Black Hat: No REST for the wicked

From the “more cool session titles” files:

LAS VEGAS — Microsoft hacker (that’s right Microsoft?!)  Bryan Sullivan has got some news for Web Services developers : REST can be a panacea for attackers.

Sullivan’s official title is Security Program Manager on the
Security Development Lifecycle (SDL) team at Microsoft and he spent an hour at Black Hat explaining how REST Web Services could be hacked for Cross Site Request Forgery (CSRF) attacks.

Personally I never really thought of using REST for an attack but it really does make a whole lot of sense since it’s a cross site approach and if it’s not properly secured – you’ve got a problem.

There are a few solutions though Sullivan wasn’t keen on the access control  W3C working draft that could provide a degree of security for REST.

Sullivan however admitted that his company Microsoft actually has a competing proposal for security that is going to be implemented in Internet Explorer 8 called XDR (cross domain requests).

All told though what I surmised is that REST could be a very risky proposition if not properly secured (but then again what isn’t).

News Around the Web