The document discusses various types of malicious hacking attacks on APIs, including SQL injection, XPath injection, code injection, log injection, XML external entity injection, cross-site scripting (XSS), denial-of-service (DoS) attacks, checking user permissions, malformed XML, XML bombs, malicious attachments, fuzzing scans, and custom scripting. It provides brief descriptions of each attack type and references additional resources on API security best practices.
2. @GillerMichael
Security Scans Overview - Injection
SQL Injection: tries to exploit bad database integration coding
XPath Injection: tries to exploit bad XML processing inside your target service
3. Security Scans Overview - Injection
Code Injection: Watch out for those eval() functions!
Log Injection: Could be used to stir up false alarms
XML External Entity Injection: Vulnerabilities in XML parsing
4. Security Scans Overview - XSS
Cross Site Scripting (XSS): enables attackers to inject client-side script into Web pages viewed by other users.
Used to bypass same origin policy.
Could be used to plant a Trojan horse, get full access to user cookies and history, etc.
5. Security Scans Overview - DoS
A Denial-of-Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
– E.g. CyberBunker launched an all-out assault on the spam-fighting company Spamhaus
6. Security Scans Overview
Check user permissions: Make sure that your users can only access the information they need to access.
Watch out for sequential IDs
7. Security Scans Overview (Cont.)
Malformed XML: tries to exploit bad handling of invalid XML on your server or in your service
XML Bomb: tries to exploit bad handling of a malicious XML request (be careful)
Malicious Attachment: tries to exploit bad handling of attached files
8. Security Scans Overview (Cont.)
Fuzzing Scan: generates random input for specified request parameters for a specified number of requests
Custom Script: allows you to use a script for generating custom parameter fuzzing values
9. References:
• The SoapUI team had a great informational “Better Safe Than Sony” webinar discussing security. You can watch it here: http://www.soapui.org/soapUI-News/watch-yesterdays-webinar.html
• The Open Web Application Security Project (OWASP) published the top 10 most common types of attacks here: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
• Here are the attacks particular to REST: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Editor's notes
Injection is by far the most likely and most common type of attack hackers will attempt when probing your API for vulnerabilities. This slide talks about the different classes of injection attacks people may send against your API parameters.
To test how your APIs behave against these attacks, you can use SoapUI’s Security feature as shown here - http://www.soapui.org/Security/getting-started.html
Cross-site scripting (XSS) enables attackers to inject client-side script into your applications so that the script is served to and executed for other users. XSS may be used by attackers to bypass access controls such as the same origin policy.
This type of security attack has become more and more popular in recent years.
Check for this with SoapUI’s Cross Site Scripting test - http://www.soapui.org/Security/cross-site-scripting.html
You can mimic a denial-of-service (DoS) attack by creating a load test, either in SoapUI (http://www.soapui.org/Getting-Started/load-testing.html) or in our integration with LoadUI (http://www.loadui.com/Load-Testing-soapUI-Tests/getting-started-with-soapui-integration.html)
This can be tested with a functional test case in which you string steps together.
E.g.: Log in as User 1, post data, log out User 1. Log in as User 2, try to get User 1’s data, and check that you cannot.
To string API calls together, see - http://www.soapui.org/Working-with-soapUI/point-and-click-testing.html
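As an added example (not from the slides or from SoapUI), the step sequence above written as a Python check against a constructed in-memory API whose records get sequential IDs; RecordApi and horizontal_access_test are hypothetical names, and the enforce_owner flag switches between the weak build and the fixed authorization check:

```python
import secrets
from http import HTTPStatus


class RecordApi:
    """Constructed in-memory stand-in for the API under test (not a real service)."""

    def __init__(self, enforce_owner: bool):
        self.enforce_owner = enforce_owner  # False: weak build, True: fixed build
        self.sessions = {}                  # session token -> username
        self.records = {}                   # sequential id -> (owner, data): guessable ids
        self.next_id = 1

    def login(self, user: str) -> str:
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def post(self, token: str, data: str):
        user = self.sessions.get(token)
        if user is None:
            return HTTPStatus.UNAUTHORIZED, None
        rid, self.next_id = self.next_id, self.next_id + 1
        self.records[rid] = (user, data)
        return HTTPStatus.CREATED, rid

    def get(self, token: str, rid: int):
        user = self.sessions.get(token)
        if user is None:
            return HTTPStatus.UNAUTHORIZED, None
        if rid not in self.records:
            return HTTPStatus.NOT_FOUND, None
        owner, data = self.records[rid]
        if self.enforce_owner and owner != user:   # ownership check the weak build lacks
            return HTTPStatus.FORBIDDEN, None     # 404 here would also avoid confirming the id
        return HTTPStatus.OK, data


def horizontal_access_test(api: RecordApi) -> bool:
    """Run the slide's step sequence; True means User 2 was correctly denied User 1's data."""
    t1 = api.login("user1")
    status, rid = api.post(t1, "user1 private data")
    assert status == HTTPStatus.CREATED
    api.logout(t1)
    t2 = api.login("user2")
    status, data = api.get(t2, rid)  # the id is sequential, so probe it directly
    api.logout(t2)
    return status in (HTTPStatus.FORBIDDEN, HTTPStatus.NOT_FOUND) and data is None
```

Run the check against both builds: the weak build returns User 1's record to User 2 (test fails), the fixed build denies it (test passes).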
These can be tested with SoapUI security tests:
Malformed XML: http://www.soapui.org/Security/malformed-xml.html
XML Bomb: http://www.soapui.org/Security/xml-bomb.html
Malicious Attachment: http://www.soapui.org/Security/malicious-attachment.html
These can be tested with SoapUI security tests:
Fuzzing Scan: http://www.soapui.org/Security/fuzzing-scan.html
Custom Scan: http://www.soapui.org/Security/script-custom-scan.html
(If you can think of Security Tests outside of configurable offered scans, you can still use the framework to compose your own vulnerability checks)