RESTful web services penetration testing – All things in moderation

RESTful web services penetration testing

The fundamentals of RESTful APIs

  • RESTful describes an architectural style called REST (Representational State Transfer), which advocates that web applications use HTTP as it was originally envisioned: lookups use GET requests, while PUT, POST, and DELETE requests are used for creation, mutation, and deletion.
  • API stands for application programming interface: a set of routines, protocols, and tools for building software applications. An API specifies how software components should interact. APIs are also used when programming graphical user interface (GUI) components.
  • Architecture constraints
    • Uniform interface
    • Client-server
    • Stateless
    • Cache-able
    • Layered system
    • Code on-demand
  • Features of RESTful services
    • Give every “thing” an ID
    • Link things together
    • Use standard methods (GET, PUT, POST, DELETE)
    • Resources can have multiple representations
    • Communicate independently
  • Properties of RESTful services
    • Resources
    • Verbs
    • Media types
    • Status codes
  • Example:

  • A real example of connecting to a RESTful web service:
curl -X GET "http://petstore.swagger.io/v2/user/foo%20bar" -H "accept: application/json"

Code: 200 OK
Response body:
{
  "id": 0,
  "username": "foo bar",
  "firstName": "foo",
  "lastName": "bar",
  "email": "[email protected]",
  "password": "123456",
  "phone": "0123456789",
  "userStatus": 1
}
Response header:
 content-type: application/json

The challenges of security testing RESTful web services

  • Inspecting the application does not reveal the attack surface, i.e. the URL and parameter structure used by the RESTful web service.
  • The parameters are non-standard, making it hard to determine what is just part of the URL or a constant header and what is a parameter worth fuzzing.
  • As a machine interface, the number of parameters used can be very large; for example, a JSON structure may include dozens of parameters. Fuzzing each one significantly lengthens the time required for testing.
  • Custom authentication mechanisms require reverse engineering and make popular tools less useful, as they cannot track a login session.

RESTful web services penetration testing


  • Determine the attack surface through documentation – RESTful pen testing is better off if some level of white box testing is allowed and you can get information about the service. This information ensures fuller coverage of the attack surface. Information to look for:
    • Formal service description
    • A developer guide for using the service: less detailed, but commonly available, and it might even be considered “black box”
    • Application source or configuration
  • Collect full requests using a proxy – while always an important pen testing step, this is more important for REST based applications, as the application UI may not give clues on the actual attack surface. Note that the proxy must be able to collect full requests and not just URLs, as REST services utilize more than just GET parameters.

  • Analyze collected requests to determine the attack surface
    • Look for non-standard parameters
    • Verify non-standard parameters
  • Analyze collected requests to optimize fuzzing – after identifying potential parameters to fuzz, analyze the collected values for each to determine

  • Emulate the authentication mechanism used.
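The attack-surface steps above (collect full requests, find the non-standard parameters, look at the values collected for each) can be turned into a script. The following is an added example, not code from the original post: it takes a constructed sample of proxy-captured requests modelled on the petstore call above (hostname, API key header and values are made up), groups them by method and path template, and lists the path, query, JSON body and custom header parameters observed for each endpoint, together with the values seen.

```python
"""Map the attack surface of a REST API from proxy-captured requests.

Added example, not code from the original post. The captured requests are a
constructed sample modelled on the petstore call above; in practice they would
be exported from an intercepting proxy.
"""
import json
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Headers almost every client sends; anything else is a candidate parameter.
STANDARD_HEADERS = {"accept", "content-type", "content-length", "host",
                    "user-agent", "connection", "accept-encoding"}

# Constructed sample capture (hostname and API key are made up).
CAPTURED = [
    {"method": "GET", "url": "http://petstore.example/v2/user/alice?verbose=1",
     "headers": {"Accept": "application/json", "X-Api-Key": "k1"}, "body": ""},
    {"method": "GET", "url": "http://petstore.example/v2/user/bob",
     "headers": {"Accept": "application/json", "X-Api-Key": "k1"}, "body": ""},
    {"method": "PUT", "url": "http://petstore.example/v2/user/alice",
     "headers": {"Accept": "application/json", "Content-Type": "application/json",
                 "X-Api-Key": "k1"},
     "body": '{"username": "alice", "email": "alice@example.test", "userStatus": 1}'},
    {"method": "GET", "url": "http://petstore.example/v2/pet/42",
     "headers": {"Accept": "application/json", "X-Api-Key": "k1"}, "body": ""},
    {"method": "GET", "url": "http://petstore.example/v2/pet/43",
     "headers": {"Accept": "application/json", "X-Api-Key": "k1"}, "body": ""},
]


def json_keys(value, prefix=""):
    """Dotted key paths of every leaf in a JSON document (list items become '[]')."""
    if isinstance(value, dict):
        return [k for name, sub in value.items()
                for k in json_keys(sub, f"{prefix}{name}.")]
    if isinstance(value, list):
        return [k for sub in value for k in json_keys(sub, f"{prefix}[].")]
    return [prefix.rstrip(".")]


def path_template(index, all_segments):
    """Replace variable path segments with {name}; returns (template, {name: value}).

    A segment counts as a parameter when it is numeric, or when another captured
    path of the same length differs from this one in that segment only.
    """
    segs = all_segments[index]
    variable = {k for k, s in enumerate(segs) if s.isdigit()}
    for j, other in enumerate(all_segments):
        if j != index and len(other) == len(segs):
            diff = [k for k in range(len(segs)) if other[k] != segs[k]]
            if len(diff) == 1:
                variable.add(diff[0])
    parts, values = [], {}
    for k, s in enumerate(segs):
        if k in variable:
            name = segs[k - 1] if k else "param"   # /user/alice -> /user/{user}
            parts.append("{" + name + "}")
            values[name] = s
        else:
            parts.append(s)
    return "/" + "/".join(parts), values


def attack_surface(requests):
    """Group requests by method + path template and list candidate parameters."""
    all_segments = [urlsplit(r["url"]).path.strip("/").split("/") for r in requests]
    surface = defaultdict(lambda: {"path": set(), "query": set(), "body": set(),
                                   "headers": set(), "values": defaultdict(set)})
    for i, req in enumerate(requests):
        template, path_values = path_template(i, all_segments)
        entry = surface[f"{req['method']} {template}"]
        for name, value in path_values.items():
            entry["path"].add(name)
            entry["values"][name].add(value)
        for name, value in parse_qsl(urlsplit(req["url"]).query):
            entry["query"].add(name)
            entry["values"][name].add(value)
        headers = {k.lower(): v for k, v in req["headers"].items()}
        entry["headers"].update(h for h in headers if h not in STANDARD_HEADERS)
        if req["body"] and headers.get("content-type", "").startswith("application/json"):
            entry["body"].update(json_keys(json.loads(req["body"])))
    # Sorted lists keep the output stable, so two captures can be diffed.
    return {key: {field: ({n: sorted(v) for n, v in val.items()}
                          if isinstance(val, dict) else sorted(val))
                  for field, val in entry.items()}
            for key, entry in surface.items()}


if __name__ == "__main__":
    print(json.dumps(attack_surface(CAPTURED), indent=2))
```

The grouping by template is what separates a constant URL part from a path parameter: `/v2/user/alice` and `/v2/user/bob` collapse into `GET /v2/user/{user}` with both values recorded, while `/v2/pet/42` is recognised from its numeric segment alone. The per-parameter value lists are the input to the "optimize fuzzing" step, since they show what type and range each parameter normally takes.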

Common testing

  • Enumeration
  • Rate limiting not implemented
  • Information Disclosure
  • POST to GET conversion (method conversion)
  • IDOR (insecure direct object reference)
  • SQLi
  • Authorization flaws
  • Token related issues (expiry, reuse, predictability, etc.)

An example of an IDOR in a RESTful API:

Insecure direct object references (IDOR)
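The petstore lookup above returns the full user record, password included, to whoever asks for it by username. As an added example (not the petstore's own code, and not from the original post), the handler below is written twice: a vulnerable version that only checks that some token was presented, and a hardened version that adds object-level authorization and an explicit allow-list for the response body. The user store, the bearer tokens and the (headers, username) handler signature are constructed for illustration.

```python
"""Vulnerable vs. hardened handler for GET /v2/user/{username}.

Added example, not the petstore's own code. The user records, tokens and
handler shape are constructed; a real service would back them with a database
and its framework's authentication middleware.
"""
import hmac

# Constructed user records, shaped like the petstore response above.
USERS = {
    "foo bar": {"id": 1, "username": "foo bar", "firstName": "foo", "lastName": "bar",
                "email": "foo@example.test", "password": "hash-of-123456",
                "phone": "0123456789", "userStatus": 1},
    "alice": {"id": 2, "username": "alice", "firstName": "Alice", "lastName": "A",
              "email": "alice@example.test", "password": "hash-of-secret",
              "phone": "0987654321", "userStatus": 1},
}

# Constructed bearer tokens mapped to the authenticated username.
TOKENS = {"tok-foo": "foo bar", "tok-alice": "alice"}

# Fields that must never be serialised into a response body.
SENSITIVE = {"password"}


def authenticate(headers):
    """Resolve the Authorization header to a username, or None if invalid."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, user in TOKENS.items():
        if hmac.compare_digest(token, presented):   # constant-time comparison
            return user
    return None


def get_user_vulnerable(headers, username):
    """IDOR: any valid token can read any user, and the record is returned whole."""
    if authenticate(headers) is None:
        return 401, {"message": "unauthenticated"}
    user = USERS.get(username)
    if user is None:
        return 404, {"message": "not found"}
    return 200, dict(user)   # leaks password, phone and email of other users


def get_user_hardened(headers, username):
    """Object-level authorization plus an explicit response allow-list."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"message": "unauthenticated"}
    user = USERS.get(username)
    # Same 404 for "does not exist" and "not yours": no username enumeration oracle.
    if user is None or caller != username:
        return 404, {"message": "not found"}
    return 200, {k: v for k, v in user.items() if k not in SENSITIVE}


if __name__ == "__main__":
    alice = {"authorization": "Bearer tok-alice"}
    print("vulnerable:", get_user_vulnerable(alice, "foo bar"))
    print("hardened:  ", get_user_hardened(alice, "foo bar"))
```

Two of the items from the common-testing list are covered by the hardened version: the ownership check (`caller != username`) closes the IDOR, and the allow-list closes the information disclosure, while returning the same 404 for a missing user and for someone else's user removes the enumeration oracle. If the service has an admin role, that role is the only place where the ownership check should be relaxed.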


  • curl (command-line tool) – see the example usage above
  • REST Client (Firefox add-on)
  • Postman (Chrome add-on)


https://www.owasp.org/index.php/REST_Security_Cheat_Sheet – a great guide to improving RESTful API security.

