This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
'''HTTP GET parameters.'''  
 
'''HTTP GET parameters.'''  
  
 +
===Brief Summary===
  
 
Many XML applications are invoked by passing them parameters using HTTP GET queries.
 
Many XML applications are invoked by passing them parameters using HTTP GET queries.
 +
These are sometimes known as “REST-style" Web Services. These Web Services can be attacked by  passing malicious content on the HTTP GET string (e.g. Extra long parameters (2048 chars), SQL statements/injection or OS Injection parameters).
 +
REST = Representational State Transfer).
 +
 +
 +
=== Description of the Issue ===
 +
Given that Web services REST are in effect HTTP-In -> WS-OUT at attack patterns are very similar to regular HTTP attack vectors, discussed throughout the guide.
 +
 +
'''Example:'''
 +
The HTTP request with query string /viewDetail=detail-10293, the HTTP GET parameter is ''detail- 10293''.
  
Example:
+
===Black Box Testing===
The HTTP request with query string /viewDetail=detail-10293, the HTTP GET parameter is detail- 10293).
 
  
These are sometimes known as “REST-style" Web Services. These Web Services can be attacked by  passing malicious content on the HTTP GET string (e.g. Extra long parameters (2048 chars), SQL statements/injection or OS Injection parameters).
+
===Grey Box Testing===
(REST = Representational State Transfer).
+
 
 +
===References===

Revision as of 10:58, 2 November 2006

HTTP GET parameters.

Brief Summary

Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as “REST-style" Web Services. These Web Services can be attacked by passing malicious content on the HTTP GET string (e.g. Extra long parameters (2048 chars), SQL statements/injection or OS Injection parameters). REST = Representational State Transfer).


Description of the Issue

Given that Web services REST are in effect HTTP-In -> WS-OUT at attack patterns are very similar to regular HTTP attack vectors, discussed throughout the guide.

Example: The HTTP request with query string /viewDetail=detail-10293, the HTTP GET parameter is detail- 10293.

Black Box Testing

Grey Box Testing

References

Retrieved from "https://wiki.owasp.org/index.php?title=Testing_for_WS_HTTP_GET_parameters/REST_attacks_(OWASP-WS-005)&oldid=11412"