RESTful services, web security blind spot

Submitted by Ofer Shezaf on 20 November 2011 - 1:40am

(last updated April 2013)

As a lightweight alternative to SOAP-based web services, RESTful services are fast becoming the leading technology for building mobile application back ends and web 2.0 sites.

At first glance, RESTful web services seem very different from SOAP web services and suspiciously similar to regular web applications. That similarity leads to the notion that RESTful web services can be tested and secured in the same way as an ordinary web site.

However, this is a misconception. RESTful services share many of the security challenges of other web services technologies, but lack the formal interface description (a WSDL or equivalent contract) that could compensate for them. In particular, security testing of RESTful services is very challenging: common pen testing techniques for attack surface detection and fuzzing do not work, because the parameters live in URL path segments and in JSON or XML request bodies rather than in HTML forms and query strings, so a crawler finds no links to follow and a fuzzer finds no parameters to mutate.
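To make the attack-surface point concrete, here is an added illustration written for this edit (it is not code from the original post or the talk). It contrasts what a query-string-only scanner sees with what can be inferred by clustering observed REST requests into endpoint templates. The request lines are constructed sample traffic, and the segment classes (integer, UUID, long hex) are assumed identifier shapes; real APIs need more.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of observed requests (method, URL), not real traffic.
# The first five are REST-style: identifiers live in the path, there is no
# query string and nothing for a form-based crawler to follow.
SAMPLE_REQUESTS = [
    ("GET", "/api/v1/users/123"),
    ("GET", "/api/v1/users/456"),
    ("DELETE", "/api/v1/users/456"),
    ("GET", "/api/v1/users/123/orders/1a2b3c4d-1111-2222-3333-444455556666"),
    ("PUT", "/api/v1/users/123/orders/7777aaaa-bbbb-cccc-dddd-eeeeffff0000"),
    ("GET", "/search?q=shoes&page=2"),  # classic web: parameters after '?'
]

# Assumed segment shapes that are almost always resource identifiers rather
# than fixed path components. Extend with your own (base64, slugs, ...).
SEGMENT_CLASSES = [
    ("{int}", re.compile(r"^\d+$")),
    ("{uuid}", re.compile(
        r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)),
    ("{hex}", re.compile(r"^[0-9a-f]{16,}$", re.I)),
]


def query_string_params(url):
    """What a classic scanner treats as injectable: name=value pairs after '?'."""
    return [name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def naive_param_count(requests):
    """Total number of fuzzable parameters a query-string-only scanner would find."""
    return sum(len(query_string_params(url)) for _, url in requests)


def classify_segment(segment):
    """Replace identifier-looking path segments with a placeholder."""
    for placeholder, pattern in SEGMENT_CLASSES:
        if pattern.match(segment):
            return placeholder
    return segment


def path_template(url):
    """Collapse /users/123/orders/<uuid> into /users/{int}/orders/{uuid}."""
    return "/".join(classify_segment(s) for s in urlsplit(url).path.split("/"))


def infer_attack_surface(requests):
    """Group observed requests into endpoint templates.

    Returns {template: {"methods": set, "path_params": int, "query_params": set}}.
    Each placeholder in a template is an injection point that never appears in
    a query string, and each additional method is a separate access-control test.
    """
    surface = {}
    for method, url in requests:
        template = path_template(url)
        entry = surface.setdefault(
            template, {"methods": set(), "path_params": 0, "query_params": set()})
        entry["methods"].add(method)
        entry["path_params"] = template.count("{")
        entry["query_params"].update(query_string_params(url))
    return surface


def total_injection_points(surface):
    """Path placeholders plus query parameters across all inferred endpoints."""
    return sum(e["path_params"] + len(e["query_params"]) for e in surface.values())


if __name__ == "__main__":
    print("query-string-only scanner sees", naive_param_count(SAMPLE_REQUESTS), "parameters")
    surface = infer_attack_surface(SAMPLE_REQUESTS)
    for template, entry in sorted(surface.items()):
        print(f"{template:40s} {sorted(entry['methods'])} "
              f"path params={entry['path_params']} query={sorted(entry['query_params'])}")
    print("inferred injection points:", total_injection_points(surface))
```

On the sample traffic the query-string view finds two parameters, both on the one classic URL, and nothing at all on the REST endpoints; the template view recovers three endpoints, three path-embedded identifiers and a DELETE alongside the GET on the same resource. The lesson is the one the post makes: without a contract, the attack surface of a REST service has to be reconstructed from observed traffic rather than discovered by crawling.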

In my talk on the subject I cover:

  • RESTful web services and how they are used;
  • the complexities in protecting them and the attack vectors specific to REST services;
  • the challenges of security testing RESTful services;
  • novel approaches to automated testing of RESTful services.

The talk was first given at the OWASP Israel annual conference in September 2011, and I keep updating it to reflect advances in research. It was subsequently given at Source Barcelona 2011, at Source Seattle 2012 and at an OWASP Netherlands chapter meeting in 2013.

You can download the presentation (updated April 2013) here or watch the video recorded at Source Seattle in September 2012 here.
