System for Cloud Environment

This document gives an outline of Tim Ward s work on mobile phone systems

Sage Accpac CRM 5.8. Self Service Guide

Workday Mobile Security FAQ

INTRODUCTION TO FIREWALL SECURITY

From centralized to single sign on

Implementation Guide SAP NetWeaver Identity Management Identity Provider

SiteCelerate white paper

Application security testing: Protecting your application and data

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Application Security Testing

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

elearning for Secure Application Development

How To Test Your Web Site On Wapt On A Pc Or Mac Or Mac (Or Mac) On A Mac Or Ipad Or Ipa (Or Ipa) On Pc Or Ipam (Or Pc Or Pc) On An Ip

A Signing Proxy for Web Services Security. Dr. Ingo Melzer RIC/ED

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Evolution of the WWW. Communication in the WWW. WWW, HTML, URL and HTTP. HTTP Abstract Message Format. The Client/Server model is used:

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Creating Web Services Applications with IntelliJ IDEA

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Achieving PCI Compliance Using F5 Products

Last update: February 23, 2004

Application layer Web 2.0

soapui Product Comparison

7.0 Self Service Guide

Web Application Penetration Testing

API-Security Gateway Dirk Krafzig

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Check list for web developers

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Electronic Ticket and Check-in System for Indico Conferences

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Exploiting Web 2.0 Next Generation Vulnerabilities

Authentication and Single Sign On

Using Sprajax to Test AJAX. OWASP AppSec Seattle Oct The OWASP Foundation

Domain Name System (DNS)

Adobe Systems Incorporated

Is your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016

Literature Review Service Frameworks and Architectural Design Patterns in Web Development

Transcription:

Security Testing For RESTful Applications Ofer Shezaf, HP Enterprise Security Products ofr@hp.com

What I do for a living? Product Manager, Security Solutions, HP ArcSight Led security research and product management at Breach Security & HP Fortify I am passionate about security after hours as well: OWASP leader and founder of the Israeli chapter Leads the Web Application Firewall Evaluation Criteria project Wrote the ModSecurity Core Rule Set Fun fact: the closest airport to my house is in Damascus, Syria 2

In this Presentation About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS 3

About RESTful Web Services About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS

Web Services Employing web technology (i.e. HTTP) for machine to machine communication Used for: Inter application communication Web 2.0 and Mashups Think client applications Phone applications 5

SOAP Web Services: example Highly defined Parameters are sent as a well formed XML Isn t this a rather complex way to send a single parameter? 6

SOAP Web Services Commonly used protocol set for Web Services The theory: Structures and well defined Robust Secure (?*) However: Complex and heavy, especially for phone and Web 2.0 Not the HTTP way: Designed to work on any protocol including SMTP * See WS-Attacks.org for an alternative view 7

The REST design pattern Essentially what the Web always was Client/Server Stateless Cacheable Layered Uniform Code on demand Clients are separated from servers by a uniform interface. The client server communication is further constrained by no client context being stored on the server between requests*. Responses must therefore, implicitly or explicitly, define themselves as cacheable or not A client cannot ordinarily tell whether it is connected directly to the end server, or to an intermediary along the way. A uniform interface between clients and servers simplifies and decouples the architecture. Servers are able to temporarily extend or customize the functionality of a client by transferring logic to it that it can execute. 8 8 * The server can be stateful; this constraint merely requires that server-side state be addressable by URL as a resource.

RESTful Web Services Are: A common practice for using REST design patterns for Web Services Are Not: A well defined protocol A set of software libraries or frameworks 9

RESTful Web Services: example Isn t this much simpler? GET /InStock/HP 10

Common RESTful WS Practices Use of HTTP methods to indicate action CRUD: Create (PUT), Read (GET), Update (POST), Delete (DELETE) GET /InStock/HP 11

Common RESTful WS Practices None standard parameters specifications As part of the URL None standard request parameters In headers Serialized as JSON in a parameter value of request body GET /InStock/HP 12

Common RESTful WS Practices Structured parameters and responses JSON and XML both widely used Parameter: In the request body Embedded in the value of a single parameter Response usually in the response body http://api.geonames.org/earthquakesjson?north=44.1&south=-9.9&east=-22.4& west=55.2&username=demo {"earthquakes": [ {"eqid":"c0001xgp","magnitude":8.8,"lng":142.369,"src ":"us","datetime":"2011-03-11 04:46:23","depth":24.4,"lat":38.322}, {"eqid":"2007hear","magnitude":8.4,"lng":101.3815,"sr c":"us","datetime":"2007-09-12 09:10:26","depth":30,"lat":- 4.5172}, {"eqid":"2007aqbk","magnitude":8,"lng":156.9567,"src ":"us","datetime":"2007-04-01 18:39:56","depth":10,"lat":- 8.4528},... 13

Common RESTful WS Practices Custom authentication and session management Commonly use security token/tickets While pure REST calls for URL based tokens, this is not secure and headers are often used. 14

