Today we are discussing RESTful web services penetration testing. Web services are the technologies used for data transmission between a client and a server in real time; according to the W3C web services glossary, a web service is a software system designed to support interoperable machine-to-machine interaction over a network, or, put simply, a connection between a client and a server, or between two applications, for data transmission. The two kinds of services mainly used in development environments are REST and SOAP, with content formats such as JSON, XML, plain text, JPEG and PDF.
In this post we concentrate on RESTful web services with the JavaScript Object Notation (JSON) content type. The penetration testing methodology for these applications remains the same as for other web applications, with some small changes in the attack vectors; below we look at the different types of attacks, or test cases, used to test REST applications.
1. SQL Injection:
SQL injection is an attack where a malicious user injects code to break out of the defined SQL query and fetch data from the database. In REST services SQL injection is one of the major test cases, executed on the user-controlled variables or entry points; many times this vulnerability can only be confirmed through blind SQL injection. In the figure below the username parameter is injected with an encoded SQL query to fetch the user details, which can be seen in the response.
The screenshot below shows the response to the same request in the browser, listing all user details in the application.
2. Cross Site Scripting:
A cross-site scripting vulnerability arises when attacker-entered input is rendered in the browser in an unsafe manner. Even though this vulnerability is seen less often in REST web services, parameters that handle string data are still suitable entry points. In the figure below the Tool-ID parameter is injected with a payload and its rendering can be seen in the immediate response; using this vulnerability an attacker can perform virtual defacement, cookie stealing and so on against the application.
The same response requested in the browser, to see how the injected code is rendered, can be seen in the figure below.
3. Cross-Site Request Forgery:
Cross-site request forgery is an attack where an attacker sends a request to the server pretending to be a user, in order to perform operations in the application. It arises when the application depends solely on cookies to validate the user on the server side. In JSON services this attack can be performed with a request such as the sample JSON request shown below.
POST /site/getuserdetails HTTP/1.1
Host: 192.168.0.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/55.0
Content-Type: application/json;
Cookie: sessonid=we124kiu78gftkogh0784;
{"userid":"1","username":"test@test.com"}
In the above request it can be seen that the application uses only the session id to validate the user at the server end, so an attacker can form a cross-site request to get the user details, as shown below.
<html>
<form action="192.168.0.111/site/getuserdetails" enctype="application/json" method="POST">
<input name='{"userid":"1","username":"test@test.com"}' type='hidden'>
<input type=submit>
</form>
</html>
Submitting this form fetches the user details by executing the cross-site request.
4. Username Enumeration:
In a REST service based application an attacker may be able to enumerate usernames; the Forgot Password and User Login functions are the usual entry points for this type of attack. Most applications use default usernames for operations, such as Admin, Customer care and userXXX, or admin@companyname.com, customercare@companyname.com and userXXX@companyname.com. Basic application-level reconnaissance or a walkthrough can give a hint for performing this type of attack.
5. XML External Entity Injection Attack:
An XML External Entity injection attack arises when an application processes user-entered XML data in the request without disabling references to external resources. Applications rarely require references to external resources, yet by default the XML parser supports them; such entities can reference the file system or other sensitive information in the application. Below is the JSON request for getting the user details from the application.
POST /site/getuserdetails HTTP/1.1
Host: 192.168.0.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/55.0
Accept: application/json
Content-Type: application/xml;
Cookie: sessonid=we124kiu78gftkogh0784;
{"userid":"1","username":"test"}
In the above request it can be seen that the application accepts the XML content type, for which an attacker can form the payload shown below.
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE api [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<userid>1</userid>
<username>test</username>
</root>
If the XML parser processes the request, the attack is executed and the response contains the contents of the password file.
6. Brute Force:
Brute force is another attack type that can be executed against a vulnerable REST application; many times the login page of the application is vulnerable to it. The attack involves guessing usernames and passwords using wordlists.
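A login handler that closes both of the entry points discussed in sections 4 and 6, added here as an example rather than code from the post: an unknown username and a wrong password produce the same response, an unknown username still costs one password hash so response time does not reveal it either, and a per-username counter refuses further attempts after five failures in five minutes. The user store, the thresholds and the function names are constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

GENERIC_ERROR = "Invalid username or password"   # same text for unknown user and wrong password
LOCKOUT_ERROR = "Too many attempts, try again later"
MAX_ATTEMPTS = 5          # assumed: failed attempts allowed per username per window
WINDOW_SECONDS = 300      # assumed: sliding window for the counter
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store (hypothetical); a real service keeps this in a database.
USERS = {"test@test.com": hash_password("correct horse battery staple")}
# Dummy record so an unknown username costs exactly one hash, like a known one.
_DUMMY = hash_password("unused-placeholder-password")

_failed = {}   # username -> timestamps of recent failed attempts (in-memory for the example)


def login(username: str, password: str, now: Optional[float] = None) -> dict:
    """Authenticate one attempt; 'now' is injectable so the counter can be tested."""
    now = time.time() if now is None else now
    recent = [t for t in _failed.get(username, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_ATTEMPTS:
        _failed[username] = recent
        # Counted per submitted username, so known and unknown names lock identically.
        return {"status": 429, "error": LOCKOUT_ERROR}
    stored = USERS.get(username, _DUMMY)
    # Hash first, then check existence, so both branches do the same work.
    ok = verify_password(password, stored) and username in USERS
    if ok:
        _failed.pop(username, None)
        return {"status": 200}
    _failed[username] = recent + [now]
    return {"status": 401, "error": GENERIC_ERROR}


if __name__ == "__main__":
    print(login("test@test.com", "correct horse battery staple"))
    print(login("nobody@test.com", "guess"))
```

The Forgot Password function needs the same discipline: return one neutral message ("if the address is registered, an e-mail has been sent") whether or not the account exists, and apply the same counter to it.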
Hardening REST web services:
Hardening REST web services means securing the application against the attacks above; some of the best practices for securing the application are listed below.
1. Authentication and Authorization:
- The authentication mechanisms in REST services include Basic and Digest; both have their own limitations, which the designer must be aware of before implementing them, and there must be proper server-side validation of the user for every application operation.
- HTTP methods must be implemented with a proper session token or API key to perform the operation on the server end. The different HTTP methods (GET, POST, PUT and DELETE) are validated before the request advances to the server.
- Against cross-site request forgery the application must implement a unique token, or use the X-CSRF-Guard header, which is the best practice; against insecure direct object reference attacks, primary and foreign keys are checked properly before executing the request.
2. Input Validation:
User-controlled data must be sanitized properly, and whitelist-based validation is preferred; input validation also involves the following.
- Using secure parsing methods for XML-based inputs to the application, to avoid attacks such as XML External Entity injection.
- Validating the content type of the request on the server side when using the HTTP methods POST and PUT.
- Validating the different response types, such as application/json and application/xml, in the Content-Type header.
- Using framework-provided validation; many frameworks, such as Jersey, provide automatic validation.
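For the XML External Entity scenario in section 5 and the "secure parsing" bullet above, an added example (not the post's code) of a parser that refuses DTDs outright, written against Python's expat bindings: the DOCTYPE handler fires before any entity inside it can be declared, parameter entities are never fetched, and external entity references are rejected as well. The element names follow the request body in section 5; the size limit is an assumed value.

```python
import xml.parsers.expat as expat

MAX_BODY_BYTES = 64 * 1024   # assumed limit for this endpoint's XML bodies


class UnsafeXMLError(ValueError):
    """The document used a DTD, an entity declaration or an external entity."""


def parse_user_xml(data: bytes) -> dict:
    """Parse <root><userid>..</userid><username>..</username></root> into a dict,
    refusing any document that declares a DTD or entities."""
    if len(data) > MAX_BODY_BYTES:
        raise UnsafeXMLError("body too large")
    parser = expat.ParserCreate()
    parser.buffer_text = True
    # Never load an external DTD subset or parameter entities from outside the document.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_args):
        # Reached at '<!DOCTYPE', before an <!ENTITY ...> inside it could be declared;
        # an exception raised in an expat handler aborts the parse and propagates.
        raise UnsafeXMLError("DOCTYPE, entity declarations and external entities are not accepted")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject

    fields = {}
    stack = []  # (element name, collected text chunks), innermost element last

    def start(name, _attrs):
        stack.append((name, []))

    def chars(text):
        if stack:
            stack[-1][1].append(text)

    def end(name):
        _name, chunks = stack.pop()
        if stack:  # a child of the root element: record its text content
            fields[name] = "".join(chunks).strip()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return fields


if __name__ == "__main__":
    sample = b'<?xml version="1.0" encoding="UTF-8"?><root><userid>1</userid><username>test</username></root>'
    print(parse_user_xml(sample))
```

In a request handler, both UnsafeXMLError and expat.ExpatError (malformed XML) map to 400 Bad Request; the distinction matters only for logging, where a rejected DOCTYPE is worth recording as a probe.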
3. Data Encoding:
In REST services, encoding is applied while transmitting data:
- JSON encoding is preferred for user-supplied data to prevent arbitrary remote code execution and other attack types; this is done by using a JSON serializer.
- XML encoding is another mechanism, used to check that the XML content sent to the browser is parseable and does not contain XML injection.
- Using security headers is encouraged.
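An added example for the JSON serializer and security-header bullets above, and for the reflected Tool-ID value in section 2 (not code from the post): a string-built JSON body next to a serializer-built one, a JSON response whose headers keep the browser from treating the body as HTML, and HTML escaping for the one case where a value is written into a page. Header values and function names are assumptions.

```python
import html
import json

# Constructed response headers for a JSON API (example values, not from the post).
RESPONSE_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",   # the body is never sniffed into HTML
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Cache-Control": "no-store",
}


def naive_json(username: str) -> str:
    """What the bullet warns against: building JSON by string formatting.
    A quote in the input terminates the string and the caller can add keys."""
    return '{"role": "user", "username": "%s"}' % username


def encode_json(payload) -> bytes:
    """Serialise with the JSON library, then escape <, > and & as \\uXXXX so the
    body stays inert even if a page later embeds it inside HTML or a <script>."""
    text = json.dumps(payload, ensure_ascii=True, separators=(",", ":"))
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        text = text.replace(ch, esc)
    return text.encode("ascii")


def json_response(payload) -> tuple:
    """(headers, body) for a JSON API response."""
    return dict(RESPONSE_HEADERS), encode_json(payload)


def render_tool_id_html(tool_id: str) -> str:
    """If a value such as Tool-ID is ever rendered into HTML, encode it for that context."""
    return "<p>Tool-ID: %s</p>" % html.escape(tool_id, quote=True)


if __name__ == "__main__":
    headers, body = json_response({"tool_id": "<b>demo</b>"})
    print(headers["Content-Type"], body)
    print(render_tool_id_html("<b>demo</b>"))
```

The escaping in encode_json is valid JSON (the replaced characters only ever occur inside strings), so ordinary clients decode it unchanged; nosniff plus an application/json content type is what stops the reflected value from section 2 executing when the response is opened in a browser.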
4. HTTP Status Code:
HTTP defines a status code for every response. In a REST application do not use only 200 for success and 404 for error; HTTP defines a list of codes, and a REST API should use them, for example:
- 201 Created – Resource created.
- 202 Accepted – Accepted for processing.
- 400 Bad Request – Malformed request having a message body format error.
- 401 Unauthorized – Wrong or no Authentication.
- 403 Forbidden – Authentication succeeded but the user doesn't have permission to access the resource.
- 405 Method Not Allowed – Unexpected HTTP method.
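Pulling together the forged request from section 3, the token, content-type and direct-object-reference checks from the hardening list, and the status codes above: an added example (not the post's code) of server-side validation for POST /site/getuserdetails. The session table, the X-CSRF-Token header name and the token value are constructed assumptions; the cookie name is the one in the post's request. 415 Unsupported Media Type is a standard code that is not in the list above.

```python
import hmac
import json
from urllib.parse import urlencode

# Constructed server-side session table (hypothetical): the cookie value from the
# post's request maps to user 1 and to a CSRF token issued with that session.
SESSIONS = {
    "we124kiu78gftkogh0784": {"userid": "1", "csrf_token": "example-csrf-token-for-session-1"},
}
ALLOWED_METHODS = {"POST"}
CSRF_HEADER = "X-CSRF-Token"      # assumed header name, not one the post specifies
SESSION_COOKIE = "sessonid"       # cookie name exactly as it appears in the post's request


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _cookies(headers: dict) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2;' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in _header(headers, "Cookie").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def validate_request(method: str, headers: dict, body: bytes) -> tuple:
    """Return (HTTP status, reason or parsed body) for POST /site/getuserdetails."""
    if method not in ALLOWED_METHODS:
        return 405, "Method Not Allowed"
    session = SESSIONS.get(_cookies(headers).get(SESSION_COOKIE, ""))
    if session is None:
        return 401, "Unauthorized"
    # A cross-site HTML form cannot send application/json; rejecting every other
    # media type stops the forged-form request before the body is even read.
    media_type = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, "Unsupported Media Type"
    # The CSRF token rides in a custom header that only same-origin script can set,
    # compared in constant time against the token bound to this session.
    token = _header(headers, CSRF_HEADER).encode("utf-8")
    if not hmac.compare_digest(token, session["csrf_token"].encode("utf-8")):
        return 403, "Forbidden"
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "Bad Request"
    if not isinstance(data, dict) or "userid" not in data:
        return 400, "Bad Request"
    # Authorisation: the requested record must belong to the authenticated session
    # (the insecure direct object reference check from the hardening list).
    if str(data["userid"]) != session["userid"]:
        return 403, "Forbidden"
    return 200, data


def legitimate_request() -> tuple:
    """The post's JSON request, sent by same-origin script with the CSRF header."""
    headers = {
        "Cookie": "sessonid=we124kiu78gftkogh0784;",
        "Content-Type": "application/json; charset=utf-8",
        CSRF_HEADER: SESSIONS["we124kiu78gftkogh0784"]["csrf_token"],
    }
    return validate_request("POST", headers, b'{"userid":"1","username":"test@test.com"}')


def forged_form_request() -> tuple:
    """The post's cross-site <form>: browsers ignore enctype=application/json and
    submit application/x-www-form-urlencoded with the JSON text as the field name."""
    headers = {
        "Cookie": "sessonid=we124kiu78gftkogh0784;",   # the browser attaches it automatically
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({'{"userid":"1","username":"test@test.com"}': ""}).encode("ascii")
    return validate_request("POST", headers, body)


if __name__ == "__main__":
    print(legitimate_request())
    print(forged_form_request())
```

The order of the checks is deliberate: method and session first, media type before parsing, token before any data is touched, and the ownership check last on parsed data; each failure returns a distinct code from the list above without leaking whether the record exists.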
5. Cryptography:
- Transport Layer Security (TLS) is properly implemented to avoid network-level attacks.
- The web application must be secured with encryption when storing and accessing data.
References:
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
About Author:
Prakash Dhatti is an information security enthusiast working as an information security consultant @ISECURION, interested in application and network security.
Great Write-Up Prakash, Keep it up!!!
Great Writeup Prakash, keep it up!!!
Hi Prakash,
Thanks for this insightful blog.
What is your opinion on testing RESTful APIs using the owasp/zap2docker-weekly zap-api-scan.py script?
Have you ever tried it?
I've been following you since you started your blog. This is top notch information and I'm really happy to connect with your great work.
Superb information from this article and I have to tell you, your blog giving the best and useful information.
Thank you for the awesome blog. It helped me a lot 🙂
Thanks Sophia.
I simply wanted to write down a quick word to say thanks to you for those wonderful tips and hints you are showing on this site.
Really interesting and original examples. Very well done!