SlideShare ist ein Scribd-Unternehmen logo

Pentesting RESTful webservices

Mohammed A. Imran
Mohammed A. Imran

Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.

Technologie
1 von 65
Downloaden Sie, um offline zu lesen
` ces vi sting er ente P bS e lW Tfu ES R MOH IMRAN MED A. AM
Hello MI MOHAMMED A. IMRAN Application Security Engineer, CA Inc Null Hyderabad Lead OWASP Hyderabad Board Member @MohammedAImran Created and Designed using
LET’S TALK ABOUT ... WHAT IS RESTful WEB SERVICES? PROBLEMS WITH REST WS TESTING TOOLS & TECHNIQUES METHODOLOGY TO TEST RESTful WS
DID YOU ? KNOW
THE UGLY TRUTH SOAP Webservices VS RESTful Webservices Google Trends
They also rest on REST APIs
Why REST WebServices ?
Easy & Simple GET /users/313/ VS <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope" soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding"> <soap:Body xmlns:m="http://www.mysite.com/users">   <m:GetUserDetails>     <m:UserID>313</m:UserID>   </m:GetUserDetails> </soap:Body> </soap:Envelope>
Light weight { "login": "MohammedAImran", "type": "User", "site_admin": false, "name": "Mohammed A. Imran", "company": "CA Inc", "email": "morpheus@null.co.in" } <soap:Body xmlns:m="http://www.mysite.com/users">   <m:GetUserDetailsResponse>     <m:UserName>MohammedAImran</m:UserName> <m:Type>user</m:Type> VS <m:SiteAdmin>false</m:SiteAdmin> <m:UserName>Mohammed A.Imran</m:UserName> <m:Company>CA Inc</m:Company> <m:Email> morpheus@null.co.in </m:Email>   </m:GetUserDetailsResponse> </soap:Body> Note: REST can also use XML as media type
Many more reasons to use ... ● Easy to understand & document ● Easy on limited bandwidth ● READS can be cached and hence reduces the bandwidth ● Better browser support since data format mostly is json ● Can be used by mobile devices ● Loosely coupled
But what is REST ?
“ Representational state transfer (REST) is an architectural style consisting of a coordinated set of constraints applied to components, connectors, and data elements, within a distributed hypermedia system.
What ? Let me explain ... REST is an architectural style with some imposed constraints in how data is accessed and represented while developing web services or applications. It uses HTTP 1.1 as inspiration.
In simple terms REST = RFC 2616almost Well,
In simple terms ... REST = HTTP Protocol with constraints
Architecture constraints ● Uniform interface ● Client-server ● Stateless ● Cache-able ● Layered system ● Code on demand(optional)
REST Style consists of ... Resources VERBS Media Types Status Codes
REST Style consists of ... Resource URLs VERBS Media Types Status Codes
Collection RESOURCES INSTANCE RESOURCES RESOURCES Site.com/users/1 Site.com/users NOUN
REST Style consists of ... Resources VERBS Media Types Status Codes
DELETE VERBS POST PUT READ
POST = CREATE some resource Create a new * * POST can be used for both create and update
POST http://mysite.com/users/ { } "login": "MohammedAImran", "id": "313", "name": "Mohammed A. Imran", "company": "CA Inc", "email": "MohammedAbdullahImran@gmail.com"
GET = READsome resource Fetch
GET site.com/users/ { users:[ { "login": "MohammedAImran", "id": "313", "name": "Mohammed A. Imran", "company": "CA Inc", "email": "MohammedAbdullahImran@gmail.com"}, { "login": "Raghunath", "id": "311", "name": " G Raghunath", "company": "X Inc", "email": "raghu@null.co.in"}] }
GET site.com/users/313 { "login": "MohammedAImran", "id": "313", "name": "Mohammed A. Imran", "company": "CA Inc", "email": "MohammedAbdullahImran@gmail.com" }
PUT =UPDATE/MODIFY Update some resource * * PUT can be used for both create and update
DELETE = DELETE Delete a resource
REST Style consists of ... Resources VERBS Media Types Status Codes
HATEOAS Hypermedia As The Engine Of Application State
= + Specifications Parsing Rules Media Types
Media Type Examples Application/json Application/xml Application/imrans+json;v1
REST Style consists of ... Resources VERBS Media Types Status Codes
Status Codes 200 OK 201 Created 204 No Content 304 Not Modified 500 Internal Server Error 501 Not Implemented 400 Bad Request 401 Unauthorized 403 Forbidden 404 Not Found 405 Method Not Allowed 409 Conflict
RESTful WS testing problems
Difficulty in doing REST PT ● Many JSON variables to fuzz and difficult to find which ones are optional and to be fuzzed ● Custom authentication ● Statelessness ● Non common HTTP status codes which tools are used to
