Becoming the Hacker

by Adrian Pruteanu
January 2019
Beginner
404 pages
8h 53m
English
Packt Publishing
Content preview from Becoming the Hacker

Attack considerations

Targeting HTTP-based APIs is really no different from attacking traditional web applications. We follow the same basic procedure:

  • Identify injection points
  • Send unexpected input and observe how the API behaves
  • Look for the usual suspects: SQLi, XXE, XSS, command injection, LFI, and RFI

We can use all the tips and tricks we already know to find these issues, with some exceptions.

XSS vulnerabilities in a typical web application are easy to prove: you send the input, the server reflects it to the client as HTML or JavaScript, the browser renders the response, and the injected code executes.

With web services, the response is typically not rendered, primarily because of the Content-Type header the server sets on the response. This is usually JSON or XML, which ...
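The procedure above, worked as an added example that is not code from the book: a small Python harness sends the usual-suspect payloads to an endpoint and classifies each response, including the Content-Type check that decides whether a reflected payload would actually render in a browser. The fake_api() target, the payload strings, the verdict wording and the error signatures are all constructed for the demonstration; a practitioner swaps fake_api for a sender built on a real HTTP client and extends the signature list for the target's stack.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


# Constructed probe strings, one per "usual suspect" (not from the book).
PAYLOADS = {
    "xss": "<svg/onload=alert(1)>",
    "sqli": "' OR '1'='1",
    "cmdi": "; id #",
    "lfi": "../../../../etc/passwd",
    "xxe": '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]><x>&e;</x>',
}

# Media types a browser renders as a document in which script can run.
RENDERS_AS_HTML = {"text/html", "application/xhtml+xml", "image/svg+xml"}

# Backend error text or leaked file content showing the input reached an
# interpreter or the filesystem (constructed list; extend per target stack).
SIGNATURES = re.compile(r"SQL syntax|syntax error|ORA-\d{5}|uid=\d+\(|root:x:0:0", re.I)


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def media_type(headers: Dict[str, str]) -> str:
    return header(headers, "Content-Type").split(";")[0].strip().lower()


def classify(resp: Response, payload: str) -> str:
    """Heuristic verdict for one payload/response pair; confirm by hand."""
    if SIGNATURES.search(resp.body):
        return "backend signature in response: input reached an interpreter or file"
    mt = media_type(resp.headers)
    nosniff = header(resp.headers, "X-Content-Type-Options").lower() == "nosniff"
    raw = payload in resp.body
    # JSON encoders rewrite quotes as \" and some also emit \u003c for '<';
    # those forms still prove reflection but are inert as HTML.
    js = json.dumps(payload)[1:-1]
    escaped = not raw and any(
        f in resp.body
        for f in (js, js.replace("<", "\\u003c").replace(">", "\\u003e"))
        if f != payload
    )
    if not raw and not escaped:
        return "not reflected"
    if raw and mt in RENDERS_AS_HTML:
        return f"rendered: reflected raw in {mt}, so markup executes"
    if raw and mt == "" and not nosniff:
        return "possible XSS: reflected raw with no Content-Type and no nosniff (browser may sniff HTML)"
    if raw:
        return f"inert: reflected raw in {mt}, not rendered as HTML"
    return f"inert: reflected only in escaped form in {mt or 'untyped'} body"


def probe(send: Callable[[str, str], Response], endpoint: str) -> Dict[str, str]:
    """Send every payload to `endpoint` through `send` and classify each response."""
    return {name: classify(send(endpoint, p), p) for name, p in PAYLOADS.items()}


def fake_api(endpoint: str, value: str) -> Response:
    """Constructed stand-in for a live target; replace with a real HTTP sender."""
    if endpoint == "/api/users":
        # Well-behaved JSON API: echoes input, correct media type, nosniff set.
        body = json.dumps({"query": value, "results": []})
        return Response(200, {"Content-Type": "application/json",
                              "X-Content-Type-Options": "nosniff"}, body)
    if endpoint == "/api/export":
        # Same echo served as HTML: the reflected payload will render.
        return Response(200, {"Content-Type": "text/html; charset=utf-8"},
                        f"<p>Export for {value}</p>")
    if endpoint == "/api/search":
        # Quote-sensitive backend that leaks a database error on a stray quote.
        if "'" in value:
            return Response(500, {"Content-Type": "application/json"},
                            '{"error": "You have an error in your SQL syntax"}')
        return Response(200, {"Content-Type": "application/json"}, json.dumps({"q": value}))
    return Response(404, {"Content-Type": "application/json"}, '{"error": "not found"}')


if __name__ == "__main__":
    for ep in ("/api/users", "/api/export", "/api/search"):
        for name, verdict in probe(fake_api, ep).items():
            print(f"{ep:12} {name:5} {verdict}")
```

The verdicts are starting points, not proof: an "inert" JSON reflection is only inert as long as nothing on the client side inserts that field into the DOM unescaped, and the "possible XSS" case depends on the browser's sniffing rules, so both still need a manual follow-up against the real consumer of the API.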

ISBN: 9781788627962