Attacking REST API
REST API
Intro- API
● HTTP API
● A way of sharing data over the internet.
● Problem:
– No standard way of implementing one.
● Solution:
– The REST architectural style.
REST
● Representational State Transfer.
● Term coined by Roy Fielding (in his 2000 doctoral dissertation).
● A widely adopted architectural style (not a formal standard) for implementing HTTP APIs.
● CRUD operations map directly onto HTTP methods (create = POST, read = GET, update = PUT/PATCH, delete = DELETE).
REST architecture constraints
● Uniform Interface
– Resource based
– Resource manipulation through representations.
– Self-descriptive messages
– Hypermedia as the Engine of Application State (HATEOAS)
● Stateless
● Cacheable
REST architecture constraints
● Client/Server
● Layered
● Code on Demand (optional)
REST API
● A collection of resources, described by four aspects:
– the base URI of the web service,
– the content types (media types) the web service supports,
– the operations the web service supports,
– hypertext-driven: responses carry links to related resources.
Sample Request
Interaction- Request

HTTP method | Collection                              | Single entity
GET         | Retrieve all resources                  | Retrieve a single specific resource
            | https://mysite.com/api/users            | https://mysite.com/api/users/1
HEAD        | Retrieve all resources (headers only)   | Retrieve a single specific resource (headers only)
POST        | Create a new resource in a collection   | --
            | https://mysite.com/api/users            |
PUT         | --                                      | Update/Replace a resource
            |                                         | https://mysite.com/api/users/1
PATCH       | --                                      | Update/Modify a resource
            |                                         | https://mysite.com/api/users/1
DELETE      | --                                      | Delete a resource
            |                                         | https://mysite.com/api/users/1
Interaction - Response
● The HTTP response code indicates the status of the operation the client requested.
● Success codes:
– 200 OK
– 201 Created (a new resource was created, typically by POST)
– 202 Accepted (the request was accepted for asynchronous processing, e.g. a deferred delete; it is not the usual answer to a DELETE that has already completed)
– 204 No Content (success with no response body; the common answer to DELETE)
Interaction - Response
● Client error codes:
– 400 Bad Request (malformed request/bad data)
– 401 Unauthorized (authentication is required or has failed)
– 403 Forbidden (authenticated, but not allowed to perform this operation)
– 404 Not Found
– 405 Method Not Allowed (wrong HTTP method for this resource)
– 409 Conflict (e.g. trying to create a resource that already exists with a PUT request)
Attacking REST API
Enumeration
Scenarios
● Documentation / programming guide is available.
– Check which authentication process is implemented.
– Check the URL style used.
– Check HTTP headers (standard and non-standard).
– Analyze error codes and their descriptions.
Scenarios
● Documentation / programming guide is NOT available.
– Record and analyze the interaction between the web application and the API using a local intercepting proxy.
– Check the HTTP headers.
– Analyze the URL pattern and POST request body for variables.
– Check for structured formats such as JSON, XML or YAML.
– Check cookies and authorization headers to work out the authentication/authorization process.
– Search the captured API URLs online; the documentation may be published.
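The analysis steps above can be automated over a proxy capture. The script below is an added example, not part of the original deck: it takes a constructed list of captured requests (hypothetical traffic against the deck's https://mysite.com/api/users URLs), collapses identifier segments into URL templates, and reports the methods per endpoint, the query variables, the authentication schemes seen, any non-standard headers, and the body formats. The STANDARD_HEADERS set and the id-detection regex are assumptions chosen for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of requests recorded with a local proxy (hypothetical traffic,
# not taken from any real application). Entries: (method, URL, request headers, body).
CAPTURE = [
    ("GET", "https://mysite.com/api/users/1",
     {"Authorization": "Bearer eyJhbGciOi...", "Accept": "application/json",
      "X-Client-Version": "4.2"}, ""),
    ("GET", "https://mysite.com/api/users/2?expand=roles",
     {"Authorization": "Bearer eyJhbGciOi...", "Accept": "application/json"}, ""),
    ("POST", "https://mysite.com/api/users",
     {"Cookie": "session=abc123", "Content-Type": "application/json",
      "X-CSRF-Token": "t0k3n"}, '{"name": "robin", "isAdmin": false}'),
    ("PATCH", "https://mysite.com/api/users/7",
     {"Authorization": "Basic YmF0bWFuOmJhdG1hbkAxMjM=", "Content-Type": "application/xml"},
     "<user><email>b@wayne.example</email></user>"),
]

# Headers that carry no fingerprinting value on their own; everything else is reported.
STANDARD_HEADERS = {"accept", "accept-encoding", "authorization", "connection",
                    "content-length", "content-type", "cookie", "host", "origin",
                    "referer", "user-agent"}


def templatize(path):
    """Collapse identifier-looking segments so /api/users/1 and /api/users/2 become one endpoint."""
    return "/".join("{id}" if re.fullmatch(r"\d+|[0-9a-f]{8,}", seg) else seg
                    for seg in path.split("/"))


def body_format(headers, body):
    """Guess the structured format from the Content-Type, falling back to the body's first byte."""
    if not body:
        return None
    ct = headers.get("Content-Type", "").lower()
    stripped = body.lstrip()
    if "json" in ct or stripped.startswith(("{", "[")):
        return "json"
    if "xml" in ct or stripped.startswith("<"):
        return "xml"
    if "x-www-form-urlencoded" in ct:
        return "form"
    return "unknown"


def analyze(capture):
    """Summarize endpoints, query variables, auth mechanisms, custom headers and body formats."""
    summary = {
        "endpoints": defaultdict(set),      # URL template -> methods seen
        "params": defaultdict(set),         # URL template -> query parameter names
        "auth": Counter(),                  # auth scheme -> request count
        "custom_headers": set(),            # non-standard request headers
        "body_formats": Counter(),          # json / xml / form / unknown
    }
    for method, url, headers, body in capture:
        parts = urlsplit(url)
        template = templatize(parts.path)
        summary["endpoints"][template].add(method)
        for name, _ in parse_qsl(parts.query):
            summary["params"][template].add(name)
        auth = headers.get("Authorization", "")
        if auth:
            summary["auth"][auth.split(" ", 1)[0]] += 1   # "Bearer", "Basic", ...
        if "Cookie" in headers:
            summary["auth"]["Cookie"] += 1
        for name in headers:
            if name.lower() not in STANDARD_HEADERS:
                summary["custom_headers"].add(name)
        fmt = body_format(headers, body)
        if fmt:
            summary["body_formats"][fmt] += 1
    return summary


if __name__ == "__main__":
    for key, value in analyze(CAPTURE).items():
        print(key, dict(value) if hasattr(value, "items") else sorted(value))
```

Feeding it a real proxy export (Burp or mitmproxy can both dump method, URL, headers and body) gives the endpoint inventory the rest of the deck's tests are run against; the custom-header and auth-scheme lists are the first places to look for role flags and token handling.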
Attacks
Injection
SQL Injection
● Check every parameter that may be used to query the database:
– URL parameters,
– POST request body,
– HTTP headers.
● Check for false positives where a filter or WAF is in place: compare the result of a true and a false condition rather than trusting a single error response.
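An added example (not code from the deck) of what the check looks like against a handler for GET /api/users?name=…: a deliberately vulnerable handler that concatenates the parameter into SQL, the parameterized form beside it, and a probe that sends a true and a false condition and compares row counts. The in-memory SQLite table and its three rows are constructed for this example; the boolean-differential rule in looks_injectable is the false-positive control the slide asks for, because a filter that simply errors on both payloads does not satisfy it.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the API's user table; not data from any real system."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                    [("batman", "b@wayne.example"), ("robin", "r@wayne.example"),
                     ("alfred", "a@wayne.example")])
    return con


def search_users_vulnerable(con, name):
    """Handler for GET /api/users?name=<name> that builds SQL by concatenation (the bug)."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def search_users_safe(con, name):
    """Same query with a bound parameter: the input can only ever be a value, never SQL."""
    return con.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Payloads a tester would place in the URL parameter, a body field or a header value.
PROBES = {
    "benign": "robin",
    "tautology": "x' OR '1'='1",           # true condition: MORE rows if injectable
    "contradiction": "robin' AND '1'='2",  # false condition: FEWER rows if injectable
    "comment": "x' OR 1=1 --",             # comments out the trailing quote
}


def probe(con, handler):
    """Row count per payload; a database error is recorded as -1 (filter, or broken SQL)."""
    counts = {}
    for label, payload in PROBES.items():
        try:
            counts[label] = len(handler(con, payload))
        except sqlite3.Error:
            counts[label] = -1
    return counts


def looks_injectable(counts):
    """Boolean differential test: a true condition returns more than the benign value AND a
    false condition returns less. A WAF that merely errors or blocks both payloads fails this
    test, which is what keeps it from reporting a false positive."""
    return counts["tautology"] > counts["benign"] > counts["contradiction"]


if __name__ == "__main__":
    db = make_db()
    for handler in (search_users_vulnerable, search_users_safe):
        counts = probe(db, handler)
        print(handler.__name__, counts, "injectable" if looks_injectable(counts) else "clean")
```

The same probe set applies unchanged to a body field or a header such as X-Forwarded-For; only the transport differs.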
Authentication
● Basic Auth
● HMAC (Hash-based Message Authentication Code)
● OAuth
● Custom
Basic Auth
● Consider user batman:batman@123
● Issues:
– Credentials are only Base64 encoded, not encrypted.
– HTTPS is therefore required.
– Credentials are sent with every request.
HMAC (Hash-based Message Authentication Code)
● hash_value = base64encode(hmac('sha256', 'password', 'GET+/api/v1/gotham'))
● Try to figure out which information goes into the signed string (method, path, body, timestamp, nonce): anything left out can be changed or replayed without invalidating the signature.
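The two slides above in working code, as an added example that is not part of the deck: decode_basic shows what the Basic header for the deck's batman:batman@123 user actually contains, sign_weak/verify_weak implement the HMAC scheme exactly as the slide writes it (HMAC-SHA256 over 'METHOD+/path', base64-encoded), and demo asks the two questions a tester asks of any signing scheme: does changing the body break the signature, and does an old signature still verify. The sign_strong/verify_strong pair is a hardened variant of my own, not something the deck describes; the secret, paths, bodies and timestamp are constructed.

```python
import base64
import hashlib
import hmac


def decode_basic(authorization_header):
    """Basic auth is encoding, not encryption: whoever sees the header has the password."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def sign_weak(secret, method, path):
    """The scheme on the slide: HMAC-SHA256 over 'METHOD+/path' only, base64-encoded."""
    mac = hmac.new(secret.encode(), f"{method}+{path}".encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_weak(secret, method, path, body, signature):
    """Server side of the weak scheme. The body is received but never enters the MAC."""
    return hmac.compare_digest(sign_weak(secret, method, path), signature)


def sign_strong(secret, method, path, body, timestamp):
    """Hardened variant (added here, not from the deck): bind the body hash and a timestamp too."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    canonical = f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()
    mac = hmac.new(secret.encode(), canonical, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_strong(secret, method, path, body, timestamp, signature, now, max_skew=300):
    """Reject stale signatures (replay window) and compare in constant time."""
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_strong(secret, method, path, body, timestamp)
    return hmac.compare_digest(expected, signature)


def demo(secret="batman@123"):
    """Tester's checks against both schemes; every value is constructed for this example."""
    method, path = "PATCH", "/api/v1/gotham"
    body, tampered = '{"alarm": "on"}', '{"alarm": "off"}'
    t0 = 1_700_000_000
    weak_sig = sign_weak(secret, method, path)
    strong_sig = sign_strong(secret, method, path, body, t0)
    return {
        # the captured signature still verifies with a different body: body is not covered
        "weak_accepts_tampered_body": verify_weak(secret, method, path, tampered, weak_sig),
        # and it verifies forever: there is no timestamp or nonce to expire
        "weak_accepts_replay": verify_weak(secret, method, path, body, weak_sig),
        "strong_rejects_tampered_body": not verify_strong(
            secret, method, path, tampered, t0, strong_sig, now=t0 + 5),
        "strong_rejects_stale_replay": not verify_strong(
            secret, method, path, body, t0, strong_sig, now=t0 + 3600),
        "strong_accepts_fresh_request": verify_strong(
            secret, method, path, body, t0, strong_sig, now=t0 + 5),
    }


if __name__ == "__main__":
    print(decode_basic("Basic YmF0bWFuOmJhdG1hbkAxMjM="))
    for check, result in demo().items():
        print(f"{check}: {result}")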
OAuth
● Issues
– Requires HTTPS.
– Centered around bearer tokens: whoever holds the token can use it.
– Refresh tokens are long-lived, so their storage and revocation matter.
General Test cases - Auth
● Replay an invalidated (logged-out or revoked) token.
● Check token timeout/expiry.
● Try to obtain a token without supplying the password field.
● Check for keys or credentials passed in the URL (they end up in logs, proxies and browser history).
Cross Site Scripting
● Server-side output encoding of API responses.
● DOM XSS in the client that renders the API data.
● Impact depends entirely on the client application consuming the API.
Access Control
● Try different HTTP methods on the same resource (e.g. a GET that is protected but a PUT or DELETE that is not).
● Manipulate the resource identifier (IDOR): request another user's /api/users/{id}.
● Look for non-standard HTTP headers or URL parameters that signify the user's role, and tamper with them.
– e.g. UserType, IsAdmin
● Look for role or ownership fields in the POST request body (mass assignment).
Rate Limit Implementation
Throttling
● Number of requests per access token per time window.
● HTTP response code 429 Too Many Requests.
● Check for:
– Different limits for anonymous and authenticated users.
– Different HTTP methods.
– Whether the client is temporarily blocked after too many error responses.
– HTTP headers related to rate limiting.
Throttling
● Headers used for throttling:
– x-rate-limit-limit: maximum number of requests allowed for an API endpoint in the window
– x-rate-limit-remaining: number of requests remaining in the current time window
– x-rate-limit-reset: time remaining before the window resets
● Some variations
– X-RateLimit-UserLimit
– X-RateLimit-UserRemaining
– X-RateLimit-UserReset
– X-RateLimit-ClientLimit
– X-RateLimit-ClientRemaining
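An added example of the behaviour the two throttling slides describe, written by me rather than taken from the deck: a sliding-window limiter keyed per access token (or per client address for anonymous callers), returning 429 with the limit/remaining/reset headers, plus a separate lock-out after repeated error responses. The limits (5 per minute authenticated, 2 anonymous, lock-out after 3 errors) are illustrative, and the header spelling follows the X-RateLimit-* variation from the slide; the hammer helper is the tester's view, sending a burst and recording where the 429s begin.

```python
from collections import deque


class Throttle:
    """Sliding-window limiter per key with X-RateLimit-* headers and an error lock-out.
    Constructed for this example; the limits are illustrative, not anyone's production values."""

    def __init__(self, limit_auth=5, limit_anon=2, window=60, max_errors=3):
        self.limits = {"auth": limit_auth, "anon": limit_anon}
        self.window = window
        self.max_errors = max_errors
        self.hits = {}      # key -> deque of request timestamps inside the window
        self.errors = {}    # key -> deque of error timestamps inside the window

    def _prune(self, table, key, now):
        """Drop timestamps that have fallen out of the window and return the live deque."""
        q = table.setdefault(key, deque())
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def record_error(self, key, now):
        """Call after answering this client with a 4xx (failed login, bad id, ...)."""
        self._prune(self.errors, key, now).append(now)

    def check(self, key, kind, now):
        """Return (status, headers) for one request; kind is 'auth' or 'anon'."""
        limit = self.limits[kind]
        errors = self._prune(self.errors, key, now)
        hits = self._prune(self.hits, key, now)
        headers = {"X-RateLimit-Limit": str(limit)}
        if len(errors) >= self.max_errors:          # too many errors: temporary block
            reset = errors[0] + self.window - now
        elif len(hits) >= limit:                    # quota for this window exhausted
            reset = hits[0] + self.window - now
        else:
            hits.append(now)
            headers["X-RateLimit-Remaining"] = str(limit - len(hits))
            headers["X-RateLimit-Reset"] = str(int(hits[0] + self.window - now))
            return 200, headers
        reset = max(int(reset), 1)
        headers.update({"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": str(reset),
                        "Retry-After": str(reset)})
        return 429, headers


def hammer(throttle, key, kind, n, start=0.0, spacing=1.0):
    """Tester's view: fire n requests at one key and record the status sequence."""
    return [throttle.check(key, kind, start + i * spacing)[0] for i in range(n)]


if __name__ == "__main__":
    t = Throttle()
    print("authenticated:", hammer(t, "tok-batman", "auth", 7))
    print("anonymous:   ", hammer(t, "203.0.113.9", "anon", 3))
```

When testing a real API, run the same burst once unauthenticated and once with a token, once per method, and then after a handful of deliberate 401s; a limiter that is missing any of those branches shows up as an unbroken run of 200s.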
SSL/TLS
● Check for a self-signed or otherwise untrusted certificate.
● Certificate pinning: check whether the client pins the server certificate. Pinning is a client-side control (the server cannot enforce it); an unpinned client can be intercepted by a proxy with a locally trusted CA.
Information Disclosure
● Development/hosting platform information (e.g. in Server or X-Powered-By headers).
● Stack traces in error responses.
● Unintended information exposure in the response body (fields the client never displays).
CSRF
● State-changing methods: POST, PATCH, PUT, DELETE.
● Anti-CSRF HTTP headers
– e.g. X-CSRF, X-CSRF-Token
● User-controlled entities the server may rely on
– URL parameters, the HTTP Referer header, etc.
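An added example, not part of the deck, that turns the CSRF slide into a triage rule for captured requests: a request is only forgeable cross-site when the browser attaches the credential on its own (a cookie or Basic auth, not a bearer header set by script), when a plain form or simple fetch can produce it without a CORS preflight, and when no anti-CSRF header is required. Origin/Referer validation cannot be judged from a single capture, so high-rated requests carry a note to confirm it by replaying the request with those headers changed. The sample requests are constructed; the rating labels are my own.

```python
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Content types a browser will send cross-site from a form or fetch without a CORS preflight.
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def csrf_triage(method, headers):
    """Rate one captured request as low / medium / high CSRF exposure, with the reason."""
    method = method.upper()
    h = {k.lower(): v for k, v in headers.items()}
    if method in SAFE_METHODS:
        return "low", "read-only method; only relevant if it has side effects"
    # ambient authority: the browser attaches cookies and Basic credentials by itself
    ambient = "cookie" in h or h.get("authorization", "").startswith("Basic ")
    if not ambient:
        return "low", "credential is a bearer/custom header that a cross-site page cannot make the browser attach"
    if any(k.startswith("x-csrf") for k in h) or "x-requested-with" in h:
        return "low", "anti-CSRF header present; verify the server rejects the request without it"
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    # PUT/PATCH/DELETE and non-simple content types (e.g. application/json) trigger a preflight
    if method != "POST" or (content_type and content_type not in SIMPLE_CONTENT_TYPES):
        return "medium", ("needs a CORS preflight; exploitable only if CORS is misconfigured "
                          "or the server also accepts a simple content type")
    return "high", ("state-changing, cookie-authenticated, form-producible, no token: "
                    "confirm Origin/Referer is not validated by replaying with them altered")


# Constructed sample requests (hypothetical) for triage: (method, request headers).
SAMPLES = {
    "form_post_with_cookie": ("POST", {"Cookie": "session=abc",
                                       "Content-Type": "application/x-www-form-urlencoded"}),
    "json_post_with_cookie": ("POST", {"Cookie": "session=abc", "Content-Type": "application/json"}),
    "delete_with_cookie": ("DELETE", {"Cookie": "session=abc"}),
    "post_with_bearer": ("POST", {"Authorization": "Bearer eyJ...", "Content-Type": "application/json"}),
    "post_with_token_header": ("POST", {"Cookie": "session=abc", "X-CSRF-Token": "t0k3n"}),
    "get_with_cookie": ("GET", {"Cookie": "session=abc"}),
}


def triage_all(samples):
    """Rating per sample name, for a quick overview of a capture."""
    return {name: csrf_triage(method, headers)[0] for name, (method, headers) in samples.items()}


if __name__ == "__main__":
    for name, (method, headers) in SAMPLES.items():
        rating, reason = csrf_triage(method, headers)
        print(f"{rating:6} {name}: {reason}")
```

The medium bucket is where JSON APIs usually land; the follow-up test there is to resend the same body with Content-Type: text/plain and see whether the server still parses it, which turns a preflighted request into a form-producible one.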