Difficulty in doing REST PT ... ● ● ● Not so good automated tool support Every API is different from other and hence need custom tweaking for tools Heavy reliance on Ajax frameworks for creating PUT and DELETE requests as most browsers don’t support them
REST WS testing Methodology
Authentication
Bad practices http://site.com/token/a3b3c2be5f53c8/ https://site.com/token/a3b3c2be5f53c8/
Authentication ... ● REST APIs rely heavily on SSL ● Often basic authentication is coupled with SSL ( Bruteforce ? ) ● Often custom token authentication schemes are built and used ( a sure recipe for disaster) ● Never pass username/password, tokens, keys in URL (use POST instead ) ● Implementing authentication tokens in Headers takes away headache of having a CSRF token
Session Management ● Check all session based attacks on tokens as well ● Session timeout ● Session brute force ● ● Generally tokens are stored in local storage of browsers, make sure you delete the token after log-out and upon browser window close Invalidate the token at server side upon on logout
Authorization ● Privilege escalation (Horizontal and Vertical) ● Make sure there is a tight access control on DELETE, PUT methods ● Use role based authentication ● ● Since usually the consumers of the REST APIs are machines, there are no checks if service is heavily used, could lead to DoS or BruteForce. Protect administrative functionality
CVE-2010-0738
JBOSS JMX Console Vulnerability
NOTE All attacks which are possible on any web application are possible with REST APIs as well.
Input Validation ● SQL Injection ● XSS ● Command Injection ● XPATH Injection However XSS becomes difficult to fuzz because of JSON and you might want to scan with sql injection and xss profiles separately
Output encoding ● If you application has a web interface then might want to use the following headers: X-Content-Type-Options: nosniff – X-Frame-Options: DENY/SAMEORIGIN/ALLOW-FROM JSON Encoding – ●
Cryptography ● ● Use TLS with good key size (384 bits preferably) Use client side certificates possible however not usually seen for APIs ● Use strong hashing algorithms(scrypt/bcrypt/SHA512) ● Use strong encryption mechanisms (AES)
Few notes ... ● ● ● ● Use proxy to determine the attack surface and to understand the application Identify URLs, Resources, status codes and data needed Every part of the http protocol is potential for fuzzing in RESTful APIs (dont forget headers) WAF evasion is possible since json is not well understood by WAFs
Tools & Techniques
Command-line-Fu
cURL Primer cURL -b or - -cookie ”COOKIE HERE” -h or - -header “Authorization: Custom SW1yYW5XYXNIZXJlCg==” -X or - -request PUT/POST/DELETE -i or - -include //include response headers -d or - -data “username=imran&password=Imran” or - -data @filecontaining-data -x or - - proxy 127.0.0.1:8080 -A or - -user-agent ”Firefox 27.0”
cURL Primer ... ● ● ● cURL is great for automation if you know how service works. cURL libraries are available for majority of the languages like php, python and many more... You can perform complex operations and script them pretty fast.
cURL Examples #!/bin/bash users="Imran Jaya Raghu Vinayak" for dirName in $users do curl -i -H “Authorization: Custom SW1yYW5XYXNIZXJlCg==” "http://www.mysite.com/users/$dirName" --proxy 127.0.0.1:8080 done
Graphical Tools
Firefox Add-on
Firefox Add-on ... ● ● If you need graphical interface, browser add-ons provide GUI, however not as powerful as the cURL command. Specialized developer tools ( SOAP UI ) can also be used for testing.
Automated Tools
AppScan Scan http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html
AppScan Scan...
Thank you ! Want to discuss more ? Catch me on www.twitter.com/MohammedAImran www.linkedin.com/in/MohammedAImran
You might like these as well!
Credits * All icons are taken from The Noun project, credit goes to respective artists * OWASP Cheat sheet series
References http://www.slideshare.net/SOURCEConference/security-testing-for-rest-applications-ofer-shezaf-source-barcelona-nov-2011 https://www.owasp.org/index.php/REST_Security_Cheat_Sheet http://securityreliks.wordpress.com/2010/07/28/testing-restful-services-with-appscan/ http://www-01.ibm.com/support/docview.wss?uid=swg21412832 http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html

