SlideShare a Scribd company logo

Pentesting ReST API

Download as PPTX, PDF
Nutan Kumar Panda, profile picture
Nutan Kumar Panda

The document provides an overview of a presentation on pentesting REST APIs. The presentation will cover basic theory, personal experience, methodology, tools used, test beds, example vulnerabilities, common findings, and include hands-on demos. The presentation will discuss both SOAP and REST APIs, pentesting approaches, tools like Postman and Burp Suite, example test beds like Hackazon and Mutillidae, and common API vulnerabilities like information disclosure, IDOR, and token issues.

Technology
1 of 14
Downloaded 301 times
1
2
Most read
3
4
5
6
7
8
9
10
11
12
Most read
13
14
Most read
PENTESTING REST API null Bangalore Meet
Introduction ■ Nutan Kumar Panda ■ Aka @TheOsintGuy ■ Senior Information Security Engineer ■ Osint Enthusiast ■ Presenter at BH US/ BIU Israel/ GroundZero Summit/ CISO Summit etc ■ Co-Author of book “HackingWeb Intelligence ” ■ Contributor of DataSploit project ■ Active Contributor of null BangaloreChapter
What can you expect? ■ BasicTheory ■ My personal Experience ■ Approach ■ Tools to trade ■ Test beds ■ One Example to think out of the box ■ Some Common Findings ■ Hands on Demos
Web Services ■ SOAP ■ Components – ServiceConsumer – Service Provider – XML (Extensible Markup Language) – SOAP (SimpleObject Access Protocol) – WSDL (Web Services Description Language) – UDDI (Universal Description, Discovery and Integration) ■ http://resources.infosecinstitute.com/web-services- penetration-testing-part-1/ ■ ReST ■ Components – Resources (example.com/users/1) – Verbs (CRUD/ POGPUD) – MediaType (Application/Json) – Status Codes (200,201,404 etc) – Authentication (Oauth) – http://www.slideshare.net/null0x00/o-auth- tokens ■ http://www.slideshare.net/null0x00/pentesting- restful-webservices-v10 http://www.slideshare.net/PraveenKumarKOSCP/introduction-to-web-services-penetration- testing (page 3)
How I Started? https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Approach ■ Do not jump to testing by getting an end point or set of end points ■ Ask for the documentation ■ Ask for the sample request response/ Postman collection ■ Ask for any particular header needed ■ Ask for token or any specific parameter or values for a parameter (to get in right flow) ■ Ask for the workflows (Sometime workflows are bound you can not direct jump to a web services and test you need some data that u get from other end points) ■ Its not only about fuzzing parameters
Tools to trade ■ ReST Client (Plug in) ■ Postman (App and Plugin) ■ Burp (ZAP/ Charles/ IronWASP or any other interception proxy) ■ Hurl.it (Online rest client) ■ SoapUI (https://www.youtube.com/watch?v=XV7WW0bDy9c) ■ Fuzzapi (https://github.com/lalithr95/Fuzzapi) Just presented just day before at AppSec USA by Abhijeet n Lalith – http://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using- fuzzapi – If you like this tool just spread the word with #fuzzapi
Test Beds ■ Hackazon – Code: https://github.com/rapid7/hackazon – WebVersion: http://hackazon.webscantest.com/ – There is an apk also: https://github.com/rapid7/hackazon/tree/master/web/app.apk – YoutubeVideo: https://www.youtube.com/watch?v=Yekzm0Olc3Y (Demo starts 24:00) ■ Mutillidae – Code: https://sourceforge.net/projects/mutillidae/ – Video: https://www.youtube.com/watch?v=e6HAQnvuaic ■ DVWS – Code : https://github.com/snoopythesecuritydog/dvws – Tutorial: https://kali.tools/?p=1729
Example POST example.com/users/view/253 { “user”:”adam”, “role”:”tester” }
Common Finding ■ Enumeration ■ Rate limiting not implemented ■ Information Disclosure ■ POST to GET conversion (Method Conversion) ■ IDOR ■ SQLI ■ Authorization Flaws ■ Token related issues (Expiry, reuse, predictable etc)
Demo
Questions
References ■ https://www.soapui.org/testing-dojo/world-of-api-testing/soap-vs--rest- challenges.html ■ http://cybersecology.com/hackazon-review/ ■ http://cybersecology.com/2014/11/googles-firing-range-test-site/ ■ http://www.slideshare.net/SmartBear_Software/getting-started-with-api-security- testing ■ http://www.slideshare.net/ask4answers/rest-api-testing-with-specflow ■ http://www.slideshare.net/stormpath/rest-api-security ■ http://www.slideshare.net/taiseerjoudeh/http-services-security
Thanks

