SlideShare a Scribd company logo

Secureyourrestapi 140530183606-phpapp02

Download as PPTX, PDF
Subhajit Bhuiya
Subhajit Bhuiya

Api

Technology
1 of 40
Les Hazlewood @lhazlewood Apache Shiro PMC Chair CTO, Stormpath stormpath.com Secure your REST API (the right way)
.com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
HTTP Authentication...
... is all about the headers Learn more at Stormpath.com
1. Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Learn more at Stormpath.com
2. Challenge Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“name” Learn more at Stormpath.com
3. Resubmit Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Learn more at Stormpath.com
Authorization Header Format GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Scheme Name Scheme-specific Value sp Learn more at Stormpath.com
4. Successful Response HTTP/1.1 200 OK Content-Type: application/json ... { “email”: “jsmith@gmail.com”, “givenName”: “Joe”, “surname”: Smith”, ... } Learn more at Stormpath.com
Example: Oauth 1.0a GET /accounts/1234 HTTP/1.1 Host: api.acme.com Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" Learn more at Stormpath.com
Example: Oauth 2 GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Bearer mF_9.B5f-4.1JqM Learn more at Stormpath.com
Example: Oauth 2 MAC GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE=" Learn more at Stormpath.com
Ok, now that’s out of the way • Please avoid Basic Authc if you can. • Favor HMAC-SHA256 digest algorithms over bearer token algorithms • Use Oauth 1.0a or Oauth 2 (preferably MAC) • Only use a custom scheme if you really, really know what you’re doing. Learn more at Stormpath.com
Status Codes Learn more at Stormpath.com
401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com
HTTP Authorization Learn more at Stormpath.com
HTTP Authorization • After authc, perform authz • Filter requests before invoking MVC layer • Blanket security policies • Per-URI customization Learn more at Stormpath.com
HTTP Authorization: OAuth • OAuth is an authorization protocol, NOT an authentication or SSO protocol. • “Can I see User X’s email address please?” NOT: • “I want to authenticate User X w/ this username and password” • People still try to use OAuth for authentication (OpenId Connect) Learn more at Stormpath.com
HTTP Authorization: OAuth • When OAuth 2 is a good fit: • If your REST clients do NOT own the data they are attempting to read • When Oauth 2 isn’t as good of a fit: • If your REST client owns the data it is reading • Could still be fine if you’re willing to incur some additional overhead Learn more at Stormpath.com
HTTP Authorization: JWT • JWT = JSON Web Token • Very new spec, but clean & simple • JWTs can be digitally signed and/or encrypted, and are URL friendly. • Can be used as Bearer Tokens and for SSO Learn more at Stormpath.com
Best Practices Learn more at Stormpath.com
API Keys Learn more at Stormpath.com
API Keys, Not Passwords • Entropy • Independence • Speed • Reduced Exposure • Traceability • Rotation Learn more at Stormpath.com
API Keys cont’d • Authenticate every request • Encrypt API Key secret values at rest. • Avoid Sessions (not RESTful) • Authc every request + no sessions = no XSRF attacks Learn more at Stormpath.com
Identifiers Learn more at Stormpath.com
Identifiers /accounts/x2b4jX3l31uiL Good Not So Good /accounts/1234 Why? Learn more at Stormpath.com
Identifiers • Should be opaque • Secure Random or Random/Time UUID • URL-friendly ‘Base62’ encoding • Avoid sequential numbers: • distribute ID generation load • mitigate fusking attacks Learn more at Stormpath.com
Query Injection Learn more at Stormpath.com
Query Injection Vulnerable URL: foo.com/accounts?acctId=‘ or ‘1’=‘1 String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”; Solution • Use Parameterized Query API (Prepared Statements). • If not available, escape special chars Learn more at Stormpath.com
Redirects and Forwards Learn more at Stormpath.com
Redirects and Forwards • Avoid redirects and forwards if possible • If used, validate the value and ensure authorized for the current user. foo.com/redirect.jsp?url=evil.com foo.com/whatever.jsp?fwd=admin.jsp Learn more at Stormpath.com
TLS Learn more at Stormpath.com
TLS • Use TLS for everything • Once electing to TLS: – Never revert – Never switch back and forth • Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies • Backend/infrastructure connections use TLS too Learn more at Stormpath.com
TLS Cont’d • Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms • Use Cipher Suites w/ Perfect Forward Secrecy! –e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256 • Keep your TLS certificates valid • But beware, TLS isn’t foolproof – App-level encryption + TLS for most secure results Learn more at Stormpath.com
Configuration Learn more at Stormpath.com
Configuration • CI: Security Testing • Security Patches • Regularly scan/audit • Same config in Dev, Prod, QA* – (Docker is great for this!) • Externalize passwords/credentials * Except credentials of course Learn more at Stormpath.com
Storage Learn more at Stormpath.com
Storage • Sensitive data encrypted at rest • Encrypt offsite backups • Strong algorithms/standards • Strong encryption keys and key mgt • Strong password hashing • External key storage • Encrypted file system (e.g. eCryptfs) Learn more at Stormpath.com
Thank You! • les@stormpath.com • Twitter: @lhazlewood • https://stormpath.com Learn more at Stormpath.com
.com • Free for developers • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath.com Learn more at Stormpath.com

