Attack considerations
Targeting HTTP-based APIs is really no different from targeting traditional web applications. We have to follow the same basic procedure:
- Identify injection points
- Send unexpected input and observe how the API behaves
- Look for the usual suspects: SQLi, XXE, XSS, command injection, LFI, and RFI
We can use all the tips and tricks we already know to find these issues, with some exceptions.
XSS vulnerabilities in a typical web application are easy to prove. You send the input, the input is reflected to the client as HTML or JavaScript, the browser renders the content, and the code executes.
With web services, the response is typically not rendered, primarily because of the Content-Type header the server sets on the response. This is usually JSON or XML, which most browsers will not render as HTML. I say "most" because, unfortunately, some older browsers may still render the content, ignoring the content type stated by the server and instead sniffing the type from the data in the response.
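The sniffing caveat above is the reason an API response should both declare its type and opt out of sniffing. As an added illustration (not code from the original text), here is a small Python check that inspects a captured response's headers and body and reports why a browser could still end up treating reflected input as HTML; the header names are the standard ones, and the sample responses are constructed.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample responses (headers, body); not captured from any real service.
SAFE_JSON: Tuple[Dict[str, str], str] = (
    {"Content-Type": "application/json; charset=utf-8",
     "X-Content-Type-Options": "nosniff"},
    json.dumps({"name": "<b>reflected</b>"}),
)
SNIFFABLE: Tuple[Dict[str, str], str] = (
    {},  # no Content-Type at all: the browser has to guess
    '{"name": "<b>reflected</b>"}',
)
HTML_TYPED: Tuple[Dict[str, str], str] = (
    {"Content-Type": "text/html"},
    '{"name": "<b>reflected</b>"}',
)

# Media types the text treats as not rendered as HTML by a modern browser.
NON_RENDERING_TYPES = {"application/json", "application/problem+json",
                       "application/xml", "text/xml", "text/plain"}


def media_type(headers: Dict[str, str]) -> str:
    """Return the lowercased media type from Content-Type, or '' if absent."""
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return ct.split(";", 1)[0].strip().lower()


def assess_response(headers: Dict[str, str], body: str) -> List[str]:
    """List the reasons a browser might render this API response as HTML.

    An empty list means the headers rule rendering out."""
    findings: List[str] = []
    mt = media_type(headers)
    nosniff = any(k.lower() == "x-content-type-options"
                  and v.strip().lower() == "nosniff"
                  for k, v in headers.items())
    if not mt:
        findings.append("missing Content-Type: browser will sniff the body")
    elif mt == "text/html":
        findings.append("Content-Type is text/html: reflected input renders as HTML")
    elif mt not in NON_RENDERING_TYPES:
        findings.append(f"unexpected media type {mt}: confirm it is not renderable")
    if not nosniff:
        findings.append("missing X-Content-Type-Options: nosniff")
    # Markup in the body only matters if one of the header problems above exists.
    if "<" in body and findings:
        findings.append("body contains markup that would render if sniffed")
    return findings
```

Run `assess_response(*SNIFFABLE)` against a response captured from the API under test and fix each finding on the server side (explicit Content-Type plus `nosniff`).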
The following...