Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing your REST API

Chris Cornutt
November 08, 2013
Technology
2
190

Securing your REST API

With APIs becoming the de-facto standard for getting things done on the web, it's more important than ever to provide the right kind of security for your application. The options can be overwhelming with things like OAuth, signed queries, shared certificates and token authentication just to name a few. I'll go through these and some of the questions you'll need to ask as you think about protecting your API and the data that lies within.

@ True North PHP 2013

Chris Cornutt

November 08, 2013
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
99
Pentesting for Developers
ccornutt
0
110
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
300
Securing Legacy Applications
ccornutt
0
460
Build Security In
ccornutt
0
170
Introduction to Slim 3
ccornutt
0
150
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
260

Other Decks in Technology

See All in Technology
大規模データ基盤チームのオンプレTiDB運用への挑戦 / dpu-tidb
cyberagentdevelopers
PRO
1
110
とあるユーザー企業におけるリスクベースで考えるセキュリティ業務のお話し
4su_para
3
320
生成AIと知識グラフの相互利用に基づく文書解析
koujikozaki
1
140
AWS re:Inventを徹底的に楽しむためのTips / Tips for thoroughly enjoying AWS re:Invent
yuj1osm
1
560
신뢰할 수 있는 AI 검색 엔진을 만들기 위한 Liner의 여정
huffon
0
340
20241031_AWS_生成AIハッカソン_GenMuck
tsumita
0
110
新R25、乃木坂46 Mobileなどのファンビジネスを支えるマルチテナンシーなプラットフォームの全体像 / cam-multi-cloud
cyberagentdevelopers
PRO
1
130
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
730
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
27
12k
Amazon FSx for NetApp ONTAPを利用するにあたっての要件整理と設計のポイント
non97
1
160
ユーザーの購買行動モデリングとその分析 / dsc-purchase-analysis
cyberagentdevelopers
PRO
2
100
10分でわかるfreeeのQA
freee
1
3.4k

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Designing for Performance
lara
604
68k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Bash Introduction
62gerente
608
210k
How to Think Like a Performance Engineer
csswizardry
19
1.1k
Code Review Best Practice
trishagee
64
17k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Typedesign – Prime Four
hannesfritz
39
2.4k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k

Transcript

  1. Chris Cornutt / @enygma True North PHP 2013 Securing your

    REST API Friday, November 8, 2013

  2. Friday, November 8, 2013

  3. Friday, November 8, 2013

  4. Friday, November 8, 2013

  5. Security is planned. Friday, November 8, 2013

  6. Security is easy to ignore. Friday, November 8, 2013

  7. Security is compromise. Friday, November 8, 2013

  8. Reliability Availability Scalability Friday, November 8, 2013

  9. Auth in Detail Friday, November 8, 2013

  10. HTTP Basic/Digest Friday, November 8, 2013

  11. WWW-Authenticate: Basic realm=”Great White North” HTTP/1.0 401 Unauthorized Authorization: Basic

    username:password <?php $auth = base64_encode($user.’:’.$pass); $header = ‘Authorization: Basic ‘.$auth; ?> Friday, November 8, 2013

  12. WWW-Authenticate: Digest realm=”Great White North”, nonce=”d39175b3e4a2538a01e4afe863092621”, opaque=”ef5b7a6b9f8460ba7c74589a9d7be07c” HTTP/1.0 401 Unauthorized

    Authorization: Digest username=”snowman”, realm=”Great White North”, nonce=”d39175b3e4a2538a01e4afe863092621”, opaque=”ef5b7a6b9f8460ba7c74589a9d7be07c”, uri=”http://foo.com/bar/baz”, response=$response Friday, November 8, 2013

  13. <?php $hash1 = md5($username.’:’.$realm.’:’.$password); $hash2 = md5($requestMethod.’:’.$requestUri); $response = md5($hash1.’:’.$nonce.’:’.$hash2);

    $header = ‘Authorization: Digest ‘ .‘username=”’.$username.’” ’ .‘realm=”’.$realm.’” ‘ .‘nonce=”’.$nonce.’” ‘ .‘opaque=”’.$opaque.’” ‘ .‘uri=”’.$uri.’” ‘ .‘response=”’.$response.’”’; ?> Friday, November 8, 2013

  14. “Security” Use SSL...or don’t use at all Internal sites Friday,

    November 8, 2013

  15. Shared Tokens Friday, November 8, 2013

  16. Trouble to maintain Static, not asymmetric Not encryption Friday, November

    8, 2013

  17. OAuth v2 Friday, November 8, 2013

  18. Friday, November 8, 2013

  19. Burden of identity Complex to implement Authorization, not authentication “Delegation”?

    Friday, November 8, 2013

  20. <?php $oauth = new OAuth($consumerKey, $secretKey); $token = $oauth->getRequestToken( $requestUrl,

    $callbackUrl ); header( ‘Location: ‘.$authorizeUrl .’?token=’.$token[‘oauth_token’] ); ?> Friday, November 8, 2013

  21. Shared Certificates Friday, November 8, 2013

  22. Stronger protection than passwords No private information involved Difficult to

    deploy Friday, November 8, 2013

  23. Not Just Auth Friday, November 8, 2013

  24. Friday, November 8, 2013

  25. Rate Limiting Friday, November 8, 2013

  26. Limit requests/second Types of requests All about time... Friday, November

    8, 2013

  27. Throttling Friday, November 8, 2013

  28. Limit amount of data Slowing them down All about bandwidth...

    Friday, November 8, 2013

  29. Filtering/Escaping Friday, November 8, 2013

  30. Email URL Name Login IP HTML Num Alpha Bool Regex

    Patterns Friday, November 8, 2013

  31. Direct Object Refs Friday, November 8, 2013

  32. OWASP Top 10 A3: Direct Object References Friday, November 8,

    2013

  33. Yours: GET /user/1/link/42 Good guesses: GET /user/1/link/52 PUT /user/1/link/42 Alternative:

    GET /user/[GUID #1]/link/[GUID #2] GET /user/[username] Friday, November 8, 2013

  34. Error Conditions Friday, November 8, 2013

  35. { “success”: false, “error”: { “code”: 8675309 “message”: “Error in

    request”, “url”: “http://oursite.com/error/8675309” } } Friday, November 8, 2013

  36. Good Practices Friday, November 8, 2013

  37. Use HTTPS Friday, November 8, 2013

  38. Prevent leakage Friday, November 8, 2013

  39. Be stateless Friday, November 8, 2013

  40. Auth on resource, not URI Friday, November 8, 2013

  41. Importance of (HTTP) status Friday, November 8, 2013

  42. Use keys, not passwords Friday, November 8, 2013

  43. Signing with hashes Friday, November 8, 2013

  44. <?php $public = ‘1c53048f8bfbd5cced1aa2d1d5cfd788b1e3e71c’; $private = ‘0f079851e936af2075bf40b1d436c287d943c29c’; $signature = hash_hmac(

    ‘sha256’, $response.time(), $private ); $headers[] = ‘X-Auth-Public: ’.$public; $headers[] = ‘X-Auth-Signature: ‘.$signature; ?> Friday, November 8, 2013

  45. Method permissioning Friday, November 8, 2013

  46. Secure input parsing Friday, November 8, 2013

  47. <!DOCTYPE root [ <!ENTITY one “one”> <!ENTITY two “&one;&one;&one;&one;”> <!ENTITY

    three “&two;&two;&two;&two;”> ]> <test> <testing>&three;</testing> </test> Friday, November 8, 2013

  48. Think Simple Friday, November 8, 2013

  49. Friday, November 8, 2013

  50. Thanks! Questions/Comments? @enygma http://websec.io Friday, November 8, 2013