Recommended

Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Elegant Rest Design Webinar
Elegant Rest Design WebinarElegant Rest Design Webinar
Elegant Rest Design WebinarStormpath
 
REST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyREST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyStormpath
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 

Recommended

Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Elegant Rest Design Webinar
Elegant Rest Design WebinarElegant Rest Design Webinar
Elegant Rest Design WebinarStormpath
 
REST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyREST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyStormpath
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionBlueinfy Solutions
 
Build a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIBuild a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIStormpath
 
Secure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptSecure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptJonathan LeBlanc
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIsClaire Hunsaker
 
Rest services caching
Rest services cachingRest services caching
Rest services cachingSperasoft
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodann|u - The Open Security Community
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 
Understanding and testing restful web services
Understanding and testing restful web servicesUnderstanding and testing restful web services
Understanding and testing restful web servicesmwinteringham
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Unusual Web Bugs
Unusual Web BugsUnusual Web Bugs
Unusual Web Bugsamiable_indian
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Unicode
UnicodeUnicode
UnicodeRonan Dunne, CEH, SSCP
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Aduci
 
Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access ControlCA API Management
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure RESTguestb2ed5f
 

More Related Content

What's hot

XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionBlueinfy Solutions
 
Build a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIBuild a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIStormpath
 
Secure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptSecure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptJonathan LeBlanc
 
Rest services caching
Rest services cachingRest services caching
Rest services cachingSperasoft
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 
Understanding and testing restful web services
Understanding and testing restful web servicesUnderstanding and testing restful web services
Understanding and testing restful web servicesmwinteringham
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Aduci
 
Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access ControlCA API Management
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
 

What's hot (19)

XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
 
Build a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIBuild a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON API
 
Secure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptSecure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScript
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
Rest services caching
Rest services cachingRest services caching
Rest services caching
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Open source security
Open source securityOpen source security
Open source security
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
 
Understanding and testing restful web services
Understanding and testing restful web servicesUnderstanding and testing restful web services
Understanding and testing restful web services
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Unusual Web Bugs
Unusual Web BugsUnusual Web Bugs
Unusual Web Bugs
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Unicode
UnicodeUnicode
Unicode
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
 
Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access Control
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
 

Similar to Secureyourrestapi 140530183606-phpapp02

REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure RESTguestb2ed5f
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Building Awesome APIs with Lumen
Building Awesome APIs with LumenBuilding Awesome APIs with Lumen
Building Awesome APIs with LumenKit Brennan
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Using Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldUsing Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldGil Fink
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API SecurityTaiseer Joudeh
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Lviv Startup Club
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 

Similar to Secureyourrestapi 140530183606-phpapp02 (20)

REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure REST
 
Api security
Api security Api security
Api security
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application Technologies
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Facebook & Twitter API
Facebook & Twitter APIFacebook & Twitter API
Facebook & Twitter API
 
Building Awesome APIs with Lumen
Building Awesome APIs with LumenBuilding Awesome APIs with Lumen
Building Awesome APIs with Lumen
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
HTTP
HTTPHTTP
HTTP
 
Using Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldUsing Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 World
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API Security
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 

Recently uploaded

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Recently uploaded (20)

