Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing your REST API

Chris Cornutt
November 08, 2013
Technology
2
190

Securing your REST API

With APIs becoming the de-facto standard for getting things done on the web, it's more important than ever to provide the right kind of security for your application. The options can be overwhelming with things like OAuth, signed queries, shared certificates and token authentication just to name a few. I'll go through these and some of the questions you'll need to ask as you think about protecting your API and the data that lies within.

@ True North PHP 2013

Chris Cornutt

November 08, 2013
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
100
Pentesting for Developers
ccornutt
0
110
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
160
Pieces of Auth
ccornutt
0
300
Securing Legacy Applications
ccornutt
0
460
Build Security In
ccornutt
0
170
Introduction to Slim 3
ccornutt
0
160
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
260

Other Decks in Technology

See All in Technology
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
910
Taming you application's environments
salaboy
0
200
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
300
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
あなたの知らない Function.prototype.toString() の世界
mizdra
PRO
1
190
アジャイルでの品質の進化 Agile in Motion vol.1/20241118 Hiroyuki Sato
shift_evolve
0
180
Engineer Career Talk
lycorp_recruit_jp
0
190
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
180
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
220
複雑なState管理からの脱却
sansantech
PRO
1
160
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
490

Featured

See All Featured
Typedesign – Prime Four
hannesfritz
40
2.4k
GraphQLとの向き合い方2022年版
quramy
43
13k
Fireside Chat
paigeccino
34
3k
Happy Clients
brianwarren
98
6.7k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
KATA
mclloyd
29
14k
Navigating Team Friction
lara
183
14k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Thoughts on Productivity
jonyablonski
67
4.3k
Rails Girls Zürich Keynote
gr2m
94
13k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k

Transcript

  1. Chris Cornutt / @enygma True North PHP 2013 Securing your

    REST API Friday, November 8, 2013

  2. Friday, November 8, 2013

  3. Friday, November 8, 2013

  4. Friday, November 8, 2013

  5. Security is planned. Friday, November 8, 2013

  6. Security is easy to ignore. Friday, November 8, 2013

  7. Security is compromise. Friday, November 8, 2013

  8. Reliability Availability Scalability Friday, November 8, 2013

  9. Auth in Detail Friday, November 8, 2013

  10. HTTP Basic/Digest Friday, November 8, 2013

  11. WWW-Authenticate: Basic realm=”Great White North” HTTP/1.0 401 Unauthorized Authorization: Basic

    username:password <?php $auth = base64_encode($user.’:’.$pass); $header = ‘Authorization: Basic ‘.$auth; ?> Friday, November 8, 2013

  12. WWW-Authenticate: Digest realm=”Great White North”, nonce=”d39175b3e4a2538a01e4afe863092621”, opaque=”ef5b7a6b9f8460ba7c74589a9d7be07c” HTTP/1.0 401 Unauthorized

    Authorization: Digest username=”snowman”, realm=”Great White North”, nonce=”d39175b3e4a2538a01e4afe863092621”, opaque=”ef5b7a6b9f8460ba7c74589a9d7be07c”, uri=”http://foo.com/bar/baz”, response=$response Friday, November 8, 2013

  13. <?php $hash1 = md5($username.’:’.$realm.’:’.$password); $hash2 = md5($requestMethod.’:’.$requestUri); $response = md5($hash1.’:’.$nonce.’:’.$hash2);

    $header = ‘Authorization: Digest ‘ .‘username=”’.$username.’” ’ .‘realm=”’.$realm.’” ‘ .‘nonce=”’.$nonce.’” ‘ .‘opaque=”’.$opaque.’” ‘ .‘uri=”’.$uri.’” ‘ .‘response=”’.$response.’”’; ?> Friday, November 8, 2013

  14. “Security” Use SSL...or don’t use at all Internal sites Friday,

    November 8, 2013

  15. Shared Tokens Friday, November 8, 2013

  16. Trouble to maintain Static, not asymmetric Not encryption Friday, November

    8, 2013

  17. OAuth v2 Friday, November 8, 2013

  18. Friday, November 8, 2013

  19. Burden of identity Complex to implement Authorization, not authentication “Delegation”?

    Friday, November 8, 2013

  20. <?php $oauth = new OAuth($consumerKey, $secretKey); $token = $oauth->getRequestToken( $requestUrl,

    $callbackUrl ); header( ‘Location: ‘.$authorizeUrl .’?token=’.$token[‘oauth_token’] ); ?> Friday, November 8, 2013

  21. Shared Certificates Friday, November 8, 2013

  22. Stronger protection than passwords No private information involved Difficult to

    deploy Friday, November 8, 2013

  23. Not Just Auth Friday, November 8, 2013

  24. Friday, November 8, 2013

  25. Rate Limiting Friday, November 8, 2013

  26. Limit requests/second Types of requests All about time... Friday, November

    8, 2013

  27. Throttling Friday, November 8, 2013

  28. Limit amount of data Slowing them down All about bandwidth...

    Friday, November 8, 2013

  29. Filtering/Escaping Friday, November 8, 2013

  30. Email URL Name Login IP HTML Num Alpha Bool Regex

    Patterns Friday, November 8, 2013

  31. Direct Object Refs Friday, November 8, 2013

  32. OWASP Top 10 A3: Direct Object References Friday, November 8,

    2013

  33. Yours: GET /user/1/link/42 Good guesses: GET /user/1/link/52 PUT /user/1/link/42 Alternative:

    GET /user/[GUID #1]/link/[GUID #2] GET /user/[username] Friday, November 8, 2013

  34. Error Conditions Friday, November 8, 2013

  35. { “success”: false, “error”: { “code”: 8675309 “message”: “Error in

    request”, “url”: “http://oursite.com/error/8675309” } } Friday, November 8, 2013

  36. Good Practices Friday, November 8, 2013

  37. Use HTTPS Friday, November 8, 2013

  38. Prevent leakage Friday, November 8, 2013

  39. Be stateless Friday, November 8, 2013

  40. Auth on resource, not URI Friday, November 8, 2013

  41. Importance of (HTTP) status Friday, November 8, 2013

  42. Use keys, not passwords Friday, November 8, 2013

  43. Signing with hashes Friday, November 8, 2013

  44. <?php $public = ‘1c53048f8bfbd5cced1aa2d1d5cfd788b1e3e71c’; $private = ‘0f079851e936af2075bf40b1d436c287d943c29c’; $signature = hash_hmac(

    ‘sha256’, $response.time(), $private ); $headers[] = ‘X-Auth-Public: ’.$public; $headers[] = ‘X-Auth-Signature: ‘.$signature; ?> Friday, November 8, 2013

  45. Method permissioning Friday, November 8, 2013

  46. Secure input parsing Friday, November 8, 2013

  47. <!DOCTYPE root [ <!ENTITY one “one”> <!ENTITY two “&one;&one;&one;&one;”> <!ENTITY

    three “&two;&two;&two;&two;”> ]> <test> <testing>&three;</testing> </test> Friday, November 8, 2013

  48. Think Simple Friday, November 8, 2013

  49. Friday, November 8, 2013

  50. Thanks! Questions/Comments? @enygma http://websec.io Friday, November 8, 2013