Transcription
Security Testing For RESTfulApplicationsEyal Fingold & Ofer Shezaf, HP Enterprise Security Products Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein issubject to change without notice. Confidentiality label goes here
Agenda What are RESTful services (REST)? Security Issues in REST Challenges in security testing for REST Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
What are RESTful services (REST)Security Issues in RESTChallenges in security testing for RESTWhat is REST?3 Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein issubject to change without notice. Confidentiality label goes here
So What REST?Representational State Transfer (REST) is a style of softwarearchitecture for distributed systems such as the World Wide Web(but not just Web)Is: A style of softwarearchitecture Essentially how the webhave always workedIs Not: A well defined protocol A set of software libraries orframeworks4 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
The TheoryClient/Server Clients are separated from servers by a uniform interface.Stateless The client–server communication is further constrained by no clientcontext being stored on the server between requests*.Cacheable Responses must therefore, implicitly or explicitly, define themselvesas cacheable or notLayered A client cannot ordinarily tell whether it is connected directly to theend server, or to an intermediary along the way.Uniform A uniform interface between clients and servers simplifies anddecouples the architecture.Code on demand(optional) Servers are able to temporarily extend or customize the functionalityof a client by transferring logic to it that it can execute.* The server can be stateful; this constraint merely requires that server-side state be addressable by URL as a resource.5 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
So What RESTful services?is a simple web service implemented using HTTP and the principlesof REST.It is a collection of resources, with three defined aspects: URI for the web service, such as http://example.com/resources/ The Internet media type of the data supported by the webservice. This is often JSON, XML or YAML but can be any othervalid Internet media type. The set of operations supported by the web service using HTTPmethods (e.g., POST, GET, PUT or DELETE, HEAD etc ).6 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
It’s Up and Coming!But what is it?7 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
The Pitch for RESTWe are tired of SOAP and WSDLWould you like something cleaner than SOAP? Something less impenetrable thanWSDL? Something less confusingly intertwingled than the various WS-* bafflegabstandards? . Say, just what is this Web Services jazz anyhow?Let’s just get return to basicsIt’s all No Problem. It’s all Easy as Pi. REST isn’t some obscure thing that nobodysupports; it’s the way the Web already works, just formalized a bit and with somedo’s and don’ts.(John Cowan) Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
Who Uses REST?9 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
RESTful services frameworksMore than 35 frameworks covering most platforms:RubyJava.Net (C#, VB)PHPPerlPythonC etc & Mobile, Mobile, Mobile 10 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
In PracticeHTML 1.1 is essentially a RESTful protocolSOAP Request example:The same request, the REST way:GET /StockPrice HTTP/1.1GET /StockPrice/HPQ HTTP/1.1Host: example.orgHost: example.orgContent-Type: application/soap xml;Accept: text/xmlcharset utf-8 Content-Length: nnnAccept-Charset: utf-8 ?xml version "1.0"? env:Envelopexmlns:env "http://www.w3.org/2003/05/soap-envelope"xmlns:s "http://www.example.org/stock-service" env:Body s:GetStockQuote s:TickerSymbol HPQ /s:TickerSymbol /s:GetStockQuote /env:Body /env:Envelope 11 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
However It often doesn’t look like your typical Web (1 or 2) applicationParameters in HeadersNone StandardParameters/MethodNone Standard AAA12 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
What are RESTful services (REST)Security Issues in RESTChallenges in security testing for RESTREST Security1 Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein issubject to change without notice. Confidentiality label goes here
REST Security Overview No standard security mechanism similar toSOAP Web Services (WS-*) Most session management methods are notREST oriented:– REST is supposed to be stateless.– However often standard Web practices are used. (Over)relying on:– SSL– HTTP Authentication (Basic!, Digest or customheaders) SSO– Web app calling REST services Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
Are There Any RESTful specific Vulnerabilities?Well, it seems the most common attack vector is a REST one .the attacker may be able to exploit the URLpublished as a Get method that actually performsupdates (instead of merely retrieving data). Thismay result in malicious or inadvertent altering ofdata on the server. Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
More SeriouslyDesign pattern relatedvulnerabilities Restful Privilege Elevation Utilizing REST's Trust in theSystem Resource to RegisterMan in the Middle Session ID in the URL Related to commonlyuse implementationmethodSomewhat linked toRESTAny Other WebApplication Vulnerability XSRF It is just a web applicationafter all JSON hijacking arrayvulnerabilityNothing to Call Home About Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here16
What are RESTful services (REST)Security Issues in RESTChallenges in security testing for RESTTesting Challenges1 Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein issubject to change without notice. Confidentiality label goes here
Parameters Embedded in URLsSusceptible to Injection and Manipulation18 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
And Other Strange Locations Parameters in request headers Matrix parameters JSON/XML as a structured valueto other parameters19 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
The Attack Surface IssueREST APIs are Challenging to Map Larger than actually used in application:– URIs, Methods, Parameters Poorly documented:– WADL is only a proposed standard and hardly everused. Many different ways to express parameters. Especially difficult for automated pentesting.20 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
Solutions Manual Definition of the Attack Surface Analyze Documentation & Configuration Automated Discovery of Rules21 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
Manual Definition of the Attack SurfaceTwo use cases: Define the entire API –complete but difficult.Possible, especially aspart of a rigorous QA(SoapUI example on right). Define templates foridentifying and handlingREST during crawl.– Critical for JS frameworks.22 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
Analyze Documentation & ConfigurationInformal documentation: Highly unstructured Requires heuristic, training andtrial and error.Web Servers and applicationsconfiguration: Easier to use but a limitedsolution.23 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
Automated Discovery of Rules Irregular 404 codes– Including site specific ones. Pattern analysis:– Matrix parameters– JSON or XML as values to parameters Irregular headers And .– Need to wait till year end .24 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
Thank You!25 Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here
REST Security Overview No standard security mechanism similar to SOAP Web Services (WS-*) Most session management methods are not REST oriented: –REST is supposed to be stateless. –However often standard Web practices are used. (Over)relying on: –SSL –HTTP Authentication (Basic!, Digest or custom headers) SSO