RESTful services Documentation No common documentation format similar to WSDL. WADL (Web Application Definition Languages) is a standard proposal: Not approved Not widely used 15

RESTful WS in the Wild About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS

It s Up and Coming! 17

Everybody uses REST 18

Security of RESTful WS About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS

You Already Know This Part REST is just Web REST Security is just Web application security 20

Key issues to keep in mind No standard security mechanism similar to SOAP Web Services (WS-*) Proprietary authentication and session management. Some common design flaws associated with REST: Overreliance on SSL Session IDs used in the URL Using basic HTTP Authentication Bad implementation of SSO 21

Pen-testing RESTful WS About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS

Challenges Detecting Attack Surface Inspecting the application does not reveal application attack surface None Web applications Not all Web Service functionality actually used by application Requests are often dynamically created, Web 2.0 style. 23

Challenges Mega fuzzing None Standard Parameters Serialized JSON/XML paramters A very large number of parameters to fuzz 24

Challenges Session management Custom authentication and session management requires adjustment in every pen test. Need to follow custom SSO processes and session management breaks common cookie sharing practices. 25

Solutions Use Documentation Determine: Available services Use of HTTP methods Use of parameters Potential Sources: WADL Programing guides Configuration information Application source 26

Solutions Use Documentation Determine: Available services Use of HTTP methods Use of parameters Potential Sources: WADL Programing guides Configuration information Application source 27

Solutions Use a proxy Determining attack surface when no documentation exists Extremely helpful for: None web applications Dynamically generated requests Useful also when documentation exists to determine initial fuzzing values 28

Solutions Guessing parameters Look for none standard headers Determine if URL segments have a pattern Numerical values Well known templates such as date Look for structures in parameter values JSON, XML, YAML or other URLs with not extension 29

Automated security testing of RESTful WS About RESTful Web Services RESTful WS in the Wild Security of RESTful WS Pen-testing RESTful WS Automated security testing of RESTful WS

How does automated pen-testing work? Crawling Determining attack surface Historically only links based Today employ JavaScript emulation to get dynamic requests Prerequisites Understanding request generation (i.e. links) Understanding parameters Attacking Sending known attack vectors Fuzzing parameters Session based Understanding session management 31

RESTful WS Challenges Finding attack surface by crawling Determining what elements of the request to attack Optimizing fuzzing time while still addressing all potential parameters Getting initial values for fuzzing Custom authentication and session management breaks common cookie sharing practices 32

One: define rules Define parameter structure for URL Use rules when crawling and attacking Rule can be: User defined Imported documentation, WADL or configuration files Proxy discovered attack surface, potentially during crawl. Or Get smart! WebInspect 9.2 REST rule editor 33

Two: ask the server A server module communicating with the scanner can: Identify rewrites Send configuration and debug information Provide file and method structure Monitor server based session information Java or.net Virtual Machine Target Program <Rule> Monitor Event Program Point Handlers <Event Handler> Action Log Fortify Run Time Architecture 34

Three: Look for highly varying URL segments http://www.44tips.com:80/svc/grid.asmx/getcontentitems http://www.44tips.com:80/js/templates/new/controlpanelsearch.htm?v=2 http://www.44tips.com:80/svc/grid.asmx/getrelatedlistitems http://www.44tips.com:80/svc/grid.asmx/getcontentitems http://www.44tips.com:80/js/templates/publishsetdialog.htm http://www.44tips.com:80/svc/grid.asmx/getusercollectioninfo http://www.44tips.com:80/svc/grid.asmx/getusersetthumburls http://www.44tips.com:80/svc/grid.asmx/iscollectiontitleunique http://www.44tips.com:80/svc/grid.asmx/insertcollection http://www.44tips.com:80/svc/grid.asmx/getcontentitems http://www.44tips.com:80/svc/grid.asmx/getusersetthumburls http://www.44tips.com:80/svc/grid.asmx/getrelatedlistitems http://www.44tips.com:80/svc/grid.asmx/getrelatedlistitems http://www.44tips.com:80/svc/grid.asmx/getusercollectioninfo http://www.44tips.com:80/c/k1collection/sem_schilt/i72665/sem_schilt http://www.44tips.com:80/c/k1collection/sem_schilt/i72662/mirko_cro_cop _vs Semmy_Schilt Video_Game_ http://www.44tips.com:80/c/k1collection/sem_schilt/i72661/josh_barnett_ vs Semmy_Schilt_II_Part_1 http://www.44tips.com:80/c/k1collection/sem_schilt/i72660/_part_2 Fedo r_vs_semmy_schilt PRIDE_21 23_06_2002_ http://www.44tips.com:80/c/k1collection/sem_schilt/i72659/fedor_emelian enko_vs_semmy_schilt Part_4_4_ svc/grid.asmx/{param} c/k1collection/sem_schilt/{param1}/{param2} {param1}/{param2}/{param3}/{param4}/{param5} 35

Four: examine response codes 404 analysis Examine if folder access returns 404 everything beyond the folder is a parameter 36

Thank You! Ofer Shezaf, ofr@hp.com 37

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information