Difference between revisions of "Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)"
Revision as of 16:21, 12 November 2006

HTTP GET parameters.

Brief Summary

Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as "REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing malicious content on the HTTP GET string (e.g. extra long parameters (2048 chars), SQL statements/injection or OS injection parameters).


Description of the Issue

Given that REST Web services are in effect HTTP-in -> WS-out, the attack patterns are very similar to the regular HTTP attack vectors discussed throughout the guide.

Example: for the HTTP request with query string /viewDetail=detail-10293, the HTTP GET parameter is detail-10293.

Black Box Testing

Say we had a Web Service which accepts the following HTTP GET query string: https://www.ws.com/accountinfo?accountnumber=12039475&userId=asi9485jfuhe92

The resultant response would be similar to:

<?xml version="1.0" encoding="ISO-8859-1"?>
<Account number="12039475">
<balance>€100</balance>
<body>Bank of Bannana account info</body>
</Account>

Testing the data validation on this REST web service is similar to generic application testing:

Try vectors such as: https://www.ws.com/accountinfo?accountnumber=12039475' exec master..xp_cmdshell 'net user Vxr pass /Add &userId=asi9485jfuhe92


Grey Box Testing

Upon reception of an HTTP request the code should do the following:

Check:

  1. Maximum length and minimum length of each parameter value.
  2. Validate the payload.
  3. If possible, implement the following data validation strategies: "exact match", "known good" and "known bad", in that order.
  4. Validate parameter names and existence.

References

The OWASP Fuzz vectors list: http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors
