Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)

From OWASP
Revision as of 05:58, 2 November 2006 by EoinKeary (Talk | contribs)

Jump to: navigation, search

HTTP GET parameters.

Contents

Brief Summary

Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as “REST-style" Web Services. These Web Services can be attacked by passing malicious content on the HTTP GET string (e.g. Extra long parameters (2048 chars), SQL statements/injection or OS Injection parameters). REST = Representational State Transfer).


Description of the Issue

Given that Web services REST are in effect HTTP-In -> WS-OUT at attack patterns are very similar to regular HTTP attack vectors, discussed throughout the guide.

Example: The HTTP request with query string /viewDetail=detail-10293, the HTTP GET parameter is detail- 10293.

Black Box Testing

Grey Box Testing

References