Empfohlen

REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
Rest API
Rest APIRest API
Rest APIRohana K Amarakoon
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUDPrem Sanil
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developersPatrick Savalle
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 

Empfohlen

REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
Rest API
Rest APIRest API
Rest APIRohana K Amarakoon
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUDPrem Sanil
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developersPatrick Savalle
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
Apache tomcat
Apache tomcatApache tomcat
Apache tomcatShashwat Shriparv
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
Soap vs rest
Soap vs restSoap vs rest
Soap vs restAntonio Severien
 
An Overview of Web Services: SOAP and REST
An Overview of Web Services: SOAP and REST An Overview of Web Services: SOAP and REST
An Overview of Web Services: SOAP and REST Ram Awadh Prasad, PMP
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web APIBrad Genereaux
 
Introduction to REST - API
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - APIChetan Gadodia
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
Model View Controller (MVC)
Model View Controller (MVC)Model View Controller (MVC)
Model View Controller (MVC)Javier Antonio Humarán Peñuñuri
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsTessa Mero
 
Soap Vs Rest
Soap Vs RestSoap Vs Rest
Soap Vs Restsreekveturi
 
RESTful services
RESTful servicesRESTful services
RESTful servicesgouthamrv
 
Restful web services ppt
Restful web services pptRestful web services ppt
Restful web services pptOECLIB Odisha Electronics Control Library
 
Intro to WebSockets
Intro to WebSocketsIntro to WebSockets
Intro to WebSocketsGaurav Oberoi
 
Api testing
Api testingApi testing
Api testingKeshav Kashyap
 
API for Beginners
API for BeginnersAPI for Beginners
API for BeginnersGustavo De Vita
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Laravel introduction
Laravel introductionLaravel introduction
Laravel introductionSimon Funk
 
Java EE Introduction
Java EE IntroductionJava EE Introduction
Java EE Introductionejlp12
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAutomated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAbhijeth D
 
Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0n|u - The Open Security Community
 

Weitere ähnliche Inhalte

Was ist angesagt?

The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
An Overview of Web Services: SOAP and REST
An Overview of Web Services: SOAP and REST An Overview of Web Services: SOAP and REST
An Overview of Web Services: SOAP and REST Ram Awadh Prasad, PMP
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web APIBrad Genereaux
 
Introduction to REST - API
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - APIChetan Gadodia
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsTessa Mero
 
RESTful services
RESTful servicesRESTful services
RESTful servicesgouthamrv
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Laravel introduction
Laravel introductionLaravel introduction
Laravel introductionSimon Funk
 
Java EE Introduction
Java EE IntroductionJava EE Introduction
Java EE Introductionejlp12
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 

Was ist angesagt? (20)

The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
 
Apache tomcat
Apache tomcatApache tomcat
Apache tomcat
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
Soap vs rest
Soap vs restSoap vs rest
Soap vs rest
 
An Overview of Web Services: SOAP and REST
An Overview of Web Services: SOAP and REST An Overview of Web Services: SOAP and REST
An Overview of Web Services: SOAP and REST
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
 
Introduction to REST - API
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - API
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
Model View Controller (MVC)
Model View Controller (MVC)Model View Controller (MVC)
Model View Controller (MVC)
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
 
