ZendCon 2018: Securing web services

Amrita Jain

October 17, 2018
Transcript

  1. SECURING WEB SERVICES BY AMRITA JAIN
     Securing Web Services: Fundamentals, Lessons Learnt, Common Vulnerabilities and Security Strategies
     Presented by: Amrita Jain, Director, Digital Technologies, Beachbody, LLC.
  2. Talk Agenda
     Motivation
     Web Security Fundamentals
     Industry Examples
     Lessons Learnt
     Comprehensive Security Strategy
     Q & A
  3. Motivation
     "There are two types of companies: those that have been hacked and those that don't know they have been hacked." (John Chambers)
  4. Increase in Cyber Attacks
     Ref: https://www.mercatus.org/publication/federal-cybersecurity-breaches-mount-despite-increased-spending, https://digitalguardian.com/blog/history-data-breaches, https://trendsmena.com/management-marketing/16-67-middle-east-data-breaches-2016-compared-2015, https://www.equifaxsecurity2017.com/
  5. Similar Trends in API Security
     Breach | Reason | Source
     Snapchat | No authentication, no rate-limit | Gibson Security
     Facebook Graph API | Improper authorization check; users can delete other users' photos | Programmable Web
     IRS | Get Transcript API | IRS
     Instagram | Passwords stolen | Daily Dot
     Tesla Model S | Dictionary attack on password | Security Affairs
     Nissan Leaf | VIN number as security credential on API | TroyHunt
     T-Mobile | No validation of access token | Motherboard
     WordPress REST APIs | Allowed unauthenticated access | csoonline.com
     Buffer | Compromised third-party password; OAuth secret in GitHub | Programmable Web
     Ref: https://apigee.com/about/blog; https://www.csoonline.com/article/3176028/data-breach/february-2017-the-month-in-hacks-and-breaches.html; https://www.programmableweb.com/news/facebook-fixes-huge-api-security-vulnerability/2014/07/15
  6. Personal Experience
     Access Restricted Data: Observed that the entire database of content could be easily downloaded by incrementing ids for a well-known financial blog website.
     Been Hacked: WordPress personal site got hacked because of generous file permissions.
     Reverse Engineering: HTTP proxy/monitoring tools make it very easy to reverse engineer native apps.
     Access Restricted Content: Observed that all songs (mp3 files) could be downloaded via the API for a popular subscription-based Indian music app.
  7. General Mindset: Not Today
     My company is too small and it won't happen to me.
     Why spend time and money on a problem we don't have?
     Get the product out now and deal with security in v2.
  8. API Security Fundamentals
     "Excellence is achieved by mastery of fundamentals." (Vince Lombardi)
  9. API Security Objectives
     CIA Principle: Confidentiality, integrity, and availability are the three key factors used in benchmarking security systems.
     Design Patterns Covered: the patterns address the following security properties:
     1. Authentication: Validating identity (something you know, are, have)
     2. Authorization: Validating actions
     3. Availability: Protecting itself from threats
     4. Auditing: Addressing the threats proactively and reactively
     This facilitates choosing/implementing the right strategy.
  10. Basic Authentication
      1. Simplest method for enforcing access.
      2. Client adds an HTTP header with credentials encoded in base64 (note: not encrypted).
      3. API keys are best for two things: identification and analytics.
      4. Used by JIRA, WordPress.
      Example request:
      GET / HTTP/1.1
      Host: example.org
      Authorization: Basic Zm9vOmJhcg==
  11. Not Very Secure
      01 Simplicity: Simple to implement; Better performance
      02 Secrets Storage: Easily exposed; Vulnerable to man-in-the-middle attack
      03 Granularity: All or none access; Insufficient
  12. OAuth 2.0: An API access delegation protocol
      Hotel check-in analogy:
      Present proof of identity via driver's license and provide a credit card.
      Validate identity: Use that to confirm who you are and look up your reservation, account information etc.
      Issues Keycard: Once validated successfully, they issue a keycard.
      Access to Room: The keycard has information encoded which lets you into your room only.
      Access to Amenities: Also gives access to pool, gym etc.
  13. OAuth 2.0: Implementation
      RFC | API Endpoint | Purpose
      RFC 6749 (OAuth Core) | /authorize | To obtain a code if access is granted.
      RFC 6749 (OAuth Core) | /token | Issues an access token.
      RFC 7009 | /revoke | Revocation of access/refresh tokens.
      RFC 7662 | /introspect | Exposes metadata for a token.
      RFC 7591 | /register | Spec for registering a client dynamically.
      RFC 6750 | Authorization: Bearer mF_9.B5fM | Bearer tokens to access APIs.
      RFC 7636 | Discussed later | Proof Key for Code Exchange by OAuth Public Clients.
  14. OpenID Connect
      • Identity layer on top of OAuth
      • Sharing user information
      • Decentralized SSO scenarios
      • Encoded using a secure JSON Web Token
  15. JSON Web Token (JWT)
      • JWT is commonly used to provide structure to tokens.
      • Can be used to prove the authenticity of the source of data.
      data = base64urlEncode(header) + "." + base64urlEncode(payload)
      signature = HMAC(data, secret)   // the signing input is exactly header.payload; e.g. HMAC-SHA256 for alg HS256
      JWT = data + "." + base64urlEncode(signature)
  16. JSON Web Token (JWT)
      Pros:
      a. Less overhead and decentralized verification.
      b. Adopted widely.
      Cons:
      a. The secret can be compromised.
      b. Added complexity in client-side implementation.
      Ref: https://jwt.io
  17. Threat Modeling
      STRIDE is a popular technique to identify threats associated with a system in a methodical manner.
      Security Property | Threat
      Authentication | Spoofing
      Integrity | Tampering
      Nonrepudiation | Repudiation
      Confidentiality | Information disclosure
      Availability | Denial of Service
      Authorization | Escalation of privileges
      Ref: Threat Modeling: Designing for Security, 1st Edition, by Adam Shostack
  18. Industry Examples
      "If you wish to make an apple pie from scratch, you must first invent the universe." (Carl Sagan)
  19. Putting it all together: Facebook
      Analysis of Facebook's Graph API security model that leverages OAuth 2.0.
      Participants (sequence diagram): Web Browser, Application, Auth Server, Content Server.
      Messages shown: Request; FB Authorization Code; FB Authorization Code; Access Token; Access Token + Request for protected resource; Protected resource (returned by the Content Server and relayed back through the Application to the Web Browser).
  20. Putting it all together: Facebook
      Analysis of Facebook's Graph API security model that leverages OAuth 2.0 (failure path).
      Participants (sequence diagram): Web Browser, Application, Auth Server, Content Server.
      Messages shown: Request; FB Authorization Code; FB Authorization Code; Not authorized; Resource: Not available (relayed back through the Application to the Web Browser).
  21. Securing Server-side calls: appsecret_proof
      The app secret proof is an HMAC-SHA256 of your access token, keyed with the app secret:
      $appsecret_proof = hash_hmac('sha256', $access_token, $app_secret);
      Facebook API call to get Facebook user details:
      https://graph.facebook.com/v2.2/me?access_token=EAACPRRovJsoBAMFjS9KMLYz2p9CPy6A1&appsecret_proof=43bb024d&fields=name%2Cfirst_name%2Clast_name%2Cemail%2Clink%2Cgender%2Clocale%2Cpicture
      Ref: https://developers.facebook.com/docs/facebook-login/security#checklist
  22. OpenID Connect: Google
      Step: Obtaining Authorization Code
      Request: https://accounts.google.com/o/oauth2/authorize?scope=openid email&state=mystate&redirect_uri=https://mycallback.com&response_type=code&client_id=825249835659-te8qgl701kgonnomnp4sqv7erhu1211s.apps.googleusercontent.com&approval_prompt=force
      Response: https://mycallback.com/?state=mystate&code=4/dlfuPEHWG8QU9MaJN8vCSEpTzuYo.YlcCVmKswV4SXE-sT2ZLcbQrzK7PiQI
  23. OpenID Connect: Google
      Step: Obtaining Access Token
      Request:
      curl https://accounts.google.com/o/oauth2/token -X POST -d "grant_type=authorization_code&code=4/dlfuPEHWG8QU9MaJN8vCSEpTzuYo.YlcCVmKswV4SXE-sT2ZLcbQrzK7PiQI&client_id=825249835659-te8qgl701kgonnomnp4sqv7erhu1211s.apps.googleusercontent.com&client_secret=jNjXE0D922mmcFopsjJJXNJc&redirect_uri=https://mycallback.com"
      Response:
      { "access_token":"ya29.1.AADtN_WY1SHPAYomlwrc", "token_type":"Bearer", "expires_in":3600, "id_token":"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJleHAiOjE2NjI3MTYyMzAsImF6cCI6Ik5KMExYY2ZkT1cyM.EV2RD…" }
  27. OpenID Connect: Google
      Step: Obtaining Access Token (same token request as in step 23; the id_token is shown decoded)
      Response:
      { "access_token":"ya29.1.AADtN_WY1SHPAYomlwrc", "token_type":"Bearer", "expires_in":3600, "id_token": { "id":"104063262361625904", "email":"[email protected]", "verified_email":true, "name":"ZendCon", "given_name":"zcoe", "locale":"en" } }
  28. Case Study: LinkedIn
      1. Login sets a cookie for the auth token.
      2. Valid for 30 minutes from time of login.
      3. Auth token is passed into subsequent requests.
      4. nc/x-udid = nonce to assist auditing.
      5. Protection against CSRF.
  29. Lessons Learnt
      "For those who do not learn are doomed to repeat it." (George Santayana)
  30. Lesson 1: Security First Approach
      Problem: Microservice Heterogeneity
      1. Different security mechanisms per microservice.
      2. Adds complexity on the client-side code.
      Solution: Dedicated Trust Server
  31. Takeaway: Dedicated Trust Server
      Pros:
      • Handles all abstractions for security mechanisms.
      • Enforces best practices.
      Tradeoffs:
      • Gatekeeper for every request to every microservice API.
      • Needs minimal RTT response times and must scale.
      • Must be heavily monitored, with failover capability.
      High ROI: Foundation for new microservices.
  32. Lesson 2: Security comes at a cost (Psychological Acceptability; Usability in Security)
      Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.
      • It is the users that bear the cost.
      • A good security mechanism is the right balance between security and user comfort.
  33. Takeaway: Hierarchical Security Model
      1. Identify the sensitivity of the data exposed via the API.
         1. PCI: Credit card, personal, financial or medical information of a user
         2. PII: Content generated by the user, not shared publicly
         3. Publicly known information
      2. Analyze traffic patterns.
         1. High traffic.
         2. Low-medium traffic.
      Data class | High Traffic | Low Traffic
      PCI | Tier 2 | Tier 1
      User Specific Content | Tier 2 | Tier 1
      Publicly Known | Tier 3 | Tier 2
  34. Takeaway: Hierarchical Security Model
      1. Token Lifetime: How long an access token is valid for.
      2. ReadWrite Scope: Defines which methods are allowed.
      3. Failure Threshold: Bypass if the dedicated trust server doesn't respond within the threshold.
      Tier (Tier 1 most secure, Tier 3 least secure) | Token Lifetime | ReadWrite Scope | Failure Threshold
      Tier 1 | One-time | Read-write | 60s
      Tier 2 | One-time | Read-only | 300s
      Tier 3 | 24 hours | Read-only | 100ms
  35. Lesson 3: Reverse Engineering Secrets
      1. Client secrets are statically stored in the app.
         § Online tool that looks for secrets: https://android.fallible.co/#
         § Used for obtaining the initial access token, refreshing tokens (or for every call)
      2. Leverage code obfuscators: not granular enough.
  37. Takeaway: Implementing PKCE
      1. Mitigates the need to store client secrets (RFC 7636).
      2. Extension for OAuth 2.
      3. CodeVerifier is a high-entropy random string.
      4. CodeChallenge is the CodeVerifier transformed using the ChallengeMethod.
      5. Used the plain challenge method to handle backwards compatibility.
      Example: CodeVerifier = abc, ChallengeMethod = sha256, CodeChallenge = sha256(abc)
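PKCE as described on the "Implementing PKCE" slides, as an added Python example (not the speaker's code): verifier generation, both challenge methods (RFC 7636 names the hashed method S256; the slide calls it sha256) and the check the authorization server performs at the token endpoint. It assumes the challenge and method were stored alongside the authorization code at /authorize.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not the speaker's code; the server-side storage of the challenge is assumed.
def b64url(raw):
    # base64url without padding, as RFC 7636 requires for the S256 challenge.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes=32):
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length.
    return secrets.token_urlsafe(nbytes)

def make_code_challenge(verifier, method="S256"):
    # The client sends the challenge with the authorization request and keeps the verifier.
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # 'plain' sends the verifier itself, so anyone who sees the authorization
        # request also sees the verifier; keep it only for clients that cannot hash.
        return verifier
    raise ValueError("unsupported code_challenge_method: " + method)

def verify_code_verifier(stored_challenge, stored_method, presented_verifier):
    # Authorization server side: recompute the challenge from the verifier presented
    # at /token and compare it with the one saved with the code at /authorize.
    if not 43 <= len(presented_verifier) <= 128:
        return False
    try:
        recomputed = make_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    # Constant-time comparison; both values are ASCII strings.
    return hmac.compare_digest(recomputed, stored_challenge)

def pkce_round_trip(method="S256"):
    # Client and server halves of one exchange; True when the code exchange would succeed.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, method)        # sent with /authorize
    return verify_code_verifier(challenge, method, verifier)  # checked at /token
```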
  38. Takeaway: Overall Security Model
      1. All lessons learnt lead us to this comprehensive security model.
      2. Adopted the simplified OAuth 2.0 flow with OpenID Connect.
      3. Dedicated Trust Server introduces abstraction.
      4. Dynamic Secret Sharing ensured authenticity of the client apps.
      5. Rate limiting and monitoring usage by each client.
  39. Takeaway: Overall Security Model
      Participants (sequence diagram): User, App, Server, Auth Server, API.
      Messages shown: Generates Code Verifier; Authorization Request + CodeChallenge + ChallengeMethod; Request; OIDC Auth Request; ID Token + Access Token; Auth Code.
  40. Takeaway: Overall Security Model: Success
      Participants (sequence diagram): User, App, Server, Auth Server, API.
      Messages shown: Access Token + Code Verifier; Validate Token + Code Verifier; Response: OK; API Resource; Response.
  41. Takeaway: Overall Security Model: Error
      Participants (sequence diagram): User, App, Server, Auth Server, API.
      Messages shown: Access Token + Code Verifier; Validate Token + Code Verifier; Auth Error; Auth Error; Response: Error.
  42. To Conclude…
      "Hey! Let's be safe out there." (Source: Hill Street Blues; Speaker: Sergeant P. Esterhaus)
  43. Conclusion
      § It is always worth spending time and energy on security.
      § Choosing the right security protocol and combining it with the right data protection techniques is the key to a secure web service.
      § It's a constant battle.
  44. Thank you! @amritajain973
      https://joind.in/talk/3dbda
      Currently @ Glassdoor and hiring!