PainTESTING (Penetration testing) RESTful Web Services

Abstract

Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Through my research, and from peers working in the information security space, I found that most pen testers consider web services secondary attack vectors when it comes to web applications. I also found that developers, just as with any other web application, do not really focus much on implementing proper security controls in web services. With the help of this paper, we shall try to establish the need for security/penetration testing of microservices such as web services, specifically RESTful APIs, with the help of some open source and commercial tools, with special attention on a methodology and approach prepared specifically for penetration testing of RESTful web services, keeping the DevSecOps principle in practice.

This paper briefly talks about

1. What are web services? SOAP/REST

2. State of web service security

3. Need for automating Pentesting for Restful api

4. Methodology/Tools

5. Conclusion

About RESTful web services

SOAP (Simple Object Access Protocol) and REST (Representational State Transfer) are both styles of web service communication. SOAP was long the standard approach to web service interfaces, although it has been dominated by REST in recent years, with REST now representing more than 70% of public APIs according to Stormpath. REST is often described as a simple web service communication protocol, but it is not really a protocol at all. It is an approach that leverages the HTTP protocol, in which data is uniquely referenced by URL and can be acted upon using the HTTP operations (GET, PUT, DELETE, POST); the acronym stands for Representational State Transfer. For example, to read data about a customer you could use an HTTP GET operation with the URL http://www.example.com/customers/1. If you want to delete that customer, simply use the HTTP DELETE operation with the same URL.

• REST allows a greater variety of data formats, whereas SOAP only allows XML.

• Coupled with JSON (which typically works better with data and offers faster parsing), REST is generally considered easier to work with.

• Thanks to JSON, REST offers better support for browser clients.

• REST provides superior performance, particularly through caching for information that is not altered and not dynamic.

• REST is generally faster and uses less bandwidth.

• It is the style used most often for major services such as Yahoo, eBay, Amazon, and even Google.

How vulnerable are web service/API?

Most web services communicate over the HTTP protocol and are essentially still web applications without a GUI. They suffer from the same vulnerabilities as their presentation-oriented counterparts. The top web application vulnerabilities, like those outlined in the OWASP Top 10, still apply to web services. The goal of this paper, however, is not to discuss the vulnerabilities but to outline the approach and tools which can be used against them and which also help in automating the entire penetration testing process. Common vulnerabilities in RESTful APIs-

• API Leakage

• SQLi/XSS

• Rate Limiting

• IDOR

• Information Disclosure

• Post to Get conversion

• Authorization and Authentication
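The following is an added example, not code from the paper: two of the weaknesses listed above, IDOR and POST-to-GET conversion, shown in a tiny in-memory handler next to a hardened version. The route shape follows the paper's /customers/1 example; the handler names, the user names alice and bob, and the customer records are constructed for this illustration and are not from any real API.

```python
"""
Added example (not from the paper): IDOR and POST-to-GET conversion in a
minimal REST handler, with the hardened equivalent beside it.
All identifiers and records here are constructed.
"""
import copy
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample data: each customer record belongs to one account owner.
_SEED = {
    1: {"owner": "alice", "name": "Alice Example", "email": "alice@example.com"},
    2: {"owner": "bob", "name": "Bob Example", "email": "bob@example.com"},
}


def fresh_store():
    """Return an independent copy of the sample records for one scenario."""
    return copy.deepcopy(_SEED)


@dataclass
class Request:
    method: str   # HTTP method as sent by the client
    path: str     # path plus optional query string, e.g. /customers/2?x=y
    user: str     # authenticated principal; authentication is assumed done


def _parse(path):
    """Split '/customers/<id>?k=v' into (customer id or None, query dict)."""
    route, _, query = path.partition("?")
    parts = route.strip("/").split("/")
    valid = len(parts) == 2 and parts[0] == "customers" and parts[1].isdigit()
    return (int(parts[1]) if valid else None), parse_qs(query)


def handle_vulnerable(req, store):
    """Returns (status, body). Deliberately weak, mirrors the list above."""
    cid, query = _parse(req.path)
    record = store.get(cid)
    if record is None:
        return 404, None
    # Weakness 1 (IDOR): req.user is never compared with record["owner"], so
    # any authenticated caller can read or delete any customer id.
    # Weakness 2 (POST-to-GET conversion): the state-changing delete is also
    # honoured on a plain GET via ?action=delete, so a simple link triggers it.
    if req.method == "DELETE" or query.get("action") == ["delete"]:
        del store[cid]
        return 204, None
    return 200, record


def handle_hardened(req, store):
    """Same routes, with object-level authorization and method enforcement."""
    cid, _query = _parse(req.path)
    record = store.get(cid)
    if record is None:
        return 404, None
    # Object-level authorization: the principal must own the record it names.
    if record["owner"] != req.user:
        return 403, None
    # State changes are tied to the HTTP method, never to a query parameter.
    if req.method == "GET":
        return 200, record
    if req.method == "DELETE":
        del store[cid]
        return 204, None
    return 405, None


if __name__ == "__main__":
    store = fresh_store()
    print(handle_vulnerable(Request("GET", "/customers/2?action=delete", "alice"), store), store)
    store = fresh_store()
    print(handle_hardened(Request("GET", "/customers/2?action=delete", "alice"), store), store)
```

When testing an API, the check for IDOR is exactly the first scenario: authenticate as one user and request another user's object id. Many teams return 404 rather than 403 for a record the caller does not own, so that the response does not confirm the id exists; that choice ties into the Information Disclosure item in the list above.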

Why automate penetration testing of rest APIs?

RESTful application program interfaces (APIs) are a key ingredient to building powerful, scalable web-based applications. But they can also open the door to web-based attacks, while also baffling traditional penetration testing tools and processes. So why does traditional web application testing with scanners and penetration testing struggle with REST? Let's look at some of the reasons below.

1. It is hard to determine the attack surface (URL space). In traditional HTTP applications, web application scanners can crawl through the entire URL space by iteratively fetching linked URLs in page sources. However, REST APIs expose resources and transactional operations on them, and most apps make use of only a subset of these, so determining the entire URL space and attack surface is not easy.

2. There is a lack of out-of-band API metadata to use as a guide. When testing web services, scanners typically make use of Web Service Definition Language (WSDL) to determine the URLs and parameters, which makes fuzz testing easy. However, REST principles discourage such out-of-band schema metadata.

3. It is hard to determine navigation paths and user input locations. Determining URL spaces is further complicated by the fact that REST often uses URL paths for input parameters, which could be injected with malicious data. For example: https://www.example.com/api/phonebook/UserID/12345 The parameter name (UserID) and value (12345) are in the URL path. This is a common practice in REST, but it completely throws off automated test tools. They have no way of knowing what to do with such elements, whether to consider them as "directories" or to fuzz test them as parameters.

4. Dynamically generated URLs. REST-based services often use AJAX as a common design pattern, especially for interactive front ends. This generates URLs dynamically on the client. Simply parsing the response content to find URLs and injection points is not enough. Vulnerability scanners (as well as the big search engines) have a hard time crawling through such content.

5. Lengthy test cycles. For longer inputs, REST-based applications often use POST requests with JSON or XML data containing several key-value pairs. Testing all of these could be voluminous and require a significantly longer time for fuzz testing. In the next part of this series, we will see how using web application security helps mitigate not only these but several other issues relating to REST security. Hence the need to focus on vulnerability scanning tools which can completely automate the entire penetration testing process. Among the plethora of tools that are out there, FuzzAPI is one such tool, which takes the leap in terms of the different kinds of vulnerabilities it can uncover with limited operational parameters.
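The following is an added example, not code from the paper or from FuzzAPI: a small input-location finder of the kind an API test tool needs in order to cope with points 3 and 5 above. It treats path segments that look like values (numeric ids, UUIDs, long hex or opaque tokens) as parameters rather than directories, enumerates query parameters, and flattens a nested JSON body into dotted key paths, then lets a caller substitute a value at any of those points. The URL is the paper's phonebook example; the query string, the JSON body and the helper names are constructed for this illustration.

```python
"""
Added example (not from the paper or FuzzAPI): locating user-input positions
in a REST request that crawlers and WSDL-driven scanners miss.
Sample URL/body below are constructed test input.
"""
import copy
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Heuristics for path segments that carry a value rather than a resource name.
_VALUE_PATTERNS = [
    re.compile(r"^\d+$"),                                                   # numeric id
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),  # UUID
    re.compile(r"^[0-9a-f]{16,}$", re.I),                                   # long hex token
    re.compile(r"^[A-Za-z0-9_-]{20,}$"),                                    # opaque/base64url-like token
]


def _looks_like_value(segment):
    return any(p.match(segment) for p in _VALUE_PATTERNS)


def _json_leaves(obj, prefix=""):
    """Yield (dotted_path, value) for every scalar leaf of a JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _json_leaves(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _json_leaves(val, f"{prefix}[{idx}]")
    else:
        yield prefix, obj


def find_injection_points(url, body=None):
    """Return a list of {"where", "index", "name", "value"} dicts.

    where is "path", "query" or "json"; index is the path segment position
    (path points only); name is the preceding segment for path values
    (UserID for .../UserID/12345), the parameter name, or the JSON key path.
    """
    parts = urlsplit(url)
    points = []
    segments = parts.path.strip("/").split("/")
    for i, seg in enumerate(segments):
        if _looks_like_value(seg):
            name = segments[i - 1] if i else f"segment{i}"
            points.append({"where": "path", "index": i, "name": name, "value": seg})
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        points.append({"where": "query", "index": None, "name": key, "value": val})
    if body is not None:
        for path, val in _json_leaves(body):
            points.append({"where": "json", "index": None, "name": path, "value": val})
    return points


_TOKEN = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def _set_json(obj, path, value):
    """Return a deep copy of obj with the leaf at dotted path replaced."""
    new = copy.deepcopy(obj)
    tokens = [int(i) if i else k for k, i in _TOKEN.findall(path)]
    cur = new
    for tok in tokens[:-1]:
        cur = cur[tok]
    cur[tokens[-1]] = value
    return new


def substitute(url, body, point, new_value):
    """Return (url, body) with new_value placed at the given point; inputs untouched."""
    parts = urlsplit(url)
    if point["where"] == "path":
        segs = parts.path.strip("/").split("/")
        segs[point["index"]] = new_value
        return urlunsplit(parts._replace(path="/" + "/".join(segs))), body
    if point["where"] == "query":
        pairs = [(k, new_value if k == point["name"] else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        return urlunsplit(parts._replace(query=urlencode(pairs))), body
    return url, _set_json(body, point["name"], new_value)


# Constructed sample request: the paper's phonebook URL plus a JSON body.
SAMPLE_URL = "https://www.example.com/api/phonebook/UserID/12345?format=json"
SAMPLE_BODY = {"name": "Jane", "address": {"zip": "10001", "phones": ["555-0100"]}}

if __name__ == "__main__":
    for pt in find_injection_points(SAMPLE_URL, SAMPLE_BODY):
        print(pt)
```

On the sample request this yields five points (one path value, one query parameter, three JSON leaves), which is also why test cycles grow: every payload in a fuzz list has to be tried at every point, so the number of requests is the product of the two. Running the same finder over a proxy capture of the real client gives the URL space that a link-crawling scanner cannot discover on its own.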

FUZZ API

Fuzzapi is an API fuzzer that helps developers and pen testers fuzz APIs and find a few commonly found vulnerabilities. The tool can be integrated into the build pipeline to allow developers to identify vulnerabilities prior to pen testing. Pen testers can also use this tool against various APIs during their testing, which allows them to automate a few tasks.

How to Setup-

Tool Interface-

Tool Results-

Conclusion

With the introduction of Lean, Agile, Scrum and DevOps, a shift-left paradigm exists which requires the operational aspects of software support to move earlier in the supply chain using collaborative methods. Critical tools and processes are also being migrated closer to enabling platforms, such as the public cloud, to make it easier to address these operational concerns earlier within the software supply chain. This makes it possible to remove gating processes that cause bottlenecks and reduce speed to innovation. RESTful APIs are vulnerable now more than ever. It's time to start adapting to DevSecOps. It's time to start pentesting REST APIs.

References & Appendix

1. https://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using-fuzzapi

2. https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

Author Biography

With over 5 years of experience in information security, I'm currently responsible for vulnerability assessment and penetration testing at QA InfoTech as a Lead Software Engineer, Security Testing. I have developed two utilities in Python on Android appsec, one which automates the reverse engineering process and the other which automates the code review process, both of which I presented last year at STC 2016. I have written various whitepapers and articles on web and mobile application security testing. I was also invited as a guest lecturer on Android application security testing at Adobe, Noida last year.

THANK YOU!