More Related Content

PDF
Api security-testing
n|u - The Open Security Community
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PDF
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
PDF
OWASP API Security Top 10 - API World
42Crunch
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
PPTX
Getting Started with API Security Testing
SmartBear
 
PPTX
Deep dive into ssrf
n|u - The Open Security Community
 
PPTX
SSRF For Bug Bounties
OWASP Nagpur
 
Api security-testing
n|u - The Open Security Community
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
OWASP API Security Top 10 - API World
42Crunch
 
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Getting Started with API Security Testing
SmartBear
 
Deep dive into ssrf
n|u - The Open Security Community
 
SSRF For Bug Bounties
OWASP Nagpur
 

What's hot (20)

PPTX
Attacking thru HTTP Host header
Sergey Belov
 
PPTX
I hunt sys admins 2.0
Will Schroeder
 
PPTX
Rest API Security
Stormpath
 
PPS
Security testing
Tabăra de Testare
 
PPTX
Command injection
penetration Tester
 
PDF
Red Team Methodology - A Naked Look
Jason Lang
 
PPTX
Waf bypassing Techniques
Avinash Thapa
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
PPTX
SSRF exploit the trust relationship
n|u - The Open Security Community
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
PDF
SSRF workshop
Ivan Novikov
 
PPTX
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
PPTX
Bug Bounty 101
Shahee Mirza
 
PDF
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
PDF
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
PDF
Web Application Penetration Testing
Priyanka Aash
 
PDF
OWASP API Security Top 10 Examples
42Crunch
 
PPTX
Bug bounty
n|u - The Open Security Community
 
PDF
HTTP Request Smuggling via higher HTTP versions
neexemil
 
PPTX
Sql injections - with example
Prateek Chauhan
 
Attacking thru HTTP Host header
Sergey Belov
 
I hunt sys admins 2.0
Will Schroeder
 
Rest API Security
Stormpath
 
Security testing
Tabăra de Testare
 
Command injection
penetration Tester
 
Red Team Methodology - A Naked Look
Jason Lang
 
Waf bypassing Techniques
Avinash Thapa
 
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
SSRF exploit the trust relationship
n|u - The Open Security Community
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
SSRF workshop
Ivan Novikov
 
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Bug Bounty 101
Shahee Mirza
 
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Web Application Penetration Testing
Priyanka Aash
 
OWASP API Security Top 10 Examples
42Crunch
 
Bug bounty
n|u - The Open Security Community
 
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Sql injections - with example
Prateek Chauhan
 
Ad

Viewers also liked (20)

PPTX
Automated API pentesting using fuzzapi
Abhijeth D
 
PDF
Pentesting RESTful WebServices v1.0
n|u - The Open Security Community
 
PDF
Pentesting RESTful webservices
Mohammed A. Imran
 
PDF
Securty Testing For RESTful Applications
Source Conference
 
PDF
API Testing
Bikash Sharma
 
PPTX
REST API testing with SpecFlow
Aiste Stikliute
 
PPTX
HTTP Services & REST API Security
Taiseer Joudeh
 
PPTX
Newbytes NullHyd
n|u - The Open Security Community
 
PPTX
Api testing
Keshav Kashyap
 
PDF
JSON Injection
n|u - The Open Security Community
 
PDF
Api testing
test test
 
PDF
4 Major Advantages of API Testing
QASource
 
PPTX
JSON SQL Injection and the Lessons Learned
Kazuho Oku
 
PPTX
Getting started with CFEngine - Webinar
CFEngine
 
PPT
WCF And ASMX Web Services
Manny Siddiqui MCS, MBA, PMP
 
PDF
Attack chaining for web exploitation #c0c0n2015
Abhijeth D
 
PDF
API TEST
copremesis
 
PDF
OAuth Tokens
n|u - The Open Security Community
 
PDF
API TEST
copremesis
 
PPTX
Hacker's jargons
n|u - The Open Security Community
 
Automated API pentesting using fuzzapi
Abhijeth D
 
Pentesting RESTful WebServices v1.0
n|u - The Open Security Community
 
Pentesting RESTful webservices
Mohammed A. Imran
 
Securty Testing For RESTful Applications
Source Conference
 
API Testing
Bikash Sharma
 
REST API testing with SpecFlow
Aiste Stikliute
 
HTTP Services & REST API Security
Taiseer Joudeh
 
Newbytes NullHyd
n|u - The Open Security Community
 
Api testing
Keshav Kashyap
 
JSON Injection
n|u - The Open Security Community
 
Api testing
test test
 
4 Major Advantages of API Testing
QASource
 
JSON SQL Injection and the Lessons Learned
Kazuho Oku
 
Getting started with CFEngine - Webinar
CFEngine
 
WCF And ASMX Web Services
Manny Siddiqui MCS, MBA, PMP
 
Attack chaining for web exploitation #c0c0n2015
Abhijeth D
 
API TEST
copremesis
 
OAuth Tokens
n|u - The Open Security Community
 
API TEST
copremesis
 
Hacker's jargons
n|u - The Open Security Community
 
Ad

Similar to Pentesting ReST API (20)