Soap Vs Rest
Soap Vs RestSoap Vs Rest
Soap Vs Rest
 
RESTful services
RESTful servicesRESTful services
RESTful services
 
Restful web services ppt
Restful web services pptRestful web services ppt
Restful web services ppt
 
Intro to WebSockets
Intro to WebSocketsIntro to WebSockets
Intro to WebSockets
 
Api testing
Api testingApi testing
Api testing
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Laravel introduction
Laravel introductionLaravel introduction
Laravel introduction
 
Java EE Introduction
Java EE IntroductionJava EE Introduction
Java EE Introduction
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 

Andere mochten auch

Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAutomated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAbhijeth D
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security TestingSmartBear
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)John Dalsgaard
 
OMA Strategy on Open API Standardization
OMA Strategy on Open API StandardizationOMA Strategy on Open API Standardization
OMA Strategy on Open API StandardizationMusa Unmehopa
 
Building a RESTful API on Heroku for Your Force.com App
Building a RESTful API on Heroku for Your Force.com AppBuilding a RESTful API on Heroku for Your Force.com App
Building a RESTful API on Heroku for Your Force.com AppSalesforce Developers
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourCyren, Inc
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringIshan Girdhar
 
Burp suite
Burp suiteBurp suite
Burp suiteAmmar WK
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning StrategiesPavel Revenkov
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1Anil Kumar M
 
Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Marc Wickenden
 

Andere mochten auch (20)

Automated API pentesting using fuzzapi
Automated API pentesting using fuzzapiAutomated API pentesting using fuzzapi
Automated API pentesting using fuzzapi
 
Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
RESTful services on IBM Domino/XWork (ICON UK 21-22 Sept. 2015)
 
pwnd.sh
pwnd.shpwnd.sh
pwnd.sh
 
OMA Strategy on Open API Standardization
OMA Strategy on Open API StandardizationOMA Strategy on Open API Standardization
OMA Strategy on Open API Standardization
 
Building a RESTful API on Heroku for Your Force.com App
Building a RESTful API on Heroku for Your Force.com AppBuilding a RESTful API on Heroku for Your Force.com App
Building a RESTful API on Heroku for Your Force.com App
 
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challengeITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
 
Paypal-IPN
Paypal-IPNPaypal-IPN
Paypal-IPN
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an Hour
 
Pyscho-Strategies for Social Engineering
Pyscho-Strategies for Social EngineeringPyscho-Strategies for Social Engineering
Pyscho-Strategies for Social Engineering
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
 
Windows Azure Versioning Strategies
Windows Azure Versioning StrategiesWindows Azure Versioning Strategies
Windows Azure Versioning Strategies
 
Wcf security session 1
Wcf security session 1Wcf security session 1
Wcf security session 1
 
Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)Burp plugin development for java n00bs (44 con)
Burp plugin development for java n00bs (44 con)
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 

Ähnlich wie Pentesting RESTful webservices

2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Security Best Practices for Bot Builders
Security Best Practices for Bot BuildersSecurity Best Practices for Bot Builders
Security Best Practices for Bot BuildersMax Feldman
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeAman Kohli
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP TechnologyPriyanka Aash
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)Nitroxis Sprl
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 

Ähnlich wie Pentesting RESTful webservices (20)

Web Security
Web SecurityWeb Security
Web Security
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Security Best Practices for Bot Builders
Security Best Practices for Bot BuildersSecurity Best Practices for Bot Builders
Security Best Practices for Bot Builders
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 

Mehr von Mohammed A. Imran

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessMohammed A. Imran
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or lessMohammed A. Imran
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsMohammed A. Imran
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeMohammed A. Imran
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction Mohammed A. Imran
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applicationsMohammed A. Imran
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security communityMohammed A. Imran
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 

Mehr von Mohammed A. Imran (15)

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishments
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Assembly language part I
Assembly language part IAssembly language part I
Assembly language part I
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security community
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 

Kürzlich hochgeladen

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Pentesting RESTful webservices