A REST API is a collection of URLs: HTTP calls are made to a URI and, in response, it serves JSON or XML data. A REST API is different from a UI-based application. To perform successful attacks on a REST API, we have to collect information about the endpoints, valid data, messages and parameters. The parameters are not standard; a parameter may be part of the URL or may be a constant header. REST APIs are vulnerable to common and well-known OWASP attacks such as injection, CSRF, cross-site scripting, XML External Entity, etc.

The Hackazon application has a REST API module integrated in its Android application. The user can install the Android application in the Android Emulator and set up a proxy. To capture REST traffic, the user can use the ZAP Proxy tool. Below, you can see the proxy setup both in ZAP Proxy and in the Android Emulator. After setting up the proxy, the user can start browsing the application to capture the REST data.

To start with manual or automated scanning, it is important to collect full requests using a proxy tool, because an application based on a REST API may not expose its actual attack surface otherwise. Based on the collected requests, the attack surface is determined: constant IDs, IDs passed as part of the URL, tokens, methods, etc.

The Hackazon mobile application uses REST APIs in some of its forms. The following screenshot shows that the application is using a REST API to fetch the orders from the application. This request has two parameters, "page" and "per_page". The "per_page" parameter is vulnerable to blind SQL injection. The following example demonstrates time-based blind SQL injection in the REST API. In the first request, we injected (SELECT * FROM (SELECT(SLEEP(5)))a)#, which causes a delay of 5 seconds from the server. In the second request, we injected a delay of 10 seconds. As highlighted, we get a delay of 10 seconds in the response. Hence, we can conclude that this parameter is vulnerable to blind SQL injection.

Results

Screenshots: Request 1, Response 1, Request 2, Response 2, Request 3, Response 3

The Hackazon application has a user profile update REST API which is vulnerable to blind SQL injection. This API uses the PUT method to update the user's profile. To identify blind SQL injection, we first injected a single quote ('). As a result, the SQL query became unbalanced and the application threw a 500 (Internal Server Error) with a stack trace, as shown in the request and response. To balance the query, we injected two single quotes ('') and the user profile was submitted successfully.

Screenshots: Request 1, Response 1, Request 2, Response 2

Cross Site Scripting

The user profile page is vulnerable to cross-site scripting. We injected a script tag in the "first_name" parameter value. As a result, we got an echo of it in the response from the server. The application does not execute the script in the API response itself, as that response does not use any HTML component; the injected script does, however, execute in the browser when the profile page is rendered.

Screenshots: Request 1, Response 1; resulting profile page in the web browser

To test REST API using AppSpider (DAST)

Testing a REST API is a very challenging task. Most DAST tools need a training mode to test REST APIs, because the APIs use complex JSON, XML or GWT structures rather than the normal query string parameters.