PPTX
Scraping the web with Laravel, Dusk, Docker, and PHP
Paul Redmond
 
PPTX
Основы нагрузочного тестирования с инструментом Jmeter
Компьютерная школа Hillel
 
PDF
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
PDF
Node.js Course 2 of 2 - Advanced techniques
Manuel Eusebio de Paz Carmona
 
ODP
Mobile+API
Miguel Paraz
 
PDF
Using the new WordPress REST API
Caldera Labs
 
PDF
Public PaaS Throwdown!
Ronak Mallik
 
PDF
Client-Side Performance Testing
Anand Bagmar
 
PPTX
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
PPTX
SOA Testing
Roopesh Kohad
 
PDF
Microsoft power point automation-opensourcetestingtools_matrix-1
tactqa
 
PDF
Microsoft power point automation-opensourcetestingtools_matrix-1
tactqa
 
PPTX
Introduction to Penetration Testing
Andrew McNicol
 
ODP
Owasp owtf the offensive (web) testing framework + ptes penetration testing e...
Mauro Risonho de Paula Assumpcao
 
PDF
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
PPTX
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
PDF
Modern Tools for API Testing, Debugging and Monitoring
Neil Mansilla
 
PDF
Expressive Microservice Framework Blastoff
Adam Culp
 
PDF
Developing Brilliant and Powerful APIs in Ruby & Python
SmartBear
 
PDF
Great APIs - Future of Your Progress App
Gabriel Lucaciu
 
Scraping the web with Laravel, Dusk, Docker, and PHP
Paul Redmond
 
Основы нагрузочного тестирования с инструментом Jmeter
Компьютерная школа Hillel
 
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
Node.js Course 2 of 2 - Advanced techniques
Manuel Eusebio de Paz Carmona
 
Mobile+API
Miguel Paraz
 
Using the new WordPress REST API
Caldera Labs
 
Public PaaS Throwdown!
Ronak Mallik
 
Client-Side Performance Testing
Anand Bagmar
 
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
SOA Testing
Roopesh Kohad
 
Microsoft power point automation-opensourcetestingtools_matrix-1
tactqa
 
Microsoft power point automation-opensourcetestingtools_matrix-1
tactqa
 
Introduction to Penetration Testing
Andrew McNicol
 
Owasp owtf the offensive (web) testing framework + ptes penetration testing e...
Mauro Risonho de Paula Assumpcao
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
Modern Tools for API Testing, Debugging and Monitoring
Neil Mansilla
 
Expressive Microservice Framework Blastoff
Adam Culp
 
Developing Brilliant and Powerful APIs in Ruby & Python
SmartBear
 
Great APIs - Future of Your Progress App
Gabriel Lucaciu
 

More from Nutan Kumar Panda (15)

PPTX
Dark Arts Of Social Engineering
Nutan Kumar Panda
 
PPTX
OSINT Black Magic: Listen who whispers your name in the dark!!!
Nutan Kumar Panda
 
PPTX
Rapid Android Application Security Testing
Nutan Kumar Panda
 
PDF
Win 8 password cracking
Nutan Kumar Panda
 
DOCX
Backtrack Manual Part10
Nutan Kumar Panda
 
DOCX
Backtrack Manual Part9
Nutan Kumar Panda
 
DOCX
Backtrack Manual Part8
Nutan Kumar Panda
 
DOCX
Backtrack Manual Part7
Nutan Kumar Panda
 
DOCX
Backtrack Manual Part6
Nutan Kumar Panda
 
DOCX
Backtrack Manual Part5
Nutan Kumar Panda
 
DOCX
Backtrack Manual Part4
Nutan Kumar Panda
 
DOCX
Backtrack Manual Part3
Nutan Kumar Panda
 
DOCX
Backtrack Manual Part2
Nutan Kumar Panda
 
DOCX
Backtrack manual Part1
Nutan Kumar Panda
 
DOCX
Google Hack
Nutan Kumar Panda
 
Dark Arts Of Social Engineering
Nutan Kumar Panda
 
OSINT Black Magic: Listen who whispers your name in the dark!!!
Nutan Kumar Panda
 
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Win 8 password cracking
Nutan Kumar Panda
 
Backtrack Manual Part10
Nutan Kumar Panda
 
Backtrack Manual Part9
Nutan Kumar Panda
 
Backtrack Manual Part8
Nutan Kumar Panda
 
Backtrack Manual Part7
Nutan Kumar Panda
 
Backtrack Manual Part6
Nutan Kumar Panda
 
Backtrack Manual Part5
Nutan Kumar Panda
 
Backtrack Manual Part4
Nutan Kumar Panda
 
Backtrack Manual Part3
Nutan Kumar Panda
 
Backtrack Manual Part2
Nutan Kumar Panda
 
Backtrack manual Part1
Nutan Kumar Panda
 
Google Hack
Nutan Kumar Panda
 

Recently uploaded (20)

PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
A Presentation on Artificial Intelligence
memembruh336
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Encapsulation theory and applications.pdf
gurumoop
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Approach and Philosophy of On baking technology
30anthuong17
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 

Pentesting ReST API

  • 2. Introduction ■ Nutan Kumar Panda ■ Aka @TheOsintGuy ■ Senior Information Security Engineer ■ Osint Enthusiast ■ Presenter at BH US/ BIU Israel/ GroundZero Summit/ CISO Summit etc ■ Co-Author of book “HackingWeb Intelligence ” ■ Contributor of DataSploit project ■ Active Contributor of null BangaloreChapter
  • 3. What can you expect? ■ BasicTheory ■ My personal Experience ■ Approach ■ Tools to trade ■ Test beds ■ One Example to think out of the box ■ Some Common Findings ■ Hands on Demos
  • 4. Web Services ■ SOAP ■ Components – ServiceConsumer – Service Provider – XML (Extensible Markup Language) – SOAP (SimpleObject Access Protocol) – WSDL (Web Services Description Language) – UDDI (Universal Description, Discovery and Integration) ■ http://resources.infosecinstitute.com/web-services- penetration-testing-part-1/ ■ ReST ■ Components – Resources (example.com/users/1) – Verbs (CRUD/ POGPUD) – MediaType (Application/Json) – Status Codes (200,201,404 etc) – Authentication (Oauth) – http://www.slideshare.net/null0x00/o-auth- tokens ■ http://www.slideshare.net/null0x00/pentesting- restful-webservices-v10 http://www.slideshare.net/PraveenKumarKOSCP/introduction-to-web-services-penetration- testing (page 3)
  • 6. Approach ■ Do not jump to testing by getting an end point or set of end points ■ Ask for the documentation ■ Ask for the sample request response/ Postman collection ■ Ask for any particular header needed ■ Ask for token or any specific parameter or values for a parameter (to get in right flow) ■ Ask for the workflows (Sometime workflows are bound you can not direct jump to a web services and test you need some data that u get from other end points) ■ Its not only about fuzzing parameters
  • 7. Tools to trade ■ ReST Client (Plug in) ■ Postman (App and Plugin) ■ Burp (ZAP/ Charles/ IronWASP or any other interception proxy) ■ Hurl.it (Online rest client) ■ SoapUI (https://www.youtube.com/watch?v=XV7WW0bDy9c) ■ Fuzzapi (https://github.com/lalithr95/Fuzzapi) Just presented just day before at AppSec USA by Abhijeet n Lalith – http://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using- fuzzapi – If you like this tool just spread the word with #fuzzapi
  • 8. Test Beds ■ Hackazon – Code: https://github.com/rapid7/hackazon – WebVersion: http://hackazon.webscantest.com/ – There is an apk also: https://github.com/rapid7/hackazon/tree/master/web/app.apk – YoutubeVideo: https://www.youtube.com/watch?v=Yekzm0Olc3Y (Demo starts 24:00) ■ Mutillidae – Code: https://sourceforge.net/projects/mutillidae/ – Video: https://www.youtube.com/watch?v=e6HAQnvuaic ■ DVWS – Code : https://github.com/snoopythesecuritydog/dvws – Tutorial: https://kali.tools/?p=1729
  • 10. Common Finding ■ Enumeration ■ Rate limiting not implemented ■ Information Disclosure ■ POST to GET conversion (Method Conversion) ■ IDOR ■ SQLI ■ Authorization Flaws ■ Token related issues (Expiry, reuse, predictable etc)
  • 11. Demo
  • 13. References ■ https://www.soapui.org/testing-dojo/world-of-api-testing/soap-vs--rest- challenges.html ■ http://cybersecology.com/hackazon-review/ ■ http://cybersecology.com/2014/11/googles-firing-range-test-site/ ■ http://www.slideshare.net/SmartBear_Software/getting-started-with-api-security- testing ■ http://www.slideshare.net/ask4answers/rest-api-testing-with-specflow ■ http://www.slideshare.net/stormpath/rest-api-security ■ http://www.slideshare.net/taiseerjoudeh/http-services-security