Scan of Rest API Spike


1. Scan based on a definition Document

1.1. Input

1.1.1. Swagger: already handled in DAVM for websites; needs to be re-adapted to handle REST APIs (methods, parameters).

1.1.2. WADL: do we really need this along with the Swagger spec?

1.2. Authentication

1.2.1. Typical web applications use form/cookie or server-based authentication, while REST APIs use a variety of other methods such as client certificates, API keys or authentication tokens. Basic HTTP: we could include a specific section "Basic HTTP authentication" (similar to the specific authentication parameters in the website inventory view). OAuth: we should find a way to fetch the access token, maybe with a proxy?
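The two points above (1.1.1, re-adapting the Swagger input to enumerate methods and parameters, and 1.2.1, the authentication material a REST operation needs) in working code. This is an added example and not DAVM's own code; the Swagger 2.0 document, host, paths and security scheme names in it are constructed for illustration.

```python
"""Added example (not DAVM code): enumerate the operations a Swagger 2.0
definition describes and resolve which authentication slot each one needs.

The definition below is constructed for illustration; no real service is
described.
"""
import json

# Constructed Swagger 2.0 document. Host, paths and scheme names are made up.
SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "host": "api.example.test",
    "basePath": "/v1",
    "schemes": ["https"],
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
        "basic": {"type": "basic"},
    },
    "security": [{"api_key": []}],          # default for every operation
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [
                {"name": "id", "in": "path", "required": True, "type": "integer"},
                {"name": "verbose", "in": "query", "type": "boolean"},
            ]},
            "delete": {
                "parameters": [{"name": "id", "in": "path", "required": True, "type": "integer"}],
                "security": [{"basic": []}],  # overrides the document default
            },
        },
        "/users": {
            "parameters": [{"name": "X-Tenant", "in": "header", "type": "string"}],
            "post": {"parameters": [{"name": "body", "in": "body", "schema": {
                "type": "object",
                "properties": {"name": {"type": "string"}, "age": {"type": "integer"}},
            }}]},
        },
    },
})

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def sample_value(schema):
    """Placeholder that satisfies the declared type, so the request is well-formed."""
    t = schema.get("type", "string")
    if t in ("integer", "number"):
        return 1
    if t == "boolean":
        return True
    if t == "array":
        return [sample_value(schema.get("items", {}))]
    if t == "object":
        return {k: sample_value(v) for k, v in schema.get("properties", {}).items()}
    return "a"


def resolve_auth(spec, operation):
    """Map the operation's security requirement onto concrete header/query slots.

    Returns (location, name, scheme_type) tuples the scanner has to fill from
    its stored credentials before sending the request. Each requirement is an
    alternative; satisfying any one of them is enough.
    """
    defs = spec.get("securityDefinitions", {})
    requirements = operation.get("security", spec.get("security", []))
    slots = []
    for requirement in requirements:
        for scheme_name in requirement:
            scheme = defs[scheme_name]
            if scheme["type"] == "apiKey":
                slots.append((scheme["in"], scheme["name"], "apiKey"))
            elif scheme["type"] == "basic":
                slots.append(("header", "Authorization", "basic"))
            elif scheme["type"] == "oauth2":
                slots.append(("header", "Authorization", "oauth2"))
    return slots


def enumerate_operations(spec_text):
    """One dict per (method, path) with placeholder parameters and auth slots."""
    spec = json.loads(spec_text)
    base = spec.get("basePath", "").rstrip("/")
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])     # path-level parameters apply to every method
        for method in HTTP_METHODS:
            if method not in item:
                continue
            op = item[method]
            slots = {"path": {}, "query": {}, "header": {}, "body": None}
            for p in shared + op.get("parameters", []):
                if p["in"] == "body":
                    slots["body"] = sample_value(p.get("schema", {}))
                elif p["in"] in slots:          # formData is deliberately left out here
                    slots[p["in"]][p["name"]] = sample_value(p)
            url_path = base + path
            for name, value in slots["path"].items():
                url_path = url_path.replace("{%s}" % name, str(value))
            ops.append({
                "method": method.upper(),
                "host": spec["host"],
                "path": url_path,
                "query": slots["query"],
                "headers": slots["header"],
                "body": slots["body"],
                "auth": resolve_auth(spec, op),
            })
    return ops
```

The `auth` list is the piece the website crawler does not have today: an operation may demand an API key in a header or query parameter, a Basic `Authorization` header, or an OAuth bearer token, and the operation-level `security` block can override the document default, so the per-operation resolution is what the inventory view's authentication section would feed.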

2. No definition Document is Provided

2.1. Proxify user requests

2.1.1. Header-signing authentication is problematic, since it can go through an external provider.

2.1.2. Header signing: see the Internet-Draft draft-cavage-http-signatures-03 ("Signing HTTP Messages"). The crawler cannot produce valid signatures unless the user provides the private key information so we can sign the crawler's HTTP messages.

2.1.3. OAuth: we can sniff the access token when proxifying user requests. Access tokens expire, so the crawler also needs a way to re-capture or refresh the token during a long scan.

2.1.4. Shared-secret authentication??
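The signing scheme referred to in 2.1.2, shown from both sides: the crawler signs a request and the API verifies it. This is an added example, not DAVM code and not the draft's reference code; it uses the draft's `hmac-sha256` algorithm so that it runs on the standard library alone, and the key id, shared secret and request headers are constructed for illustration.

```python
"""Added example (not DAVM code): sign and verify HTTP messages following the
scheme of draft-cavage-http-signatures-03, using its hmac-sha256 algorithm.

KEY_ID, SHARED_SECRET and the request are constructed for this example.
"""
import base64
import hashlib
import hmac

# Constructed credentials: in the product they would come from the user,
# which is exactly the information the crawler needs before it can sign.
KEY_ID = "crawler-key-1"
SHARED_SECRET = b"constructed-secret-do-not-reuse"


def signing_string(method, path, headers, header_names):
    """Build the draft's signing string: one 'name: value' line per listed
    header, where the pseudo-header (request-target) is '<method> <path>'."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in header_names:
        if name == "(request-target)":
            lines.append("(request-target): %s %s" % (method.lower(), path))
        else:
            lines.append("%s: %s" % (name, lower[name]))   # KeyError if header absent
    return "\n".join(lines)


def sign_request(method, path, headers, secret=SHARED_SECRET, key_id=KEY_ID,
                 header_names=("(request-target)", "host", "date")):
    """Crawler side: return a copy of the headers with a Signature header added."""
    to_sign = signing_string(method, path, headers, header_names)
    mac = hmac.new(secret, to_sign.encode(), hashlib.sha256).digest()
    params = [
        'keyId="%s"' % key_id,
        'algorithm="hmac-sha256"',
        'headers="%s"' % " ".join(header_names),
        'signature="%s"' % base64.b64encode(mac).decode(),
    ]
    signed = dict(headers)
    signed["Signature"] = ",".join(params)
    return signed


def parse_signature_header(value):
    """Parse 'k="v",k="v"' into a dict (base64 values never contain commas)."""
    params = {}
    for part in value.split(","):
        k, _, v = part.partition("=")
        params[k.strip()] = v.strip().strip('"')
    return params


def verify_request(method, path, headers, secret=SHARED_SECRET):
    """Server side: recompute the MAC over the headers the signer listed."""
    params = parse_signature_header(headers.get("Signature", ""))
    if params.get("algorithm") != "hmac-sha256":
        return False
    names = params.get("headers", "date").split()   # draft default is 'date'
    try:
        to_sign = signing_string(method, path, headers, names)
    except KeyError:
        return False                                 # a listed header is missing
    expected = hmac.new(secret, to_sign.encode(), hashlib.sha256).digest()
    try:
        got = base64.b64decode(params.get("signature", ""))
    except ValueError:
        return False
    return hmac.compare_digest(expected, got)


if __name__ == "__main__":
    req = {"Host": "api.example.test", "Date": "Tue, 07 Jun 2014 20:51:35 GMT"}
    signed = sign_request("POST", "/v1/users", req)
    print(signed["Signature"])
    print(verify_request("POST", "/v1/users", signed))
```

The signature covers the method and path through `(request-target)`, so a token captured from one user request cannot simply be replayed on a different endpoint, which is why proxying alone does not help here. With the draft's `rsa-sha256` algorithm the verifying side holds only the public key and the crawler needs the user's private key, the situation 2.1.2 describes.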

2.2. Automatically detect the API during the scan

2.2.1. Do we have some URL rewrite mechanisms in the current crawler?

3. Gui view

3.1. On asset inventory view

3.1.1. New tab for REST API servers, or the same as websites?

3.1.2. Some specific authentication information

4. List of tests that can be performed on XML/JSON

4.1. SQL injections??

4.1.1. Specific plugin for REST requests (build the HTTP request in a file, then call sqlmap with the -r argument). Create a new story for this.
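What the plugin in 4.1.1 has to produce, as an added example that is not DAVM code: a raw HTTP request file for `sqlmap -r`, with the JSON values to test marked by sqlmap's `*` custom injection point marker. The operation, host and API key value are constructed for illustration.

```python
"""Added example (not DAVM code): turn one REST operation into the raw HTTP
request file that 'sqlmap -r' consumes, marking the values to test with
sqlmap's '*' custom injection point marker.

The operation, host and credentials are constructed for this example.
"""
import json

INJECT_MARKER = "*"   # sqlmap treats '*' inside a -r request file as an injection point


def mark_json_values(obj, keys):
    """Append the marker to every leaf whose key is in `keys`.

    Numbers become strings ("1*"), since JSON cannot carry the marker inside
    a number literal; sqlmap substitutes its payloads at that position.
    """
    if isinstance(obj, dict):
        return {k: (str(v) + INJECT_MARKER if k in keys and not isinstance(v, (dict, list))
                    else mark_json_values(v, keys)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [mark_json_values(v, keys) for v in obj]
    return obj


def sqlmap_request_file(method, host, path, headers, body, inject_keys, query=None):
    """Return the text of a raw HTTP/1.1 request suitable for 'sqlmap -r FILE'."""
    query = query or {}
    target = path
    if query:
        target += "?" + "&".join("%s=%s%s" % (k, v, INJECT_MARKER if k in inject_keys else "")
                                 for k, v in query.items())
    lines = ["%s %s HTTP/1.1" % (method.upper(), target), "Host: %s" % host]
    lines += ["%s: %s" % (k, v) for k, v in headers.items()]   # stored auth goes here
    payload = ""
    if body is not None:
        payload = json.dumps(mark_json_values(body, inject_keys), separators=(",", ":"))
        lines.append("Content-Type: application/json")
        lines.append("Content-Length: %d" % len(payload))
    return "\r\n".join(lines) + "\r\n\r\n" + payload


def sqlmap_argv(request_path, extra=("--batch",)):
    """Command line the plugin would run; --batch suppresses interactive prompts."""
    return ["sqlmap", "-r", request_path, *extra]


if __name__ == "__main__":
    # Constructed operation: a POST with a JSON body and an API key header.
    text = sqlmap_request_file(
        "POST", "api.example.test", "/v1/users",
        {"X-API-Key": "REPLACE_WITH_STORED_KEY"},
        {"name": "a", "age": 1, "prefs": {"lang": "en"}},
        inject_keys={"name", "lang"},
    )
    with open("user_create.req", "w") as fh:
        fh.write(text)
    print(text)
    print(" ".join(sqlmap_argv("user_create.req")))
```

Writing the request to a file rather than passing `-u` and `--data` keeps the method, the JSON body and the authentication headers exactly as the crawler sent them, which is what makes the same plugin usable for any verb the definition document lists.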


4.2.1. Can be used only for SOAP backends; can we adapt it to REST?

4.2.2. Can be adapted to REST backends if we can input XML instead of JSON; to be checked.

4.3. JSON injection?

4.4. NoSQL injections

4.4.1. Seems difficult to integrate in DAVM: it needs a MongoDB instance running on the attacker side, which is really complicated to automate in the security scanner.