Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)

Revision as of 12:59, 19 August 2008 by Marco (talk | contribs) (Brief Summary)

Jump to: navigation, search

OWASP Testing Guide v2 Table of Contents

Brief Summary

Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as “REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing malicious content on the HTTP GET string (e.g., extra long parameters (2048 chars), SQL statements/injection (or OS Injection parameters).

Description of the Issue

Given that Web services REST are in effect HTTP-In -> WS-OUT at attack patterns are very similar to regular HTTP attack vectors, discussed throughout the guide. For example, in the following HTTP request with query string "/viewDetail=detail-10293", the HTTP GET parameter is "detail- 10293".

Black Box Testing and example

Say we had a Web Service which accepts the following HTTP GET query string:


The resultant response would be similar to:

<?xml version="1.0" encoding="ISO-8859-1"?>
<body>Bank of Bannana account info</body>

Testing the data validation on this REST web service is similar to generic application testing:

Try vectors such as:

https://www.ws.com/accountinfo?accountnumber=12039475' exec master..xp_cmdshell 'net user Vxr pass /Add &userId=asi9485jfuhe92

Grey Box Testing and example

Upon the reception of a HTTP request the code should do the following:


  1. max length and minimum length
  2. Validate payload:
  3. If possible implement the following data validation stratigies; "exact match", "known good" and "known bad" in that order.
  4. Validate parameter names and existance.



OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents