REST API
Intro - API
● HTTP API
● Way of sharing data over internet
● Problem:
– No standard way of implementing.
● Solution:
– REST architecture
REST
● Representational State Transfer.
● Term invented by Roy Fielding
● Standard way for implementing API.
● CRUD operations map directly to HTTP verbs.
REST architecture constraints
● Uniform interface
– Resource based
– Resource manipulation through representations
– Self-descriptive messages
– Hypermedia as the Engine of Application State (HATEOAS)
● Stateless
● Cacheable
● Client/Server
● Layered
● Code on Demand
REST API
● A collection of resources defined by 4 aspects:
– The base URI of the web service
– The content types supported by the web service
– The operations supported by the web service
– The API must be hypertext driven
Sample Request
Interaction - Request
● GET
– Collection: retrieve all resources, e.g. https://mysite.com/api/users
– Single entity: retrieve a single specific resource, e.g. https://mysite.com/api/users/1
● HEAD
– Collection: retrieve all resources (headers only)
– Single entity: retrieve a single specific resource (headers only)
● POST
– Collection: create a new resource in the collection, e.g. https://mysite.com/api/users
– Single entity: --
● PUT
– Collection: --
– Single entity: update/replace a resource, e.g. https://mysite.com/api/users/1
● PATCH
– Collection: --
– Single entity: update/modify a resource, e.g. https://mysite.com/api/users/1
● DELETE
– Collection: --
– Single entity: delete a resource, e.g. https://mysite.com/api/users/1
Interaction - Response
● The HTTP response code indicates the status of the operation requested by the client.
● Success Codes:
– 200 OK
– 201 Created
– 202 Accepted (Used for delete requests)
● User error codes:
– 400 - Bad Request (error/bad data)
– 401 - Unauthorized (this area requires authentication)
– 404 - Not Found
– 405 - Method Not Allowed (wrong HTTP method)
– 409 - Conflict (e.g. trying to create the same resource with a PUT request)
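The verb-to-CRUD table and the status codes above can be seen together in a small server-side dispatcher. The following is an added example, not code from the slides: an in-memory `/api/users` resource that returns the codes listed (200, 201, 202, 400, 404, 405, 409). The user fields, the duplicate-name rule behind the 409, and the path handling are assumptions made for the example.

```python
class UsersApi:
    """Tiny in-memory /api/users resource illustrating verb -> CRUD mapping.
    Added example with constructed data; not a real network server."""

    def __init__(self):
        self.users = {}   # id -> {"id": ..., "name": ...}
        self.next_id = 1

    def handle(self, method, path, body=None):
        """Process one request; returns (status_code, response_body)."""
        parts = [p for p in path.split("/") if p]
        # Only /api/users and /api/users/<id> exist on this server.
        if parts[:2] != ["api", "users"] or len(parts) > 3:
            return 404, {"error": "Not Found"}
        if len(parts) == 2:
            return self._collection(method, body)
        return self._single(method, parts[2], body)

    def _collection(self, method, body):
        if method in ("GET", "HEAD"):
            # HEAD carries the same status as GET but no body.
            return 200, (None if method == "HEAD" else list(self.users.values()))
        if method == "POST":
            if not isinstance(body, dict) or not isinstance(body.get("name"), str):
                return 400, {"error": "Bad Request"}
            if any(u["name"] == body["name"] for u in self.users.values()):
                return 409, {"error": "Conflict"}      # resource already exists
            uid, self.next_id = self.next_id, self.next_id + 1
            self.users[uid] = {"id": uid, "name": body["name"]}
            return 201, self.users[uid]
        # PUT/PATCH/DELETE are not defined on the collection itself.
        return 405, {"error": "Method Not Allowed"}

    def _single(self, method, raw_id, body):
        if not raw_id.isdigit():
            return 400, {"error": "Bad Request"}
        uid = int(raw_id)
        if method not in ("GET", "HEAD", "PUT", "PATCH", "DELETE"):
            return 405, {"error": "Method Not Allowed"}    # e.g. POST on one entity
        if uid not in self.users:
            return 404, {"error": "Not Found"}
        if method in ("GET", "HEAD"):
            return 200, (None if method == "HEAD" else self.users[uid])
        if method == "DELETE":
            del self.users[uid]
            return 202, None      # the slides use 202 Accepted for deletes
        if not isinstance(body, dict):
            return 400, {"error": "Bad Request"}
        if method == "PUT":
            # Replace the whole representation; the id always comes from the URL.
            if not isinstance(body.get("name"), str):
                return 400, {"error": "Bad Request"}
            self.users[uid] = {"id": uid, "name": body["name"]}
        else:
            # PATCH merges only the fields a client may change; "id" is ignored.
            allowed = {k: v for k, v in body.items() if k == "name" and isinstance(v, str)}
            self.users[uid].update(allowed)
        return 200, self.users[uid]


if __name__ == "__main__":
    api = UsersApi()
    print(api.handle("POST", "/api/users", {"name": "bruce"}))     # (201, {...})
    print(api.handle("GET", "/api/users/1"))                        # (200, {...})
    print(api.handle("PUT", "/api/users", {"name": "x"}))           # (405, {...})
    print(api.handle("DELETE", "/api/users/1"))                     # (202, None)
```

Two details worth noting for reviewers: the resource id is taken from the URL and never from the body (a PATCH that tries to set `"id": 99` is ignored), and an unsupported verb yields 405 rather than silently being treated as GET. Many real APIs answer a successful DELETE with 204 No Content; 202 is kept here to match the slide.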
Attacking REST API
Enumeration
Scenarios
● Documentation / programming guide is available.
– Check the authentication process implemented.
– Check the URL style used.
– Check HTTP headers (standard and non-standard).
– Analyze error codes and descriptions.
Scenarios
● Documentation / programming guide is NOT available.
– Record and analyze the interaction between the web application and the API using a local proxy.
– Check for HTTP headers.
– Analyze the URL pattern and POST request body for variables.
– Check for structured formats such as JSON, XML, YAML.
– Check cookies and authorization headers to get an idea of the authentication/authorization process.
– Google the captured API URL; you might find documentation online.
Attacks
Injection
SQL Injection
● Check for parameters used for querying the database.
– URL parameters
– POST request body
– HTTP headers
● Check for false positives, in case of filters.
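The root cause behind this slide is string concatenation of an API parameter into a query. The following added example (not from the slides) shows the vulnerable form beside the parameterized fix using Python's built-in `sqlite3`, plus the "false positive" trap the last bullet refers to: a legitimate value containing an apostrophe breaks the concatenated query with a syntax error, which is an availability bug but not an injection. The `users` table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the slides): an in-memory SQLite users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("bruce", "admin"), ("alfred", "user"), ("selina", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """BAD: the API parameter is spliced into the SQL text, so a quote in `name`
    changes the query's structure instead of being treated as data."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}' AND role = 'user'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """GOOD: a bound parameter stays a value no matter what characters it holds."""
    sql = "SELECT id, name FROM users WHERE name = ? AND role = 'user'"
    return conn.execute(sql, (name,)).fetchall()


def run_demo():
    """Exercise both versions with a normal value, the textbook test string,
    and a value that legitimately contains a quote."""
    conn = make_db()
    results = {
        "normal_safe": find_user_safe(conn, "alfred"),
        # The concatenated query loses its role filter and returns every row.
        "probe_vulnerable": find_user_vulnerable(conn, "x' OR 1=1 --"),
        # The bound query just looks for a user literally named that way.
        "probe_safe": find_user_safe(conn, "x' OR 1=1 --"),
        "quote_safe": find_user_safe(conn, "o'neil"),
    }
    try:
        results["quote_vulnerable"] = find_user_vulnerable(conn, "o'neil")
    except sqlite3.Error as exc:
        # The unbalanced quote breaks the statement: an error, not an injection.
        results["quote_vulnerable"] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

When triaging findings, the `quote_vulnerable` case is the one to be careful with: a 500 on an apostrophe proves the parameter reaches the query unescaped, but a filter that flags every apostrophe will also flag ordinary names. The fix is the same in both cases, binding the value instead of concatenating it.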
Authentication
● Basic Auth
● HMAC (Hash-based Message Authentication Code)
● OAuth
● Custom
Basic Auth
● Consider the user batman:batman@123
● Issues:
– Credentials are only Base64 encoded, not encrypted
– HTTPS required
– Credentials are sent with every request.
HMAC (Hash-based Message Authentication Code)
● hash_value = base64encode(hmac('sha256', 'password', 'GET+/api/v1/gotham'))
● Try to figure out what information is used to create the hash value.
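The expression on the slide, implemented as working code. This is an added example, not code from the slides: `sign()` computes exactly `base64(hmac_sha256('password', 'GET+/api/v1/gotham'))`, and `verify()` is the server-side check, using a constant-time comparison. Because the slide's message covers only the method and path, a captured signature stays valid for as long as the secret does; the optional `timestamp` argument is an assumed extension (not on the slide) that bounds that window.

```python
import base64
import hashlib
import hmac
import time


def sign(secret, method, path, timestamp=None):
    """Signature over "METHOD+PATH" as on the slide. The optional `timestamp`
    (an assumed extension, not on the slide) is appended to the signed string
    so that a captured signature is only accepted for a short time."""
    message = f"{method}+{path}"
    if timestamp is not None:
        message += f"+{timestamp}"
    digest = hmac.new(secret.encode(), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify(secret, method, path, presented, timestamp=None, now=None, max_skew=300):
    """Server-side check: recompute the signature from the request actually
    received and compare in constant time. When a timestamp is part of the
    scheme, reject requests outside the allowed clock skew before hashing."""
    if timestamp is not None:
        now = time.time() if now is None else now
        if abs(now - timestamp) > max_skew:
            return False
    expected = sign(secret, method, path, timestamp)
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    # Exactly the slide's example: secret 'password', request GET /api/v1/gotham
    sig = sign("password", "GET", "/api/v1/gotham")
    print(sig)
    print(verify("password", "GET", "/api/v1/gotham", sig))        # True
    print(verify("password", "GET", "/api/v1/arkham", sig))        # False: path changed
```

From the testing side, the slide's "figure out what is signed" step is exactly the question `verify()` answers for the defender: anything not in `message` (query string, body, headers, time) can be changed without invalidating the signature, so the signed string should cover every part of the request the server acts on.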
OAuth
● Issues
– Requires HTTPS
– Centered around bearer token.
– Refresh tokens
General test cases - Auth
● Replay an invalidated token.
● Check the token timeout.
● Try to obtain a token without the password field.
● Check for keys or credentials in the URL.
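The first three test cases correspond to three server-side properties: revoked tokens must not be accepted again, tokens must expire, and a token is never issued without a verified password. The following is an added example, not code from the slides, of a token service that has all three. Users, the TTL and the use of PBKDF2 for password storage are assumptions made for the example; the credentials `batman:batman@123` are the slide's own sample.

```python
import hashlib
import hmac
import os
import secrets
import time


class TokenService:
    """Issues opaque bearer tokens with a TTL and supports revocation.
    Added example with constructed users; not a real identity provider."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._users = {}    # username -> (salt, pbkdf2 hash of the password)
        self._tokens = {}   # sha256(token) -> (username, expires_at)

    @staticmethod
    def _pbkdf2(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _key(token):
        # Store only a hash of the token so a leaked table does not leak bearer tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._pbkdf2(password, salt))

    def issue(self, username, password, now=None):
        """Return a fresh token only when a password is present and correct.
        A missing or empty password field never yields a token."""
        if not password:
            return None
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._pbkdf2(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._tokens[self._key(token)] = (username, now + self.ttl)
        return token

    def authenticate(self, token, now=None):
        """Map a presented token to a username, or None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        record = self._tokens.get(self._key(token))
        if record is None:
            return None
        username, expires_at = record
        if now >= expires_at:
            self._tokens.pop(self._key(token), None)   # expired: drop it
            return None
        return username

    def revoke(self, token):
        """Invalidate a token (logout). Returns True if it was live."""
        return self._tokens.pop(self._key(token), None) is not None


if __name__ == "__main__":
    svc = TokenService(ttl_seconds=900)
    svc.add_user("batman", "batman@123")
    tok = svc.issue("batman", "batman@123", now=1000)
    print(svc.authenticate(tok, now=1500))     # batman
    print(svc.authenticate(tok, now=1900))     # None (expired)
```

The `now` parameter exists so the timeout behaviour can be exercised deterministically, which is the same thing a tester does by hand when checking whether a token issued an hour ago still works.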
Cross Site Scripting
● Server side encoding
● DOM XSS
● Totally dependent on client application.
Access Control
● Different HTTP methods.
● Resource identifiers: try manipulating them.
● Non-standard HTTP headers or URL parameters that signify the user role.
– Ex: UserType, IsAdmin
● POST request body
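Two of the bullets above describe the same server-side mistake: deciding authorization from something the client sends (a role header such as `IsAdmin`, or an unchecked resource id). The following added example, not from the slides, shows a handler that trusts those inputs next to one that resolves identity from the session, takes the role from server-side state, and enforces ownership. The sessions, roles and records are constructed sample data.

```python
# Constructed sample data for the example (not from the slides).
SESSIONS = {"tok-bruce": "bruce", "tok-alfred": "alfred"}   # bearer token -> user
ROLES = {"bruce": "admin", "alfred": "user"}                  # authoritative roles
RECORDS = {
    1: {"owner": "bruce", "note": "batcave plans"},
    2: {"owner": "alfred", "note": "pantry inventory"},
}


def _caller(headers):
    """Resolve the caller from the bearer token only; never from a role header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_record_vulnerable(headers, record_id):
    """BAD: trusts the client-supplied IsAdmin header, and serves any id to any
    authenticated caller (an insecure direct object reference)."""
    if headers.get("IsAdmin") == "true":
        return 200, RECORDS.get(record_id)
    if _caller(headers) is None:
        return 401, None
    return 200, RECORDS.get(record_id)       # no ownership check


def get_record_safe(headers, record_id):
    """GOOD: identity from the session, role from the server, ownership enforced."""
    user = _caller(headers)
    if user is None:
        return 401, None
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    if record["owner"] != user and ROLES.get(user) != "admin":
        # Some APIs answer 404 here so callers cannot confirm that the id exists.
        return 403, None
    return 200, record


if __name__ == "__main__":
    alfred = {"Authorization": "Bearer tok-alfred"}
    print(get_record_vulnerable(alfred, 1))    # (200, bruce's record): IDOR
    print(get_record_safe(alfred, 1))          # (403, None)
    print(get_record_safe({"IsAdmin": "true"}, 1))   # (401, None): header ignored
```

The test a reviewer wants is the one in `__main__`: the same request with a different user's id, and an anonymous request carrying only the role header. A correct implementation answers 403 (or 404) and 401 respectively; any 200 means the role or ownership decision is being made from client input.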
Rate Limit Implementation
Throttling
● Number of requests per access token per time window.
● HTTP response code 429 – Too Many Requests
● Check for:
– Anonymous vs. authenticated users.
– Different HTTP methods.
– Whether the client is temporarily blocked after too many error responses.
– HTTP headers related to rate limiting.
● Headers used for throttling:
– x-rate-limit-limit: maximum rate limit allowed for an API endpoint
– x-rate-limit-remaining: number of requests remaining in the time window
– x-rate-limit-reset: remaining time before the window resets
● Some variations
– X-RateLimit-UserLimit
– X-RateLimit-UserRemaining
– X-RateLimit-UserReset
– X-RateLimit-ClientLimit
– X-RateLimit-ClientRemaining
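A limiter that produces the behaviour described on the two throttling slides: a per-token limit per time window, separate limits for anonymous and authenticated callers, 429 Too Many Requests with the `x-rate-limit-*` headers when the window is exhausted, and a temporary block after too many client errors. This is an added example, not code from the slides; the fixed-window algorithm, the limit values and the `Retry-After` header are assumptions for the example.

```python
class RateLimiter:
    """Fixed-window limiter keyed by access token (or client address for anonymous
    callers). Added example; limits and algorithm are assumptions, not the slides'."""

    def __init__(self, limit_auth=100, limit_anon=10, window=60,
                 error_limit=20, block_seconds=300):
        self.limit_auth = limit_auth        # requests per window, authenticated
        self.limit_anon = limit_anon        # requests per window, anonymous
        self.window = window                # window length in seconds
        self.error_limit = error_limit      # 4xx responses per window before a block
        self.block_seconds = block_seconds  # how long a misbehaving client is blocked
        self._windows = {}        # key -> (window_start, request_count)
        self._errors = {}         # key -> (window_start, error_count)
        self._blocked_until = {}  # key -> epoch seconds

    @staticmethod
    def _headers(limit, remaining, reset):
        return {
            "x-rate-limit-limit": str(limit),
            "x-rate-limit-remaining": str(max(remaining, 0)),
            "x-rate-limit-reset": str(reset),
        }

    def check(self, key, authenticated, now):
        """Decide one incoming request. Returns (allowed, status, headers)."""
        limit = self.limit_auth if authenticated else self.limit_anon
        if self._blocked_until.get(key, 0) > now:
            retry = int(self._blocked_until[key] - now)
            headers = self._headers(limit, 0, retry)
            headers["Retry-After"] = str(retry)
            return False, 429, headers
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.window:          # window elapsed: start a new one
            start, count = now, 0
        reset = int(start + self.window - now)
        if count >= limit:
            self._windows[key] = (start, count)
            headers = self._headers(limit, 0, reset)
            headers["Retry-After"] = str(reset)
            return False, 429, headers
        self._windows[key] = (start, count + 1)
        return True, 200, self._headers(limit, limit - count - 1, reset)

    def record_error(self, key, now):
        """Call once per 4xx the client caused. Returns True when the client has
        just been blocked for producing too many errors in one window."""
        start, count = self._errors.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self._errors[key] = (start, count)
        if count >= self.error_limit:
            self._blocked_until[key] = now + self.block_seconds
            self._errors.pop(key, None)
            return True
        return False


if __name__ == "__main__":
    rl = RateLimiter(limit_anon=2, window=60)
    for t in (1000, 1001, 1002):
        print(rl.check("anon:203.0.113.9", authenticated=False, now=t))
```

The `now` argument is passed in rather than read from the clock so the reset behaviour can be tested deterministically; in a real deployment the key for anonymous callers is usually the client address, and the counters live in a shared store rather than in one process.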
SSL
● Check for a self-signed certificate.
● SSL pinning implemented at server side.
Information Disclosure
● Development/hosting platform info
● Stack traces
● Unintended information exposure (response body)
CSRF
● POST, PATCH, PUT, DELETE
● HTTP headers
– Ex: X-CSRF, X-CSRF-Token
● User controlled entity
– URL parameters, HTTP Referer header, etc.
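Putting the three bullets together on the server side: only the state-changing methods need the check, the `X-CSRF-Token` header must match a token bound to the caller's session, and the `Origin`/`Referer` headers, while set by the browser, should be validated rather than merely required. The following is an added example, not code from the slides; deriving the token as an HMAC of the session id, the `ALLOWED_ORIGIN` value and the `SERVER_SECRET` are assumptions for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
ALLOWED_ORIGIN = "https://mysite.com"          # constructed for the example
SERVER_SECRET = b"example-only-server-secret"  # constructed; load from config in practice


def csrf_token_for(session_id, server_secret=SERVER_SECRET):
    """Token handed to the page for a given session. Deriving it as an HMAC of
    the session id means the server need not store it, yet another session's
    token never validates (one common design; an assumption, not the slide's)."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(headers):
    """Prefer Origin; fall back to the scheme+host of Referer when Origin is absent."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(method, headers, session_id, server_secret=SERVER_SECRET):
    """Return (ok, reason) for one request. Safe methods pass; state-changing
    methods need a matching origin and a session-bound X-CSRF-Token header."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # A missing Origin/Referer is rejected rather than trusted: fail closed.
    if _origin_of(headers) != ALLOWED_ORIGIN:
        return False, "origin mismatch"
    presented = headers.get("X-CSRF-Token", "")
    expected = csrf_token_for(session_id, server_secret)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = csrf_token_for("sess-1")
    print(csrf_check("POST", {"Origin": ALLOWED_ORIGIN, "X-CSRF-Token": token}, "sess-1"))
    print(csrf_check("DELETE", {"Origin": "https://evil.example", "X-CSRF-Token": token}, "sess-1"))
    print(csrf_check("PATCH", {"Origin": ALLOWED_ORIGIN}, "sess-1"))
```

The Referer fallback is deliberately secondary: browsers strip it under many referrer policies, so a check that only looks for the header's presence (the "user controlled entity" bullet) is both bypassable and fragile. The session-bound token is the control that actually prevents a cross-site form or fetch from succeeding.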