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

Secureyourrestapi 140530183606-phpapp02

  • 1. Les Hazlewood @lhazlewood Apache Shiro PMC Chair CTO, Stormpath stormpath.com Secure your REST API (the right way)
  • 2. .com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
  • 4. ... is all about the headers Learn more at Stormpath.com
  • 5. 1. Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Learn more at Stormpath.com
  • 6. 2. Challenge Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“name” Learn more at Stormpath.com
  • 7. 3. Resubmit Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Learn more at Stormpath.com
  • 8. Authorization Header Format GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Scheme Name Scheme-specific Value sp Learn more at Stormpath.com
  • 9. 4. Successful Response HTTP/1.1 200 OK Content-Type: application/json ... { “email”: “jsmith@gmail.com”, “givenName”: “Joe”, “surname”: Smith”, ... } Learn more at Stormpath.com
  • 10. Example: Oauth 1.0a GET /accounts/1234 HTTP/1.1 Host: api.acme.com Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" Learn more at Stormpath.com
  • 11. Example: Oauth 2 GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Bearer mF_9.B5f-4.1JqM Learn more at Stormpath.com
  • 12. Example: Oauth 2 MAC GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE=" Learn more at Stormpath.com
  • 13. Ok, now that’s out of the way • Please avoid Basic Authc if you can. • Favor HMAC-SHA256 digest algorithms over bearer token algorithms • Use Oauth 1.0a or Oauth 2 (preferably MAC) • Only use a custom scheme if you really, really know what you’re doing. Learn more at Stormpath.com
  • 14. Status Codes Learn more at Stormpath.com
  • 15. 401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com
  • 16. HTTP Authorization Learn more at Stormpath.com
  • 17. HTTP Authorization • After authc, perform authz • Filter requests before invoking MVC layer • Blanket security policies • Per-URI customization Learn more at Stormpath.com
  • 18. HTTP Authorization: OAuth • OAuth is an authorization protocol, NOT an authentication or SSO protocol. • “Can I see User X’s email address please?” NOT: • “I want to authenticate User X w/ this username and password” • People still try to use OAuth for authentication (OpenId Connect) Learn more at Stormpath.com
  • 19. HTTP Authorization: OAuth • When OAuth 2 is a good fit: • If your REST clients do NOT own the data they are attempting to read • When Oauth 2 isn’t as good of a fit: • If your REST client owns the data it is reading • Could still be fine if you’re willing to incur some additional overhead Learn more at Stormpath.com
  • 20. HTTP Authorization: JWT • JWT = JSON Web Token • Very new spec, but clean & simple • JWTs can be digitally signed and/or encrypted, and are URL friendly. • Can be used as Bearer Tokens and for SSO Learn more at Stormpath.com
  • 21. Best Practices Learn more at Stormpath.com
  • 22. API Keys Learn more at Stormpath.com
  • 23. API Keys, Not Passwords • Entropy • Independence • Speed • Reduced Exposure • Traceability • Rotation Learn more at Stormpath.com
  • 24. API Keys cont’d • Authenticate every request • Encrypt API Key secret values at rest. • Avoid Sessions (not RESTful) • Authc every request + no sessions = no XSRF attacks Learn more at Stormpath.com
  • 25. Identifiers Learn more at Stormpath.com
  • 27. Identifiers • Should be opaque • Secure Random or Random/Time UUID • URL-friendly ‘Base62’ encoding • Avoid sequential numbers: • distribute ID generation load • mitigate fusking attacks Learn more at Stormpath.com
  • 28. Query Injection Learn more at Stormpath.com
  • 29. Query Injection Vulnerable URL: foo.com/accounts?acctId=‘ or ‘1’=‘1 String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”; Solution • Use Parameterized Query API (Prepared Statements). • If not available, escape special chars Learn more at Stormpath.com
  • 30. Redirects and Forwards Learn more at Stormpath.com
  • 31. Redirects and Forwards • Avoid redirects and forwards if possible • If used, validate the value and ensure authorized for the current user. foo.com/redirect.jsp?url=evil.com foo.com/whatever.jsp?fwd=admin.jsp Learn more at Stormpath.com
  • 32. TLS Learn more at Stormpath.com
  • 33. TLS • Use TLS for everything • Once electing to TLS: – Never revert – Never switch back and forth • Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies • Backend/infrastructure connections use TLS too Learn more at Stormpath.com
  • 34. TLS Cont’d • Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms • Use Cipher Suites w/ Perfect Forward Secrecy! –e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256 • Keep your TLS certificates valid • But beware, TLS isn’t foolproof – App-level encryption + TLS for most secure results Learn more at Stormpath.com
  • 36. Configuration • CI: Security Testing • Security Patches • Regularly scan/audit • Same config in Dev, Prod, QA* – (Docker is great for this!) • Externalize passwords/credentials * Except credentials of course Learn more at Stormpath.com
  • 37. Storage Learn more at Stormpath.com
  • 38. Storage • Sensitive data encrypted at rest • Encrypt offsite backups • Strong algorithms/standards • Strong encryption keys and key mgt • Strong password hashing • External key storage • Encrypted file system (e.g. eCryptfs) Learn more at Stormpath.com
  • 39. Thank You! • les@stormpath.com • Twitter: @lhazlewood • https://stormpath.com Learn more at Stormpath.com
  • 40. .com • Free for developers • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath.com Learn more at Stormpath.com