Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"

From OWASP

Revision as of 05:46, 26 October 2006

HTTP GET parameters.


Many XML applications are invoked by passing them parameters using HTTP GET queries.

Example: for an HTTP request whose query string is /viewDetail=detail-10293, the HTTP GET parameter value is detail-10293.

These are sometimes known as "REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing malicious content in the HTTP GET string (e.g. extra long parameters (2048 chars), SQL statements/injection, or OS injection parameters).
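The following Python snippet is an added example written for this page, not OWASP's own code, showing the server-side controls that address the three abuse cases listed above (overlong values, SQL metacharacters, OS-injection style input) for a REST-style GET endpoint. It assumes the detail identifier arrives as a query parameter named `id` on `/viewDetail` (the original text shows only the value `detail-10293`, so the parameter name, the length limit, the allow-list pattern and the sample rows in the in-memory SQLite table are all constructed for the example). Input is checked cheapest-first (presence, single occurrence, length, then allow-list pattern) before anything reaches the database, and the lookup binds the value as a query parameter rather than concatenating it into SQL.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Policy for the hypothetical "id" query parameter of /viewDetail. The parameter
# name, limit and pattern are assumptions for this example; the OWASP text only
# shows the value detail-10293.
PARAM_NAME = "id"
MAX_PARAM_LENGTH = 64                            # far below the 2048-char abuse case
DETAIL_ID_PATTERN = re.compile(r"detail-[0-9]{1,10}")


class ParameterRejected(ValueError):
    """Raised when a GET parameter fails the allow-list policy."""


def validate_detail_param(raw_query: str) -> str:
    """Extract and validate the detail id from a raw query string.

    Checks run cheapest-first: presence, single occurrence (rejects parameter
    pollution), length, then the allow-list pattern. A rejected value never
    reaches the database layer, so SQL or shell metacharacters are irrelevant.
    """
    params = parse_qs(raw_query, keep_blank_values=True)
    values = params.get(PARAM_NAME, [])
    if len(values) != 1:
        raise ParameterRejected(f"{PARAM_NAME} must appear exactly once")
    value = values[0]
    if len(value) > MAX_PARAM_LENGTH:
        raise ParameterRejected(f"{PARAM_NAME} too long")
    if not DETAIL_ID_PATTERN.fullmatch(value):
        raise ParameterRejected(f"{PARAM_NAME} malformed")
    return value


def build_sample_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE detail (id TEXT PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO detail VALUES (?, ?)",
        [("detail-10293", "Sample record 10293"), ("detail-7", "Sample record 7")],
    )
    return conn


def lookup_detail(conn: sqlite3.Connection, detail_id: str):
    """Parameterised query: the value is bound, never concatenated into SQL."""
    return conn.execute(
        "SELECT id, title FROM detail WHERE id = ?", (detail_id,)
    ).fetchone()


def handle_request(conn: sqlite3.Connection, raw_query: str) -> dict:
    """Simulated handler for GET /viewDetail?<raw_query>; returns a status dict."""
    try:
        detail_id = validate_detail_param(raw_query)
    except ParameterRejected as exc:
        return {"status": 400, "reason": str(exc)}
    row = lookup_detail(conn, detail_id)
    if row is None:
        return {"status": 404, "reason": "no such detail"}
    return {"status": 200, "id": row[0], "title": row[1]}


if __name__ == "__main__":
    db = build_sample_db()
    # Constructed request query strings: a valid id, an overlong value,
    # a value carrying quote/semicolon metacharacters, a duplicated parameter,
    # and a request missing the parameter entirely.
    samples = (
        "id=detail-10293",
        "id=" + "A" * 2048,
        "id=detail-1%27%3B",
        "id=detail-1&id=detail-2",
        "name=x",
    )
    for q in samples:
        print(q[:40], "->", handle_request(db, q))
```

Rejecting on length before running the regular expression keeps the cost of handling a 2048-character value trivial, and the allow-list pattern means the handler does not need a deny-list of SQL or shell characters that an attacker could work around; logging the `reason` string from each 400 response gives a simple detection signal for the probes this test describes.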