Secure RESTful Web Services to Mobilize Powerful Website Penetration Testing Tools

Transcription

1 Secure RESTful Web Services to Mobilize Powerful Website Penetration Testing Tools

2 Problem statement Powerful penetration testing cyber security tools and techniques are freely available via OS based distributions. However, there is not a powerful equivalent for mobile only users. Therefore, pen testers have to carry around bulky laptops to do their work.

3 Secure RESTful Web Services with JSON web Tokens We can mobilize these apps using some web services. However, these services need to be secure because of the sensitive nature of the penetration testing data. We can t let the bad guys get the blueprint of how to hack the site.

4 Ten Popular Penetration Testing Software Tools Tool Description Requirements Mobile Compatible Burp Suite Web Application Security Testing Linux, MySQL, > 10 GB Storage NO 1 Hydra Parallelized login cracker Linux > 3 GB NO Clam AV Antivirus and malware scanner Linux, MySQL, > 10 GB Storage NO John the Ripper Brute Force Password Hacker Linux, MySQL, > 10 GB Storage NO Maltego Infrastructure Recon and Reconnaissance Linux, MySQL, > 10 GB Storage NO Metasploit Find and exploit vulnerabilities Linux, MySQL, > 10 GB Storage NO WIG Recon and exploit finding for web apps Linux, MySQL, > 5 GB Storage, python NO SQLMap Find sql injections in web apps Linux > 1 GB NO ZAP OWASP tool to find web application vulnerabilities Linux, MySQL, python > 10 GB NO

5 A very popular architecture for web services is REST. REST stands for representational state transfer and it is built to make it easy for a programmer to tap into resources on a server through a protocol such as HTTP. GET HTTP/1.1 HTTP/ OK Content-Type: application/json { } "site_title": "cyber security pen testing", "id": "1121", "created_date":

6 HTTP/1.1 Content-Type: application/json HTTP-Method: POST Authorization: Bearere yj0exaioijkv1qi.eyjrzxkioi.euiabuikv Making RESTful web services more secure with JSON web tokens. { } "name": "Michael Jones", " ": "mj222@armoredware.com", "phone": "(714) "

7 Creating a Prototype with the following technologies: Python Flask Apache CentOS 7 MongoDB Swift 4 IOS

8 Turning Flask into a secure RESTful server with PyJWT GET { "description": "Request does not contain an access token", "error": "Authorization Required", "status_code": 401 }

9 struct Site: Codable { var user_id: String! var domain: String! var uptime: String! var alerts: String! } guard let url = URL(string: " else { return } print(url) var request = URLRequest(url: url) request.httpmethod = "GET" request.addvalue("jwt \(self.token1!)", forhttpheaderfield: "Authorization") Sending and Receiving the Data on IOS using Swift 4 http requests and Codables let task = session.datatask(with: request){ (data, _, _) in guard let data = data else { return } do{ let json = try JSONSerialization.jsonObject(with: data, options: []) print(json) let adata = try JSONDecoder().decode(Site.self, from: data) self.new1 = adata.user_id print(adata.user_id) //site_details = adata.user_id // DispatchQueue.main.async(){ self.new1 = adata.user_id self.sitearray2 = [adata.user_id, adata.site_url, String(aData.price)] self.pagetemp = adata.pages print("sitea2",self.sitearray2) self.sitetableview.reloaddata() } }catch let jsonerror { DispatchQueue.main.async(){ } print(jsonerror) }

10 Mongo MONGO DB

11 We were able to find that using the techniques described in our experiment, we were successfully able to send back results from our custom scripts, ZAP and WIG pen testing tools that were running on our servers to end users on the IOS mobile app. For the experiment we collected, IP Address, Page Load Speed, Site Title, Server OS, Platform software running on the server, and an array of all of the pages on a website and populate this data into the app for the user to see.

12

13

14

15 Conclusion We can use JSON as our link between powerful server driven applications and lightweight mobile apps in a secure way. In addition, this same approach can be applied to IoT. For example, we could use our RESTful web services, JSON and JWT to run a server based virus scan on IoT smart glasses. This provides security to the device, without the overhead of the antivirus application.

16 References 1. (accessed on April 26th, 2018) 2. (accessed on April 26th, 2018) 3. (accessed on April 26th, 2018) 4. (accessed on April 26th, 2018) 5. (accessed on April 26th, 2018) 6. L Richardson, S Ruby. RESTful web services JH Christensen Using RESTful web-services and cloud computing to create next generation mobile applications 8. M Jones, B Campbell, C Mortimore JSON Web Token (JWT) profile for OAuth 2.0 client authentication and authorization Grants 9. (accessed April 27th, 2018) (accessed April 27th, 2018) (accessed April 27th, 2018) (accessed April 27th, 2018) (accessed April 27th, 2018) (accessed April 27th, 2018) (accessed April 20th, 2018) (accessed April 27th, 2018)