REST (Representational State Transfer) is an architectural style that can be used to communicate with web services. REST has a lot in common with protocols such as SOAP. It is used as a communication mechanism between two applications, or between an application and an online service. Many mobile web applications communicate with a RESTful API at the backend in order to communicate with the online service.
Differences Between a Web Service and a REST API
Many web services rely on complex communication mechanisms such as SOAP, RPC and CORBA. REST uses the standard HTTP methods for all four CRUD (Create, Read, Update, Delete) operations.
Commonly Used HTTP Methods (Verbs) in REST API
This table lists the commonly used HTTP methods in REST.
Create a resource
Retrieve a resource
Change the state of a resource or update it
Remove or delete a resource
The Challenges of Scanning REST API Interfaces
Unlike RPC and others, REST can be easily consumed and understood by users because of its simple structure. For example, many REST-based web services can provide a response in JSON or XML format. But this same benefit is what makes it very difficult for an automated web vulnerability scanner to crawl and attack.
Lack of Standards for REST
There is no consistent standard for REST API, as there is for WSDL and other similar protocols. Most RESTful web services have their own documentation, useful for developers but useless to automated web vulnerability scanners.
A number of projects aim to standardize the REST API:
Using Parameters in URLs
Another challenge automated scanners encounter when scanning RESTful web services for vulnerabilities is that REST APIs use parameters in URLs.
For example in the HTTP GET request below, 123 is a parameter and not a directory in the web application:
Scanning a RESTful Web Service for Vulnerabilities
There are three ways to scan a RESTful API. Each is outlined below:
- Import a Swagger or WADL definition file manually
- Netsparker can automatically discover a RESTful API during crawling and scan it
- Manually import RAW HTTP request(s)
How to Import the SWAGGER, WADL or WordPress Definition Files Manually
When you import a Swagger, WADL or WordPress REST API definition file, the Netsparker web application security scanner will parse the definition file and create a link for every resource available in the API. To import a Swagger, WADL or WordPress REST API definition file you should:
- Open Netsparker Standard.
- From the Start a New Website or Web Service Scan dialogue box, click Imported Links. The Imported Links options are displayed.
- From the Import From File dropdown, select OpenAPI (formerly Swagger), Web Application Description Language or WordPress REST API. The Import Links dialog is displayed.
- Select the definition file.
- Click Save.
Once the scanner imports all the links and parameters you can see them in the list of Imported Links as seen in the below screenshot.
During the import, URL Rewrite rules will automatically be generated, so that every parameter in the RESTful API is scanned.
When importing a RESTful web service definition file in Netsparker Enterprise the URL Rewrite rules are not shown in the Start a New Scan dialogue, but they will be reported in the Knowledge Base node once the scan is finished.
Authentication and RESTful Web Services
Similar to when scanning other web applications and services, authentication can be configured during the scan from the Authentication section.
How to Automate the Discovery of the RESTful API During Crawling
The Netsparker web application security scanner will automatically import, crawl and scan a REST web service, if it is identified during a scan. Once the scanner identifies the definition file, it will automatically generate the URL Rewrite rules so it can scan all the parameters in the web service.
When the scanner identifies a RESTful API web service during a crawl it will also report it in the Knowledge Base nodes.
How to Import RAW HTTP Request(s) Manually
Note that when using this method the scanner won't automatically generate the URL rewrite rules, hence you have to configure them manually for the scanner to find all the parameters.
In cases where the Swagger or WADL definition files are not available, or the RESTful API cannot be identified during the crawl of a web application, you can import the API's links via RAW HTTP files.
You can capture the HTTP requests via a third party proxy tool such as Fiddler and import them before starting the scan. Below is a list of supported proxy files:
- Burp log files (*.xml)
- Fiddler session archives (*.saz)
- HTTP archive files (*.har)
- Paros log files (*.txt)
The procedure for importing these tools manually is the same as that for importing SWAGGER or WALD. For further information, see How to Import the SWAGGER, WADL or WordPress REST API Definition Files Manually.