Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"

Latest revision as of 23:51, 15 December 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

1 Brief Summary
2 Description of the Issue
3 Black Box Testing and example
4 Grey Box Testing and example
5 References

Brief Summary

Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as “REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing malicious content on the HTTP GET string (e.g., extra long parameters (2048 chars), SQL statements/injection (or OS Injection parameters).

Description of the Issue

Given that REST Web services are in effect HTTP-In -> WS-Out, attack patterns, they are very similar to regular HTTP attack vectors, discussed throughout the guide. For example, in the following HTTP request with query string "/?viewDetail=detail-10293", the HTTP GET parameter is "detail-10293".

Black Box Testing and example

Say we had a Web Service which accepts the following HTTP GET query string:

https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92

The response would be similar to:

<?xml version="1.0" encoding="ISO-8859-1"?>
<Account="12039475">
<balance>€100</balance>
<body>Bank of Bannana account info</body>
</Account>

Testing the data validation on this REST web service is similar to generic application testing:

Try vectors such as:

https://www.ws.com/accountinfo?accountnumber=12039475' exec master..xp_cmdshell 'net user Vxr pass /Add&userId=asi9485jfuhe92

Grey Box Testing and example

Upon the reception of an HTTP request the code should do the following:

Check:

Maximum and minimum length
Validate payload
If possible, implement the following data validation stratigies: "exact match", "known good" and "known bad", in this order.
Validate parameter names and existence.

References

Withepapers

The OWASP Fuzz vectors list

@@ Line 1: / Line 1: @@
-[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br>
+{{Template:OWASP Testing Guide v3}}
-{{Template:OWASP Testing Guide v2}}
-'''HTTP GET parameters.'''
+==Brief Summary==
-===Brief Summary===
 Many XML applications are invoked by passing them parameters using HTTP GET queries.
-These are sometimes known as “REST-style" Web Services. These Web Services can be attacked by  passing malicious content on the HTTP GET string (e.g. Extra long parameters (2048 chars), SQL statements/injection or OS Injection parameters).
+These are sometimes known as “REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by  passing malicious content on the HTTP GET string (e.g., extra long parameters (2048 chars), SQL statements/injection (or OS Injection parameters).
-REST = Representational State Transfer).
+== Description of the Issue ==
+Given that REST Web services are in effect HTTP-In -> WS-Out, attack patterns, they are very similar to regular HTTP attack vectors, discussed throughout the guide. For example, in the following HTTP request with query string ''"/?viewDetail=detail-10293"'', the HTTP GET parameter is ''"detail-10293"''.
-=== Description of the Issue ===
+==Black Box Testing and example==
-Given that Web services REST are in effect HTTP-In -> WS-OUT at attack patterns are very similar to regular HTTP attack vectors, discussed throughout the guide.
-'''Example:'''
+Say we had a Web Service which accepts the following HTTP GET query string:
-The HTTP request with query string /viewDetail=detail-10293, the HTTP GET parameter is ''detail- 10293''.
-===Black Box Testing===
-Say we had a Web Service which accepts the following HTTP GET query string:
+ <nowiki>https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92</nowiki>
-https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92
-The resultant response would be similar to:
+The response would be similar to:
   <?xml version="1.0" encoding="ISO-8859-1"?>
@@ Line 33: / Line 26: @@
 Try vectors such as:
-<nowiki>https://www.ws.com/accountinfo?accountnumber=12039475'</nowiki>''' exec master..xp_cmdshell 'net user Vxr pass /Add''' &userId=asi9485jfuhe92
+ <nowiki>https://www.ws.com/accountinfo?accountnumber=12039475'</nowiki>''' exec master..xp_cmdshell 'net user Vxr pass /Add'''&userId=asi9485jfuhe92
-===Grey Box Testing===
-Upon the reception of a HTTP request the code should do the following:
+==Grey Box Testing and example==
+Upon the reception of an HTTP request the code should do the following:
 Check:
-# max length and minimum length
+# Maximum and minimum length
-# Validate payload:
+# Validate payload
-# If possible implement the following data validation stratigies; "exact match", "known good" and "known bad" in that order.
+# If possible, implement the following data validation stratigies: "exact match", "known good" and "known bad", in this order.
-# Validate parameter names and existance.
+# Validate parameter names and existence.
-===References===
-The OWASP Fuzz vectors list:
-[http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors]
-{{Category:OWASP Testing Project AoC}}
+==References==
+'''Withepapers'''
+* The OWASP [[OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors|Fuzz vectors]] list

Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"

Latest revision as of 23:51, 15 December 2008

Brief Summary

Description of the Issue

Black Box Testing and example

Grey Box Testing and example

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools