O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
API Security
learning from a Pentesters POV
API Strategy Workshop March 2015
Dr. Ir. Stefaan Seys, ZIONSECURITY
Who am I
2
 Stefaan Seys
 Security Expert at ZIONSECURITY
 Postdoc researcher at KU Leuven / COSIC
COSIC
Outline
3
 (no exponential graphs on nr of attacks, etc.)
 High level security architecture and objectives
 API securit...
High level API security architecture
End-to-End
Security Components
5
API ServiceConsumer
Threat Protection
Authentication /
Authorization
Logging /
Auditing
S...
Who is the Consumer?
6
API Service
Browser or Browser plug-in
Mobile App
Back-end Service
Not possible to hide
long-term s...
API Security Threats and Prevention
Discovery
8
Public APIs are designed to be used by ‘external’
parties
 Documentation
 API descriptors in standard format...
Swagger example
9
"paths": {
"/pet/{petId}": {
"delete": {
"tags": ["pet"],
"summary": "Deletes a pet",
"description": "",...
“Classic Discovery” in case the API is secret
10
What about just keeping your API secret?
 Local Proxy or network sniffer...
Public API with a secret API key…
11
March 2014
Issue was already reported to them in 2010...
Story
12
 Install the official Android App
 Extract the APK file and install on an emulator
 Use TCPDUMP to listen to t...
What did they do wrong?
13
 They created an API with “useless”, dangerous and
documented features
 Call to get list of a...
Secret API with docs in error message
14
 Basic authentication (over SSL, no cert pinning)
 With static fixed username/p...
Assume your API is public…
Fuzzing and invalid input
16
http://api.openweathermap.org/data/2.5/weather?id=2172797
 Attack vector:
 Replace the id p...
Malicious Input
17
 Attack vector
 Craft malicious input that targets specific message parser,
implementation weakness, ...
Malicious Input
18
 Purpose
 Attempt to put server in insecure state (if lucky)
 Crash server
 Prevention
 Only use p...
(SQL) Injection
19
http://api.openweathermap.org/weather?id=2172797
“SELECT * FROM forecast WHERE locID='” + id +”‘”;
 At...
(SQL) Injection
20
 Purpose
 If used for authentication: get access without credentials
 Dump database
 Clear database...
Cross Site Scripting (XSS)
21
Persistent XSS
API Server
1. Inject malicious
script
 Prevention
 Use context-aware
auto-e...
Cross Site Request Forgery (CSRF)
22
MyFace.com
Authenticated Session
Victim lured to visit attacker’s site
<a href=“https...
Cross Site Request Forgery (CSRF)
23
 Purpose
 Force end-user to execute a state-changing request (as
attacker never see...
CSRF does not apply to APIs…
24
 Normally SOAP and REST API authentication is not
done through a session (cookie)
 Inste...
Authentication and SSL
Authentication
26
 Basic/Digest authentication
 Uses HTTP headers to identify users
 WS-Security SAML and Username Toke...
Username / password ?
27
Apple Celebrity photo hack
 Hidden API to find your phone
 https://fmipmobile.icloud.com/fmipse...
SSL’s Role
28
SSL – The Good
 Secures the actual client authentication; as majority of
web authentication is based on pas...
SSL’s Role
29
SSL – The Bad
 Compatibility -> Complexity -> Vulnerabilities
 For APIs it is also mostly the only crypto ...
How did we get here?
OWASP Top 10 – A History
31
2004 2007 2010 2013
A1 Unvalidated Input A1 Cross Site Scripting (XSS) A1 Injection A1 Injecti...
In Conclusion
Messages to take home
33
 Security is very difficult to get right
 Do not reinvent or worse, “improve” the wheel yoursel...
Questions
34
Thank you!
?
35
36
What’s Up with SSL?
37
 BEAST (2011, CBC padding crypto attack, <TLS1.1)
 RC4 (2013, 223 encryptions required, RC4)
 BR...
Cross Site Scripting (XSS)
38
Reflective XSS
API Server
 Prevention
 Use context-aware
auto-escaping
 When?
Próximos SlideShares
Carregando em…5
×

Web API Security

This presentation gives an impression of the threats you are facing when designing or developing a web API.

  • Entre para ver os comentários

Web API Security

  1. 1. API Security learning from a Pentesters POV API Strategy Workshop March 2015 Dr. Ir. Stefaan Seys, ZIONSECURITY
  2. 2. Who am I 2  Stefaan Seys  Security Expert at ZIONSECURITY  Postdoc researcher at KU Leuven / COSIC COSIC
  3. 3. Outline 3  (no exponential graphs on nr of attacks, etc.)  High level security architecture and objectives  API security threats and prevention  Authentication and SSL/TLS  History revisited  Messages to take home
  4. 4. High level API security architecture
  5. 5. End-to-End Security Components 5 API ServiceConsumer Threat Protection Authentication / Authorization Logging / Auditing Security Analytics Confidentiality Development Access Identity Service Authentication / Authorization Confidentiality Identity Service API Consumption Security API Exposure Security Threat Protection
  6. 6. Who is the Consumer? 6 API Service Browser or Browser plug-in Mobile App Back-end Service Not possible to hide long-term secrets. Very tempting to hide long-term secrets. OK to use long-term secrets.
  7. 7. API Security Threats and Prevention
  8. 8. Discovery 8 Public APIs are designed to be used by ‘external’ parties  Documentation  API descriptors in standard formats  URI-style: Swagger, RAML, API-Blueprint, I/O Docs, etc.  SOAP: WSDL/XML-Schema  Hypermedia: JSON-LD, Siren, Hydra, etc.  This obviously helps in the discovery phase 
  9. 9. Swagger example 9 "paths": { "/pet/{petId}": { "delete": { "tags": ["pet"], "summary": "Deletes a pet", "description": "", "operationId": "deletePet", "produces": ["application/json", "application/xml"], "security": [{ "petstore_auth": ["write:pets", "read:pets"] }] "parameters": [{ "name": "petId", "in": "path", "description": "Pet id to delete", "required": true, "type": "integer", "format": "int64" }], . . . Attack point HTTP method, how does it handle unspecified methods? OAUTH 2: which implementation?, known vulnerabilities? How does it validate tokens? Scopes? Is access validated? Link between user and petId? Are IDs random? Injection? XSS? What if we do not set the “petId”? What if we do not give an int? Or > int64 max size?
  10. 10. “Classic Discovery” in case the API is secret 10 What about just keeping your API secret?  Local Proxy or network sniffer  Guess / brute-force APIs  http://api.*.com/api/v?/*.json
  11. 11. Public API with a secret API key… 11 March 2014 Issue was already reported to them in 2010...
  12. 12. Story 12  Install the official Android App  Extract the APK file and install on an emulator  Use TCPDUMP to listen to traffic from App  Start App, enter garbage at login page  GET /handler.php?CritickerKey=xxxxx&Function=UserSignin&UserName=asdf asdf&Password=6d2dedb5b9e02d466a8d98b4c4398b1d  The Criticker API has a call to get the list of users!  GET handler.php?CritickerKey=xxxxx&Function=AccountUsers  And a call to request the current password! In plaintext!!  GET handler.php?CritickerKey=xxxxx&Function=LookupPassword&UserId=xxx xx
  13. 13. What did they do wrong? 13  They created an API with “useless”, dangerous and documented features  Call to get list of all users?  Call to get password of a any user?  Passwords are stored in plain text on the server  They use plain HTTP (no SSL)  The “key” is sent over the network with every call
  14. 14. Secret API with docs in error message 14  Basic authentication (over SSL, no cert pinning)  With static fixed username/password for all users (embedded in App)  Only ‘authentication’ is the userID  This userID is sequential (not random)  Returns a help file if you send a wrong API request
  15. 15. Assume your API is public…
  16. 16. Fuzzing and invalid input 16 http://api.openweathermap.org/data/2.5/weather?id=2172797  Attack vector:  Replace the id parameter with “randomly” generated value  Purpose:  Get information through error message  Prevention  Ensure generic, consistent and correct error messages that do not reveal any additional information
  17. 17. Malicious Input 17  Attack vector  Craft malicious input that targets specific message parser, implementation weakness, etc.  Vulnerable parser will recursively replace &lol9;  Resulting in a billion ‘lol’s; taking up 3GByte of RAM <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>
  18. 18. Malicious Input 18  Purpose  Attempt to put server in insecure state (if lucky)  Crash server  Prevention  Only use proven parsers  Patch your system  Input validation and sanitation
  19. 19. (SQL) Injection 19 http://api.openweathermap.org/weather?id=2172797 “SELECT * FROM forecast WHERE locID='” + id +”‘”;  Attack Vector  /weather?id=5’%20or%20’1’=’1  SELECT * FROM forecast WHERE locID=‘5’ or ‘1’=‘1’ [xkcd]
  20. 20. (SQL) Injection 20  Purpose  If used for authentication: get access without credentials  Dump database  Clear database  Prevention  Never use String operations to create ‘semi-structured” data objects such as SQL queries, JSON, XML, Xpath, etc.  Use a parameterized API to construct the object instead  If not available: carefully ensure escaping all special characters depending on the syntax of the interpreter
  21. 21. Cross Site Scripting (XSS) 21 Persistent XSS API Server 1. Inject malicious script  Prevention  Use context-aware auto-escaping  When?
  22. 22. Cross Site Request Forgery (CSRF) 22 MyFace.com Authenticated Session Victim lured to visit attacker’s site <a href=“https://www.myface.com/ update.php?relationship=Single%2 0and%20Desperate>Free beer</a> POST
  23. 23. Cross Site Request Forgery (CSRF) 23  Purpose  Force end-user to execute a state-changing request (as attacker never sees response).  Change user’s email address, reset password, transfer funds, …  Prevention  Include a per request random authentication code that is verified on the server (once!)
  24. 24. CSRF does not apply to APIs… 24  Normally SOAP and REST API authentication is not done through a session (cookie)  Instead, every API call contains authentication information  In a URL parameter  In the HTTP header (Oauth)  Part of the XML body (SOAP)  If you stick to these principles and use proper authentication/authorization model, CSRF does not apply.
  25. 25. Authentication and SSL
  26. 26. Authentication 26  Basic/Digest authentication  Uses HTTP headers to identify users  WS-Security SAML and Username Tokens  SOAP/XML based authentication, passes credentials and assertions in SOAP message headers, optionally signed and encrypted  API Key based authentication  each request to an API contains a key uniquely identifying the client  OAuth 1.x/2  HTTP-based interactions and flows that authorize usage of HTTP resources (API, Web, etc). OAuth indirectly includes a step for authentication but makes no claims on how that authentication should be done.  JSON web tokens
  27. 27. Username / password ? 27 Apple Celebrity photo hack  Hidden API to find your phone  https://fmipmobile.icloud.com/fmipservice/device/ <apple_id>/initClient  Basic Authentication through SSL tunnel <apple_id> : <password>  So far so good…  Server does not limit the number of attempts…  Same password for all you i-things on Apple (iCloud)
  28. 28. SSL’s Role 28 SSL – The Good  Secures the actual client authentication; as majority of web authentication is based on passwords/tokens  Compatible with vast amount of clients and servers  ‘Easy’ to set up (hard to do right)  Removes crypto burden from application developers
  29. 29. SSL’s Role 29 SSL – The Bad  Compatibility -> Complexity -> Vulnerabilities  For APIs it is also mostly the only crypto layer  If broken -> huge impact  “But we are using SSL…”: it does not magically make your site secure…  If used with server side certs only, client side authentication is not in scope  Transport layer security -> does not prevent many application layer problems (injection, XSS, etc.)
  30. 30. How did we get here?
  31. 31. OWASP Top 10 – A History 31 2004 2007 2010 2013 A1 Unvalidated Input A1 Cross Site Scripting (XSS) A1 Injection A1 Injection A2 Broken Access Control A2 Injection Flaws A2 Cross Site Scripting (XSS) A2 Broken Authentication and Session Management A3 Broken Authentication and Session Management A3 Malicious File Execution A3 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Cross Site Scripting A4 Insecure Direct Object Reference A4 Insecure Direct Object References A4 Insecure Direct Object References A5 Buffer Overflow A5 Cross Site Request Forgery (CSRF) A5 Cross Site Request Forgery (CSRF) A5 Security Misconfiguration A6 Injection Flaws A6 Information Leakage and Improper Error Handling A6 Security Misconfiguration A6 Sensitive Data Exposure A7 Improper Error Handling A7 Broken Authentication and Session Management A7 Insecure Cryptographic Storage A7 Missing Function Level Access Control A8 Insecure Storage A8 Insecure Cryptographic Storage A8 Failure to Restrict URL Access A8 Cross-Site Request Forgery (CSRF) A9 Application Denial of Service A9 Insecure Communications A9 Insufficient Transport Layer Protection A9 Using Components with Known Vulnerabilities A10 Insecure Configuration Management A10 Failure to Restrict URL Access A10 Unvalidated Redirects and Forwards A10 Unvalidated Redirects and Forwards [Jim DelGrosso]
  32. 32. In Conclusion
  33. 33. Messages to take home 33  Security is very difficult to get right  Do not reinvent or worse, “improve” the wheel yourself  Web API’s suffer more or less from the same general ‘issues’ as web applications  However, API ‘structure’ allows for dedicated security enforcement point  Messaging (Request/Response)  Authentication  Authorization  Tailor (authentication mechanism) to your consumer  Take your SSL setup seriously
  34. 34. Questions 34 Thank you! ?
  35. 35. 35
  36. 36. 36
  37. 37. What’s Up with SSL? 37  BEAST (2011, CBC padding crypto attack, <TLS1.1)  RC4 (2013, 223 encryptions required, RC4)  BREACH (2013, clever crypto attack, universal)  Heartbleed (2014, openssl buffer overread, 1.0.1 to 1.0.1f)  POODLE (2014, ~BEAST, SSL3.0, TLS?)  FREAK (2015, RSA_EXPORT factoring, various)  Who says you can trust root certificates in your browser?  177 root certs in Firefox
  38. 38. Cross Site Scripting (XSS) 38 Reflective XSS API Server  Prevention  Use context-aware auto-escaping  When?

×