This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"
(→References) |
|||
Line 36: | Line 36: | ||
===References=== | ===References=== | ||
+ | The OWASP Fuzz vectors list: | ||
+ | [http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors] |
Revision as of 13:55, 2 November 2006
HTTP GET parameters.
Brief Summary
Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as “REST-style" Web Services. These Web Services can be attacked by passing malicious content on the HTTP GET string (e.g. Extra long parameters (2048 chars), SQL statements/injection or OS Injection parameters). REST = Representational State Transfer).
Description of the Issue
Given that Web services REST are in effect HTTP-In -> WS-OUT at attack patterns are very similar to regular HTTP attack vectors, discussed throughout the guide.
Example: The HTTP request with query string /viewDetail=detail-10293, the HTTP GET parameter is detail- 10293.
Black Box Testing
Say we had a Web Service which accepts the following HTTP GET query string: https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92
The resultant response would be similar to:
<?xml version="1.0" encoding="ISO-8859-1"?> <Account="12039475"> <balance>€100</balance> <body>Bank of Bannana account info</body> </Account>
Testing the data validation on this REST web service is similar to generic application testing:
Try vectors such as: https://www.ws.com/accountinfo?accountnumber=12039475' exec master..xp_cmdshell 'net user Vxr pass /Add &userId=asi9485jfuhe92
Grey Box Testing
References
The OWASP Fuzz vectors list: [1]