
I have been encountering more and more clients needing their API (usually REST) endpoints tested for vulnerabilities and wanted to reach out to see if anyone has some recommendations beyond what I have been doing.

I am very familiar with the REST security cheat sheet from OWASP and have built a number of APIs myself so I know to look for HTTP methods, CSRF, sensitive data disclosure, input validation, SSL configs, etc. but am I missing anything? What techniques is everyone doing to go above and beyond to find an API vulnerability / exploit? Any recommended tools that do the job better than a good old intercepting proxy and curl?

jmbmxer
  • That cheat sheet is pretty good. I've had most results from injection, session management, and insecure direct object references. For SOAP services, SOAPui is pretty good, but I don't know an equivalent for REST. – paj28 Feb 06 '14 at 01:45

2 Answers

My favorite RESTful client is httpie (from Python sources). Easily get it via easy_install httpie or pip install httpie. There are a few REST clients/debuggers as Firefox add-ons (search via addons.mozilla.org).

While at a certain company, I recall using a WebInspect feature called "custom parameters" against RESTful Web Services, such as the REST-WS demo in the Maven Security Web Security Dojo virtual machine or the OWASP GoatDroid Project's use of JAX-RS. If you also have access to the Fortify SecurityScope product, you can use it to automatically create a WADL which in turn can be consumed by WebInspect RT. When testing large apps (e.g., greater than two million lines of code), this can be especially useful -- voice of experience here.

When you look at the SecToolMarket report, most of the tools that have under 9 input vectors cannot handle RESTful Web Services very well, and even the best ones (Burp Suite Professional, NTOSpider, IBM Appscan, etc) don't have a clear path to testing these interfaces/APIs. This is often why you'd want to use a tool like httpie (or curl) through them as an intercepting proxy, along with the appropriate API documentation (probably preferably in WADL format).

atdre
  • Netsparker now supports REST API testing -- https://www.netsparker.com/blog/docs-and-faqs/vulnerability-scan-rest-api-web-service-automatic/ -- but you need to upload your appdev team's WADL file or Swagger -- http://apigee.com/about/blog/technology/open-api-initiative-open-governance-swagger-specification -- file to the tool. Swagger has a few alternatives, including IODocs, APIBlueprint, and RAML -- perhaps Netsparker or other tools will support these at a later time – atdre Jun 23 '16 at 17:22
  • https://bbva.github.io/apicheck/ – atdre Oct 13 '20 at 15:58
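As an added example (not code from the answer or from any tool it names), the script below parses a WADL description of the kind the answer suggests supplying alongside the proxy session, turns it into an inventory of documented method/URL/parameter combinations, and reports which documented endpoints a proxy session has not yet exercised, so coverage of the documented surface can be checked before signing off. The WADL document and the host in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample WADL (not from the page), following the 2009/02 WADL schema
SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="https://api.example.test/v1/">
    <resource path="users">
      <method name="GET"/>
      <method name="POST">
        <request><param name="email" style="query" required="true"/></request>
      </method>
      <resource path="{id}">
        <param name="id" style="template"/>
        <method name="GET"/>
        <method name="DELETE"/>
      </resource>
    </resource>
  </resources>
</application>"""

NS = {"w": "http://wadl.dev.java.net/2009/02"}

def _walk(resource, base, inherited, out):
    """Recurse through nested <resource> elements, accumulating path and params."""
    path = base.rstrip("/") + "/" + resource.get("path", "").strip("/")
    params = inherited + [p.get("name") for p in resource.findall("w:param", NS)]
    for m in resource.findall("w:method", NS):
        req = [p.get("name") for p in m.findall("w:request/w:param", NS)]
        out.append({"method": m.get("name"), "url": path, "params": params + req})
    for child in resource.findall("w:resource", NS):
        _walk(child, path, params, out)

def inventory(wadl_text):
    """One dict per documented (method, URL) with the input vectors it declares."""
    root = ET.fromstring(wadl_text)
    out = []
    for resources in root.findall("w:resources", NS):
        for r in resources.findall("w:resource", NS):
            _walk(r, resources.get("base", ""), [], out)
    return out

def coverage_gaps(entries, exercised):
    """Documented endpoints absent from the (method, url) pairs seen via the proxy."""
    return [e for e in entries if (e["method"], e["url"]) not in exercised]

if __name__ == "__main__":
    seen = {("GET", "https://api.example.test/v1/users")}  # constructed proxy log
    for e in coverage_gaps(inventory(SAMPLE_WADL), seen):
        print(f'{e["method"]:6} {e["url"]}  params={e["params"]}')
```

The `params` list per entry is the set of documented input vectors to exercise for input-validation testing; the same walk works for any WADL that nests resources.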

You are missing one important thing:

giving end users training/information on data security

Phishing & Social Engineering are your biggest risk factors in any deployment

Danielle
  • Totally agree on user training and awareness. The question is really about technical controls and testing suggestions as that is really all I have control over in the pen testing world. – jmbmxer Feb 05 '14 at 22:57