Applying security controls on APIs, by Erick Tedeschi

Erick Tedeschi, Secure Development Engineer at Walmart.com, spoke about 'Applying security controls on APIs' at iMasters PHP Experience 2015.

iMasters PHP Experience 2015 took place on 25 April 2015 at the Hotel Renaissance in São Paulo-SP - http://phpexperience.imasters.com.br/

  1. Applying Security Controls on REST APIs
     @ericktedeschi
     Apr 2015
  2. Disclaimer
     Information shared in this presentation does not represent any position or opinions of Walmart Global E-Commerce BR.
  3. Agenda
     • Unauthorized x forbidden status code
     • Rate Limiting / Throttle Control
     • Protecting IDs
     • JWT – Authentication/Authorization
     • Internet Facing Example
     • Internal API Example
  4. Unauthorized x forbidden status code
     Trying to reach a resource with invalid authorization or without authorization.
     "Bro, no matter who you are, I will not respond to you."
     References: http://tools.ietf.org/html/rfc2616#section-10.4.2
  5. Unauthorized x forbidden status code
     Trying to reach a resource with invalid authorization or without authorization.
     "Bro, no matter who you are, I will not respond to you."
     References: http://tools.ietf.org/html/rfc2616#section-10.4.2
  6. Rate Limiting / Throttle Control
  7. Rate Limiting / Throttle Control
     Common Headers Used (Time Window: 1 Hour)
       X-RateLimit-Limit: 500
       X-RateLimit-Remaining: 253
       X-RateLimit-Reset: 1429962300
     RFC 6585 (Additional HTTP Status Codes): 429 Too Many Requests
     References:
       http://tools.ietf.org/html/rfc6585#section-4
       http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers
  8. Rate Limiting / Throttle Control
     "This is a sample code snippet just for a better understanding. In a production environment, please improve it."
     Library used: https://github.com/fustundag/tokenbucket
  9. Rate Limiting / Throttle Control – Recommendations
     • Choose an algorithm (e.g. Token Bucket, Leaky Bucket, your own…)
     • Parameterized (application/API properties.ini)
     • Avoid storage that abuses I/O
       • Good: Hazelcast, Redis, Memcached
       • Bad: Relational SQL, FILE/Session (oh my God)
     • GET may have a different limit when compared to POST, PUT, DELETE
     • Monitoring (SOC – Security Operations Center)
       • Top requesters
       • Average of how many 429s were returned
     References:
       http://tools.ietf.org/html/rfc6585#section-4
       http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers
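The following is an added example in Python, not the talk's own snippet (slide 8 shows a PHP snippet built on fustundag/tokenbucket) and not that library's code. It implements the token-bucket algorithm from slide 9, emits the X-RateLimit-* headers and the 429 status from slide 7, applies a stricter limit to write methods, and counts served 429s as the SOC metric the slide mentions. The limits (500 reads / 100 writes per hour), the in-memory dict standing in for Redis or Memcached, and the injectable clock are assumptions for illustration.

```python
# Added example (not the talk's code, nor the fustundag/tokenbucket library it
# references): a token-bucket limiter emitting the X-RateLimit-* headers and
# 429 from slide 7, with per-method-class limits and a 429 counter (slide 9).
# Limits, window and the in-memory store are assumptions for illustration.
import math
import time

WINDOW_SECONDS = 3600  # slide: time window of 1 hour


class TokenBucket:
    """One bucket per client key; tokens refill continuously at limit/window."""

    def __init__(self, limit, window=WINDOW_SECONDS, clock=time.time):
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so behaviour is testable
        self.tokens = float(limit)    # start full
        self.last = clock()

    def _refill(self):
        now = self.clock()
        gained = (now - self.last) * self.limit / self.window
        self.tokens = min(float(self.limit), self.tokens + gained)
        self.last = now

    def try_consume(self):
        """Spend one token if available; return (allowed, headers)."""
        self._refill()
        allowed = self.tokens >= 1.0
        if allowed:
            self.tokens -= 1.0
        # Seconds until the bucket is full again, reported as an epoch timestamp.
        reset_in = (self.limit - self.tokens) * self.window / self.limit
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(int(self.tokens)),
            "X-RateLimit-Reset": str(int(self.last + reset_in)),
        }
        if not allowed:
            # RFC 6585 allows a Retry-After header alongside 429.
            headers["Retry-After"] = str(
                math.ceil((1.0 - self.tokens) * self.window / self.limit))
        return allowed, headers


class RateLimiter:
    """Keeps a bucket per (client, method class). The dict stands in for the
    low-I/O stores the slide recommends (Redis, Memcached, Hazelcast)."""

    READ_LIMIT = 500    # GET
    WRITE_LIMIT = 100   # POST, PUT, DELETE get a stricter limit (slide 9)

    def __init__(self, clock=time.time):
        self.clock = clock
        self.buckets = {}
        self.rejected = 0   # number of 429s served, a SOC monitoring metric

    def check(self, client_key, method):
        """Return (status, headers) for one request: 200 to proceed, 429 to reject."""
        cls = "read" if method == "GET" else "write"
        limit = self.READ_LIMIT if cls == "read" else self.WRITE_LIMIT
        bucket = self.buckets.setdefault(
            (client_key, cls), TokenBucket(limit, WINDOW_SECONDS, self.clock))
        allowed, headers = bucket.try_consume()
        if not allowed:
            self.rejected += 1
        return (200 if allowed else 429), headers


if __name__ == "__main__":
    limiter = RateLimiter()
    print(limiter.check("client-a", "GET"))
```

Because the refill is computed from elapsed time rather than a scheduled reset, the limiter needs no background job; in a shared store the bucket state (tokens, last) is what would be kept per key, which is why the slide warns against file or relational storage for it.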
  10. Protecting IDs
      Source: http://www.securityinform.com/2014/06/12/gmail-token-vulnerability-could-have-exposed-every-email-addresses-hosted-on-google/
      https://mail.google.com/mail/ mdd-f825a3f2b2-fulano.ciclano%40gmail.com-ccD8J0x6P6JNSLS36vR6Z_sHAb3
  11. Protecting IDs
      "The intent of UUIDs is to enable distributed systems to uniquely identify information without significant central coordination"
      Source: http://en.wikipedia.org/wiki/Universally_unique_identifier
      • Avoid sequential / guessable identification: /api/v1/user/234
      • Use something like UUID instead: /api/v1/user/123e4567-e89b-12d3-a456-426655440000
      • Avoid using sensitive information in query params: /api/v1/customer/phone/551130304040
  12. JOSE – JavaScript Object Signing and Encryption
      JWT: JSON Web Token
      JWA: JSON Web Algorithms
      JWK: JSON Web Key
      JWS: JSON Web Signature (integrity)
      JWE: JSON Web Encryption (confidentiality)
  13. JWT Characteristics
      • Stateless
      • URL-Safe
      • Intended for space constrained environments
        • HTTP Headers (like Authorization)
        • URI Query Parameters
      • Avoid CSRF
      • Flexible
      • Interoperable
  14. JWT - Claims
      • Reserved
        • iss: issuer
        • sub: subject
        • aud: audience
        • exp: expiration time
        • nbf: not before time
        • iat: issued at time
        • jti: jwt id
      • Public: registered at IANA
      • Private: internal use; document them to clients
  15. JWS – Compact Serialization
      eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIuZXhhbXBsZS5jb20iLCJpYXQiOjE0Mjk2NTc0NjUsImV4cCI6MTQyOTY1ODcwOCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoiZXJpY2tAZXhhbXBsZS5jb20iLCJHaXZlbk5hbWUiOiJFcmljayBUZWRlc2NoaSIsIlJvbGVzIjpbInBvc3RzOnJ3IiwiY29tbWVudHM6ciJdfQ.X4iwLqW2Bze2WlTxfn8v1EIqgfCRql6aVYSLpN22HSU
      JOSE Header . Payload . Signature
  16. JWS – Compact Serialization
      JOSE Header:
      {
        "typ": "JWT",
        "alg": "HS256"
      }
      Payload:
      {
        "iss": "issuer.example.com",
        "iat": 1429657465,
        "exp": 1429658708,
        "aud": "www.example.com",
        "sub": "erick@example.com",
        "GivenName": "Erick Tedeschi",
        "Roles": [ "posts:rw", "comments:r" ]
      }
      Signature:
      HmacSha256(base64UrlEncode($header) . "." . base64UrlEncode($payload), "secret");
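The following is an added example in Python, written for this page; it is not the talk's PHP snippet and not code from the lcobucci/jwt or Spomky-Labs/jose libraries the references list. It builds the HS256 compact serialization of slides 15-16, verifies the signature and the reserved claims of slide 14 (aud, exp, nbf), pins the algorithm so the token cannot choose it, and then applies the distinction from slides 4-5: a missing or invalid token yields 401 with a WWW-Authenticate challenge, a valid token whose Roles claim lacks the required role yields 403. The secret "secret", the audience www.example.com and the Roles values are the slide's own sample values; the role check against a Roles list is an assumption about how the talk's private claim is used.

```python
# Added example in Python (not the talk's PHP snippet or the libraries it
# lists): HS256 compact serialization as on slides 15-16, verification of the
# reserved claims from slide 14, and the 401-vs-403 decision from slides 4-5.
# "secret" is the slide's placeholder; aud and Roles are the slide's samples.
import base64
import hashlib
import hmac
import json

SECRET = b"secret"  # placeholder from the slide; load real keys from a secret store


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def jwt_encode(payload: dict, secret: bytes) -> str:
    """header.payload.signature, HMAC-SHA256 over the first two segments."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidToken(Exception):
    pass


def jwt_decode(token: str, secret: bytes, audience: str, now: int) -> dict:
    """Verify signature, then aud/exp/nbf; raise InvalidToken on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("malformed token")
    # The server pins the algorithm; the token must never be allowed to pick it.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("aud") != audience:
        raise InvalidToken("wrong audience")
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise InvalidToken("not yet valid")
    return claims


def authorize(auth_header, required_role, now, secret=SECRET, audience="www.example.com"):
    """Slides 4-5: missing or invalid credentials -> 401 with a challenge;
    a valid identity without the needed role -> 403; otherwise 200."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    try:
        claims = jwt_decode(auth_header[len("Bearer "):], secret, audience, now)
    except InvalidToken as err:
        return 401, {"WWW-Authenticate": f'Bearer realm="api", error="invalid_token", error_description="{err}"'}
    if required_role not in claims.get("Roles", []):
        return 403, {}
    return 200, {"X-Subject": claims.get("sub", "")}
```

The header segment produced for {"typ":"JWT","alg":"HS256"} is the same eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 prefix shown on slide 15; the signature segment will match the slide only if the slide was produced with the same secret and the same JSON spacing, which the talk does not state.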
  17. Session Based Flow
  18. JWT Internet Facing Example
  19. JWT Internet Facing Example
  20. JWT Internet Facing Example
      Diagram: Client → Interwebs → UltraDNS (myapp.com) → Cloud A (US) and Cloud B (BR), each running an App Instance with a Key; same key in both clouds.
  21. JWT Internal API Example
      Application A (Private Key) → Application B (Public Key)
      PAYLOAD
      {
        "iss": "application A",
        "iat": 1429932376,
        "exp": 1429932676, // 5 minutes
        "aud": "application B",
        "jti": "1234567890abcdef",
        "req": {
          "method": "POST",
          "path": "/api/v1/payment/pay",
          "data": hash(data)
        }
      }
      POST /api/v1/payment/pay
      Authorization: Bearer jwtH.jwtP.jwtS
      {'from':'xpto','to':'xyz','amount':66.66}
      JWT Storage: stores jwts until their expiration
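The following is an added example in Python for the receiving side of slide 21, not the talk's own code. It assumes the RS256 signature has already been verified with Application A's public key and shows the checks that remain on the payload: issuer and audience, the request binding (method, path and a SHA-256 hash of the raw body standing in for the slide's hash(data)), and the "JWT Storage" that keeps each jti until its exp so a captured token cannot be replayed. The 5-minute maximum lifetime is an assumed policy derived from the slide's exp comment; the in-memory dict stands in for a shared store.

```python
# Added example (not the talk's code): receiver-side checks for the internal
# API token of slide 21. Signature verification (RS256 with Application A's
# public key in the talk) is assumed to have already passed; what follows binds
# the token to one request and keeps the jti until exp to detect replay.
# MAX_LIFETIME is an assumed policy taken from the slide's "5 minutes" comment.
import hashlib
import hmac

MAX_LIFETIME = 300  # seconds; the slide's tokens live 5 minutes


def body_hash(body: bytes) -> str:
    """The "data": hash(data) claim, here SHA-256 of the raw request body."""
    return hashlib.sha256(body).hexdigest()


class JwtStore:
    """Remembers jti values until their exp (the slide's "JWT Storage").
    A dict stands in for a shared store such as Redis."""

    def __init__(self):
        self.seen = {}

    def purge(self, now: int) -> None:
        """Drop entries whose exp has passed; an expired token fails anyway."""
        self.seen = {jti: exp for jti, exp in self.seen.items() if exp > now}

    def record_once(self, jti: str, exp: int, now: int) -> bool:
        """True the first time a jti is seen before its exp, False on replay."""
        self.purge(now)
        if jti in self.seen:
            return False
        self.seen[jti] = exp
        return True


def verify_request(claims, method, path, body, now, store,
                   expected_aud="application B", trusted_issuers=("application A",)):
    """Return (ok, reason) for a payload whose signature already verified."""
    if claims.get("iss") not in trusted_issuers:
        return False, "untrusted issuer"
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    iat, exp, jti = claims.get("iat"), claims.get("exp"), claims.get("jti")
    if not (isinstance(iat, int) and isinstance(exp, int) and isinstance(jti, str)):
        return False, "missing iat/exp/jti"
    if now >= exp:
        return False, "expired"
    if exp - iat > MAX_LIFETIME:
        return False, "lifetime too long"
    req = claims.get("req") or {}
    if req.get("method") != method or req.get("path") != path:
        return False, "token bound to a different request"
    if not hmac.compare_digest(str(req.get("data", "")), body_hash(body)):
        return False, "body does not match token"
    # Record the jti last, so a request rejected above does not burn its jti.
    if not store.record_once(jti, exp, now):
        return False, "replayed jti"
    return True, "ok"
```

Binding the hash of the body into the signed payload is what makes the bearer token single-purpose: the same Authorization header presented with a different amount, path or method fails before any business logic runs, and the store turns a second presentation of the same jti into a detectable event worth alerting on.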
  22. References
      • JOSE
        • JWT: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
        • JWA: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms
        • JWK: https://tools.ietf.org/html/draft-ietf-jose-json-web-key
        • JWS: https://tools.ietf.org/html/draft-ietf-jose-json-web-signature
        • JWE: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40
      • PHP JWT Libraries
        • https://github.com/lcobucci/jwt (JWS with SharedSecret and RSA)
        • https://github.com/Spomky-Labs/jose (JW{T,A,K,SE} fully supported)
      • Do you want to create your own library? Examples of protecting content using JWT: https://tools.ietf.org/html/draft-ietf-jose-cookbook-08
      • Using JWTs as API Keys
        • https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/
      • http://www.thread-safe.com/2014/05/wt-and-jose-have-won-special-european.html
      • https://securityblog.redhat.com/2015/04/01/jose-json-object-signing-and-encryption/
  23. GET /logout?token=f.i.n.i.s.h
      E-mail: erick@oerick.com
      Twitter: http://twitter.com/ericktedeschi
      LinkedIn: https://www.linkedin.com/in/ericktedeschi
