Using DVWS for API Security – SQL Injection

With advancing web technologies, APIs play a crucial part in application architecture. APIs, if not tested properly, can lead to serious security vulnerabilities. DVWS or Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about web services / API-related vulnerabilities.

NOTE: Make sure you use DVWS-node (https://github.com/snoopysecurity/dvws-node), not DVWS ((https://github.com/snoopysecurity/dvws)), because the DVWS project is unsupported now.

Damn Vulnerable Web Sockets (DVWS) is a deliberately vulnerable and insecure web application that works on web sockets for client-server communication. It is written in Javascript and uses MySQL as its backend database. DVWS has several common web application functionalities that have been implemented in web sockets, which differs from typical web application communication. It allows users to put their web socket testing skills, tools, and scripts to the test.

By creating a process organizations can effectively implement vulnerability management will be significantly safer from data breaches and theft. The biggest challenge comes for organizations is to have the correct set of tools to address these issues. Some tools are used because “I have used them before” or ” Someone has used them before” syndrome creeps in, but the question is do those tools suffice or address the present needs or are they required?

In a recent client meeting this issue cropped up vehemently. The client had a senior technical resource who had over 15 years experience in the IT & Telecom Industry. The discussion started with ” Well we want to Test all our purchased applications and devices for Cyber Security and Unknown Vulnerabilities”. The discussion went on a serious note and I started describing the process to the client. We broke the problem into Known and Unknown Vulnerability Management and the client liked the approach when the senior technical resource jumped into and said ” What about generating load and conducting performance and conformance testing and check for security vulnerabilities”?. I stopped and paused, and asked ” What about conformance and performance testing?”, ” What do you wish to do about it?”. Prompt came the reply ” Well how can your tools help us to do that?”. Then I shared with them that this portion of testing is not a part of security testing and part of conformance and performance testing to ensure that if the product OEM says he can handle XGB throughput or data on a particular device or port, those tools would help them to verify if the same meets the said requirements or not, and that unknown vulnerability testing is not related to conformance or performance testing.

After providing with some more examples to the client on the details and after my re-emphasis on the fact that one needs to use those tools to only conduct the performance and conformance testing. The client got the picture and we got into discussing Known Vulnerability Management. Though this topic is heavy and not just limited to testing just applications for known vulnerabilities, it also includes code rot or the decay of software code over time.

Before we move forward let us understand a little about Vulnerability Management. Wikipedia defines this as Vulnerability management is the “cyclical practice of identifying, classifying, remediation, and mitigating vulnerabilities”, especially in software and firmware. Vulnerability management is integral to computer security and network security. (http://en.wikipedia.org/wiki/Vulnerability_management).

Vulnerability management can be defined as an ongoing continuous process which covers Identifying, classifying, remediation and mitigating vulnerabilities. Organization use vulnerability management to defend against the exploitation of vulnerabilities in company applications, software and networks. Network Analyses of all critical elements helps in identifying the key vulnerable elements be they applications or appliances and then testing these network elements/ applications for known as well as unknown or zero-day vulnerabilities. The next step is classifying them and then creating actionable points to address and mitigate these vulnerabilities. In brief ” Vulnerability management can be defined as the cyclical practice of identifying, classifying, remediation, and mitigating vulnerabilities.