Siddharth-Bezalwar

15/01/2018

Understanding Stack based buffer overflow


Siddharth-Bezalwar

What is a stack? A stack is a limited-access data structure: elements can be added to and removed from the stack only at the top. It works on the LIFO (last-in, first-out) principle and supports two operations, push and pop. Push adds an item to the top of the stack; pop removes the item at the top of the stack. Now let's examine the memory layout of a C program, especially the stack: its contents and how it changes during a function call and return.

01/12/2017

Tiredful API Solution


Siddharth-Bezalwar

The idea behind the app is to consume its API endpoints with a REST client such as Postman, curl, ARC or the RESTClient Firefox add-on. For the demonstration I am using the RESTClient Firefox add-on. Now, let's get started with the main motto of this post: solutions to the Tiredful API challenges. Solutions. Information Disclosure. The first challenge in the list is "Information Disclosure". From the following image you can see that the API endpoint is /api/v1/books// and that the valid IDs mentioned should be used.

09/10/2017

Authentication schemes in REST API


Siddharth-Bezalwar

In simple terms, authentication is the process of verifying the identity of a user. The process consists of a few simple steps: 1) The user tries to connect to the web service. 2) The web service asks the user for credentials (identity information). 3) The user provides the credentials. 4) The web service verifies the identity of the user by checking the provided credentials and responds accordingly.
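The four steps above, carried out with HTTP Basic authentication, as an added example that is not part of the original post. Client and service are simulated in-process (no network); the realm name, the user "alice" and the password are constructed for the example. The service stores only a salted PBKDF2 hash, compares in constant time, and spends the same hashing cost on unknown users as on wrong passwords so that the response time does not reveal which usernames exist.

```python
"""Challenge/response of HTTP Basic authentication (added example)."""
import base64
import hashlib
import hmac
import os

REALM = "example-api"          # assumed realm name for the challenge
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_db(users):
    """Build a store of (salt, hash) pairs; clear-text passwords are never kept."""
    db = {}
    for name, password in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash_password(password, salt))
    return db


def verify(db, username, password):
    """Step 4: check the supplied credentials against the store."""
    record = db.get(username)
    if record is None:
        _hash_password(password, b"\0" * 16)   # same cost as a real check
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def service(db, headers):
    """The web service side. Returns (status, response headers, body)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge, ""                  # step 2: ask for credentials
    scheme, _, token = auth.partition(" ")
    if scheme != "Basic":
        return 401, challenge, ""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:                             # bad base64 or bad UTF-8
        return 400, {}, "malformed Authorization header"
    username, sep, password = decoded.partition(":")
    if not sep:
        return 400, {}, "malformed Authorization header"
    if not verify(db, username, password):         # step 4: verify and respond
        return 401, challenge, ""
    return 200, {}, f"hello {username}"


def client(db, username, password):
    """The user side: step 1 (connect) and step 3 (send credentials)."""
    status, resp_headers, _ = service(db, {})      # step 1: no credentials yet
    if status != 401 or not resp_headers.get("WWW-Authenticate", "").startswith("Basic"):
        raise RuntimeError("expected a Basic challenge")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return service(db, {"Authorization": f"Basic {token}"})   # step 3


if __name__ == "__main__":
    users = make_user_db({"alice": "s3cret"})   # constructed test user
    print(client(users, "alice", "s3cret"))
    print(client(users, "alice", "wrong"))
```

Basic credentials are only base64-encoded, not encrypted, so in practice this exchange must run over TLS; the example deliberately keeps the transport out of scope to show just the four-step sequence.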

07/07/2017

Beginner’s Guide to RESTful API VAPT – Part 2


Siddharth-Bezalwar

You have got the basic concepts of a REST API and how it is implemented. Now let's get started with the main motto of this post, i.e. how to perform VAPT of a REST API web service and which issues we should be looking for.

Finally, the Guide! REST API VAPT is similar to web application VAPT, since we need to look for the same standard vulnerabilities we look for in a web application, such as SQL injection, broken access control, XSS, CSRF, etc. Apart from these standard vulnerabilities, we also need to look for API-specific vulnerabilities.

Enumeration. Before attacking any web service it is necessary to know where you can start attacking. This can be tricky: finding the attack surface of a web application is easy, as we get a GUI to examine the different form fields, URLs, etc., but for an API we only get the API endpoints. In this stage we need to gather as much information as we can about the API's endpoints, messages, parameters, behaviour and the technologies it is implemented with. The following points help in gathering information about the API endpoints. a) If the client provides API programming documentation or configuration files, analyse them thoroughly: check how user authentication is implemented, check the URL style used, check which standard and non-standard HTTP headers are required to interact with the API service, and analyse the error codes and descriptions to get a clear idea of the valid range of values an API endpoint accepts and of how authentication and authorisation are handled by the web service.
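One way to carry out point a) when the documentation is an OpenAPI 3 document, as an added example that is not code from the original post. The document is constructed for the example (a hypothetical books API); the script reads only standard OpenAPI 3 keys (paths, parameters, security, responses, components.securitySchemes) and turns them into the list a tester wants at the enumeration stage: every method/endpoint pair, the parameters and headers it needs, whether it requires authentication, and the documented error codes.

```python
"""Enumerate a REST API's attack surface from an OpenAPI 3 document (added example)."""
import json

# Constructed OpenAPI 3 document for a hypothetical books API.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"title": "Example books API", "version": "1"},
  "servers": [{"url": "https://api.example.test/api/v1"}],
  "components": {
    "securitySchemes": {
      "token": {"type": "apiKey", "in": "header", "name": "X-Auth-Token"}
    }
  },
  "security": [{"token": []}],
  "paths": {
    "/books/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true,
                      "schema": {"type": "integer", "minimum": 1}}],
      "get": {"responses": {"200": {"description": "a book"},
                            "404": {"description": "unknown id"}}},
      "delete": {"responses": {"204": {"description": "deleted"},
                               "403": {"description": "not the owner"}}}
    },
    "/login": {
      "post": {"security": [],
               "parameters": [{"name": "X-Client-Version", "in": "header",
                               "required": true, "schema": {"type": "string"}}],
               "responses": {"200": {"description": "token"},
                             "401": {"description": "bad credentials"}}}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def enumerate_endpoints(spec):
    """One record per (method, path): parameters, required headers, auth, responses."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    global_security = spec.get("security", [])
    results = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])        # parameters common to all methods
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = shared + op.get("parameters", [])
            security = op.get("security", global_security)   # per-op overrides global
            auth_headers = [schemes[s]["name"] for req in security for s in req
                            if schemes.get(s, {}).get("in") == "header"]
            param_headers = [p["name"] for p in params if p.get("in") == "header"]
            results.append({
                "method": method.upper(),
                "path": path,
                "params": [(p["name"], p.get("in"), p.get("schema", {}).get("type"))
                           for p in params],
                "headers": sorted(set(auth_headers + param_headers)),
                "unauthenticated": security == [],
                "responses": sorted(op.get("responses", {})),
            })
    return results


def report(spec):
    """Flag the endpoints a tester would probe first and why."""
    findings = []
    for ep in enumerate_endpoints(spec):
        where = f"{ep['method']} {ep['path']}"
        if ep["unauthenticated"]:
            findings.append(f"{where}: no authentication required")
        if any(kind == "path" and typ == "integer" for _, kind, typ in ep["params"]):
            findings.append(f"{where}: integer id in path, test IDOR and value range")
        if ep["method"] in {"PUT", "POST", "PATCH", "DELETE"}:
            findings.append(f"{where}: state-changing, test access control and CSRF")
    return findings


if __name__ == "__main__":
    for ep in enumerate_endpoints(SAMPLE_SPEC):
        print(ep)
    for line in report(SAMPLE_SPEC):
        print(line)
```

The same function works unchanged on a real specification loaded with `json.load`; the value is that it makes the per-operation `security` override visible, which is where undocumented unauthenticated endpoints usually hide.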

07/07/2017

Beginner’s Guide to RESTful API VAPT – Part 1


Siddharth-Bezalwar

With more and more web applications being developed on top of web services (RESTful APIs), many web application penetration testers are wondering exactly how to test these web services and what to actually look for. To help explain how to perform VAPT of a REST API, let's take a quick look at the basics of RESTful APIs. What is a RESTful API? Before understanding RESTful APIs, let's take a look at what the term REST actually means. REST stands for REpresentational State Transfer, a style of web architecture that describes six constraints. Uniform Interface
