RESTful services, web security blind spot
(last updated April 2013)
As a lightweight alternative to SOAP-style web services, RESTful services are fast becoming a leading technology for building mobile application back ends and web 2.0 sites.
At first glance, RESTful web services seem very different from SOAP web services and suspiciously similar to regular web technology: they speak plain HTTP, use URLs and return text. That similarity leads to the notion that RESTful web services can be tested and secured in the same way as a classic web application.
This is a misconception. RESTful services share many of the security challenges of other web services technologies (machine-to-machine access, complex structured payloads, no browser on the client side to enforce anything) but lack the formal structure, such as a WSDL contract, that tools can use to compensate. The attack surface is not where web tools expect it: resources are identified by the combination of HTTP method and URL path, parameters frequently travel as path segments or as fields of a JSON body rather than as query-string or form parameters, and there is usually no link or form on any page that leads to the endpoint. As a result, common pen testing techniques for attack surface detection (crawling links and submitting forms) and fuzzing (mutating query-string and form parameters) largely do not work against them.
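To make the last point concrete, the following Python script is an added example written for this page, not code from the talk. It contrasts what a classic query-string/form parameter extractor sees with what a REST-aware extractor sees on two constructed requests. The host `shop.example`, the paths and the JSON payload are made up; the heuristic for "value-like" path segments (integers, UUIDs, long hex tokens) is an assumption, not a standard.

```python
"""Why a query-string fuzzer sees almost nothing on a RESTful endpoint.

Added example, not from the original talk. Compares a classic form/query-string
parameter extractor against a REST-aware one on two constructed requests.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests (hypothetical host and paths).
CLASSIC_REQUEST = {
    "method": "GET",
    "url": "http://shop.example/order.php?id=5678&user=1234",
    "body": "",
}
REST_REQUEST = {
    "method": "PUT",
    "url": "http://shop.example/api/v1/users/1234/orders/5678",
    "body": '{"status": "shipped", "note": "leave at door"}',
}

# Assumed heuristic: path segments that look like values (integers, UUIDs,
# long hex tokens) are parameters, not resource names.
VALUE_SEGMENT = re.compile(
    r"^(\d+"
    r"|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"|[0-9a-f]{16,})$",
    re.IGNORECASE,
)


def classic_injection_points(request):
    """What a traditional crawler/fuzzer parameterises: query-string
    parameters and form-encoded body fields only."""
    points = []
    parts = urlsplit(request["url"])
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        points.append(("query", name))
    # Only application/x-www-form-urlencoded bodies are understood;
    # a JSON body is opaque to this extractor.
    body = request["body"]
    if body and "=" in body and not body.lstrip().startswith(("{", "[")):
        for name, _ in parse_qsl(body, keep_blank_values=True):
            points.append(("form", name))
    return points


def _flatten_json(obj, prefix=""):
    """Yield a dotted path for every leaf value in a JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten_json(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from _flatten_json(value, f"{prefix}[{idx}]")
    else:
        yield prefix


def rest_injection_points(request):
    """REST-aware extraction: everything the classic extractor finds, plus
    value-like path segments and every leaf of a JSON body."""
    points = list(classic_injection_points(request))
    parts = urlsplit(request["url"])
    for idx, segment in enumerate(parts.path.split("/")):
        if segment and VALUE_SEGMENT.match(segment):
            points.append(("path", f"segment[{idx}]={segment}"))
    body = request["body"].lstrip()
    if body.startswith(("{", "[")):
        try:
            for leaf in _flatten_json(json.loads(body)):
                points.append(("json", leaf))
        except json.JSONDecodeError:
            pass  # malformed body: nothing to parameterise
    return points


if __name__ == "__main__":
    for label, req in (("classic", CLASSIC_REQUEST), ("rest", REST_REQUEST)):
        print(label, req["method"], req["url"])
        print("  classic extractor:", classic_injection_points(req))
        print("  REST-aware extractor:", rest_injection_points(req))
```

On the constructed REST request the classic extractor returns an empty list, so a fuzzer built on it has nothing to mutate, while the REST-aware extractor finds the two identifiers in the path and the two JSON fields. Note that neither extractor discovers the endpoint in the first place; without a contract, the URL and the HTTP verb must come from documentation, client code or traffic capture.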
In a talk about the subject I describe:
- RESTful web services and their use;
- the complexities in protecting them, and common attack vectors specific to REST services;
- the challenges of security testing for RESTful services;
- novel approaches for automated testing of RESTful services.
The talk was first given at the OWASP Israel annual conference in September 2012. I continuously update it to reflect advances in research. The talk was subsequently given at Source Barcelona 2011 and Source Seattle 2012 and at an OWASP Netherlands chapter meeting in 2013.