IBM Rational Application Security Insider: Testing RESTful Services with AppScan Standard

An example of scanning a RESTful application with AppScan.

As much as I love SOAP web services (not!), it seems like RESTful web services really caught on and became the de facto standard. These days you see them everywhere: in the cloud, in AJAX or Web 2.0 applications, in mobile applications and so forth.
Unlike SOAP services, RESTful services are lightweight. They are extremely easy to understand and also to develop. Nevertheless, there seem to be a million different definitions as to what they really are, but I think the simplest way to understand them is by using the following four definitions, which I’ve found in this DeveloperWorks article:
RESTful services use HTTP methods explicitly
RESTful services are stateless
RESTful services expose directory structure-like URIs
RESTful services transfer XML, JSON or both
Simple right?
As much as RESTful services are simple for humans to understand, they are actually a nightmare for automated web application scanners. Why? Because classic HTTP requests usually include parameters either in the query or body part of the request. RESTful services, on the other hand, usually pass them as what looks like directories (see rule #3 above). For example, the following HTTP request will return the details for a user named Bob:

http://blog.watchfire.com/wfblog/2012/01/testing-restful-services-with-appscan-standard.html
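The scanner problem described above (parameters hidden in directory-like URIs), as an added Python example that is not from the original post: a scanner that only reads the query string finds no parameter in a RESTful URL, while matching the path against a route template recovers it. The host, paths and the route template are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests (not from the original post): a classic
# query-string request and a RESTful request carrying the same value
# as a path segment.
CLASSIC_URL = "http://example.test/app/user.jsp?name=Bob"
REST_URL = "http://example.test/app/users/Bob"


def classic_parameters(url):
    """Parameters a classic scanner sees: query-string key/value pairs only.

    For a RESTful URL this returns an empty dict, i.e. nothing to test."""
    return dict(parse_qsl(urlsplit(url).query))


def rest_parameters(url, template):
    """Map path segments onto an assumed route template such as
    '/app/users/{name}'. Segments at '{...}' placeholder positions are
    treated as parameters; literal segments must match exactly.

    Returns None when the URL does not fit the template."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    template_segments = [s for s in template.split("/") if s]
    if len(segments) != len(template_segments):
        return None
    params = {}
    for seg, tseg in zip(segments, template_segments):
        if tseg.startswith("{") and tseg.endswith("}"):
            params[tseg[1:-1]] = seg
        elif seg != tseg:
            return None
    return params


if __name__ == "__main__":
    print(classic_parameters(CLASSIC_URL))                    # {'name': 'Bob'}
    print(classic_parameters(REST_URL))                       # {}
    print(rest_parameters(REST_URL, "/app/users/{name}"))     # {'name': 'Bob'}
```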
