Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"

From OWASP

Revision as of 08:21, 3 November 2006

HTTP GET parameters.


Brief Summary

Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as "REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing malicious content in the HTTP GET string (e.g. extra-long parameters (2048 chars), SQL statements/injection, or OS injection parameters).


Description of the Issue

Given that REST Web Services are in effect HTTP-in -> WS-out, the attack patterns are very similar to the regular HTTP attack vectors discussed throughout the guide.

Example: in the HTTP request with query string /viewDetail=detail-10293, the HTTP GET parameter is detail-10293.

Black Box Testing

Say we had a Web Service which accepts the following HTTP GET query string: https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92

The resultant response would be similar to:

<?xml version="1.0" encoding="ISO-8859-1"?>
<Account number="12039475">
<balance>€100</balance>
<body>Bank of Bannana account info</body>
</Account>

Testing the data validation on this REST web service is similar to generic application testing:

Try vectors such as: https://www.ws.com/accountinfo?accountnumber=12039475' exec master..xp_cmdshell 'net user Vxr pass /Add &userId=asi9485jfuhe92


Grey Box Testing

Upon the reception of a HTTP request the code should do the following:

Check:

  1. Maximum length and minimum length of each parameter value.
  2. Validate the payload:
  3. If possible, implement the following data validation strategies: "exact match", "known good" and "known bad", in that order.
  4. Validate parameter names and existence.
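The four checks above, as an added example that is not part of the OWASP page: a Python validator for the hypothetical /accountinfo service from the Black Box section, with assumed per-parameter policies (the `format` parameter is invented only to show an exact-match set), applied in the order the guide gives.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed per-parameter policy for the hypothetical /accountinfo endpoint.
# Strategies are applied in the guide's order: exact match, known good, known bad.
PARAM_POLICY = {
    "accountnumber": {"min": 8, "max": 8, "exact": None,
                      "known_good": re.compile(r"^[0-9]{8}$")},
    "userId":        {"min": 8, "max": 32, "exact": None,
                      "known_good": re.compile(r"^[A-Za-z0-9]+$")},
    "format":        {"min": 3, "max": 4, "exact": {"xml", "json"},
                      "known_good": None},
}
REQUIRED = ("accountnumber", "userId")
# Known-bad fragments: a final backstop, never the only control.
KNOWN_BAD = ("'", '"', ";", "--", "xp_cmdshell", "exec ", "..", "<", ">")


def validate_query(url):
    """Return (ok, reason); ok is True only when every check passes."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Check 4 first in practice: reject unknown names before touching values.
    unknown = set(params) - set(PARAM_POLICY)
    if unknown:
        return False, f"unknown parameter(s): {sorted(unknown)}"
    for name in REQUIRED:
        if name not in params:
            return False, f"missing required parameter: {name}"
    for name, values in params.items():
        if len(values) != 1:
            return False, f"parameter repeated: {name}"
        value, policy = values[0], PARAM_POLICY[name]
        # Check 1: length bounds before any content inspection.
        if not policy["min"] <= len(value) <= policy["max"]:
            return False, (f"{name}: length {len(value)} outside "
                           f"[{policy['min']}, {policy['max']}]")
        # Check 3a: exact match when the value comes from a closed set.
        if policy["exact"] is not None and value not in policy["exact"]:
            return False, f"{name}: not one of the allowed values"
        # Check 3b: known good, an allow-list pattern.
        if policy["known_good"] is not None and not policy["known_good"].match(value):
            return False, f"{name}: does not match allow-list pattern"
        # Check 3c: known bad, a deny-list applied last.
        for bad in KNOWN_BAD:
            if bad in value.lower():
                return False, f"{name}: contains known-bad fragment {bad!r}"
    return True, "ok"
```

The page's own injection vector fails at the length check before any pattern is consulted, which is why length limits come first.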

References

The OWASP Fuzz vectors list: http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors