Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"
Revision as of 14:41, 15 November 2006
Brief Summary
Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as "REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing malicious content on the HTTP GET string (e.g. extra-long parameters (2048 chars), SQL statements/injection, or OS injection parameters).
Description of the Issue
Given that REST Web services are in effect HTTP in -> WS out, the attack patterns are very similar to the regular HTTP attack vectors discussed throughout the guide. For example, in the following HTTP request with query string /viewDetail=detail-10293, the HTTP GET parameter is detail-10293.
Black Box Testing and example
Say we had a Web Service which accepts the following HTTP GET query string:
https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92
The resultant response would be similar to:
<?xml version="1.0" encoding="ISO-8859-1"?>
<Account="12039475">
<balance>€100</balance>
<body>Bank of Bannana account info</body>
</Account>
Testing the data validation on this REST web service is similar to generic application testing:
Try vectors such as:
https://www.ws.com/accountinfo?accountnumber=12039475' exec master..xp_cmdshell 'net user Vxr pass /Add &userId=asi9485jfuhe92
Grey Box Testing and example
Upon the reception of an HTTP request the code should do the following:
Check:
- maximum length and minimum length
- Validate payload:
  - If possible, implement the following data validation strategies: "exact match", "known good" and "known bad", in that order.
- Validate parameter names and existence.
References
Whitepapers
- The OWASP Fuzz vectors list - http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors