This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"
(→References) |
m (Testing for WS HTTP GET parameters/REST attacks moved to Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)) |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 7: | Line 7: | ||
== Description of the Issue == | == Description of the Issue == | ||
− | Given that Web services | + | Given that REST Web services are in effect HTTP-In -> WS-Out, attack patterns, they are very similar to regular HTTP attack vectors, discussed throughout the guide. For example, in the following HTTP request with query string ''"/?viewDetail=detail-10293"'', the HTTP GET parameter is ''"detail-10293"''. |
==Black Box Testing and example== | ==Black Box Testing and example== | ||
Line 15: | Line 15: | ||
<nowiki>https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92</nowiki> | <nowiki>https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92</nowiki> | ||
− | The | + | The response would be similar to: |
<?xml version="1.0" encoding="ISO-8859-1"?> | <?xml version="1.0" encoding="ISO-8859-1"?> | ||
Line 26: | Line 26: | ||
Try vectors such as: | Try vectors such as: | ||
− | <nowiki>https://www.ws.com/accountinfo?accountnumber=12039475'</nowiki>''' exec master..xp_cmdshell 'net user Vxr pass /Add''' &userId=asi9485jfuhe92 | + | |
+ | <nowiki>https://www.ws.com/accountinfo?accountnumber=12039475'</nowiki>''' exec master..xp_cmdshell 'net user Vxr pass /Add'''&userId=asi9485jfuhe92 | ||
==Grey Box Testing and example== | ==Grey Box Testing and example== | ||
− | Upon the reception of | + | Upon the reception of an HTTP request the code should do the following: |
Check: | Check: | ||
# Maximum and minimum length | # Maximum and minimum length | ||
# Validate payload | # Validate payload | ||
− | # If possible implement the following data validation stratigies: "exact match", "known good" and "known bad", in this order. | + | # If possible, implement the following data validation stratigies: "exact match", "known good" and "known bad", in this order. |
# Validate parameter names and existence. | # Validate parameter names and existence. | ||
Latest revision as of 23:51, 15 December 2008
OWASP Testing Guide v3 Table of Contents
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
Brief Summary
Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as “REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing malicious content on the HTTP GET string (e.g., extra long parameters (2048 chars), SQL statements/injection (or OS Injection parameters).
Description of the Issue
Given that REST Web services are in effect HTTP-In -> WS-Out, attack patterns, they are very similar to regular HTTP attack vectors, discussed throughout the guide. For example, in the following HTTP request with query string "/?viewDetail=detail-10293", the HTTP GET parameter is "detail-10293".
Black Box Testing and example
Say we had a Web Service which accepts the following HTTP GET query string:
https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92
The response would be similar to:
<?xml version="1.0" encoding="ISO-8859-1"?> <Account="12039475"> <balance>€100</balance> <body>Bank of Bannana account info</body> </Account>
Testing the data validation on this REST web service is similar to generic application testing:
Try vectors such as:
https://www.ws.com/accountinfo?accountnumber=12039475' exec master..xp_cmdshell 'net user Vxr pass /Add&userId=asi9485jfuhe92
Grey Box Testing and example
Upon the reception of an HTTP request the code should do the following:
Check:
- Maximum and minimum length
- Validate payload
- If possible, implement the following data validation stratigies: "exact match", "known good" and "known bad", in this order.
- Validate parameter names and existence.
References
Withepapers
- The OWASP Fuzz vectors list