
Securing your REST API

Chris Cornutt
November 08, 2013


With APIs becoming the de facto standard for getting things done on the web, it's more important than ever to provide the right kind of security for your application. The options can be overwhelming, with things like OAuth, signed queries, shared certificates and token authentication, just to name a few. I'll go through these and some of the questions you'll need to ask as you think about protecting your API and the data that lies within.

@ True North PHP 2013


Transcript

  1. Chris Cornutt / @enygma - True North PHP 2013 - Securing your REST API - Friday, November 8, 2013

  5. Security is planned.

  6. Security is easy to ignore.

  7. Security is compromise.

  8. Reliability
     Availability
     Scalability

  9. Auth in Detail

  10. HTTP Basic/Digest

  11. HTTP/1.0 401 Unauthorized
     WWW-Authenticate: Basic realm="Great White North"

     Authorization: Basic <base64 of username:password>

     <?php
     // Client side. base64 is an encoding, not encryption: the password is
     // readable by anyone on the path, so Basic is only acceptable over TLS.
     $auth = base64_encode($user.':'.$pass);
     $header = 'Authorization: Basic '.$auth;
     ?>
  12. HTTP/1.0 401 Unauthorized
     WWW-Authenticate: Digest realm="Great White North",
         nonce="d39175b3e4a2538a01e4afe863092621",
         opaque="ef5b7a6b9f8460ba7c74589a9d7be07c"

     Authorization: Digest username="snowman", realm="Great White North",
         nonce="d39175b3e4a2538a01e4afe863092621",
         opaque="ef5b7a6b9f8460ba7c74589a9d7be07c",
         uri="http://foo.com/bar/baz", response=$response
  13. <?php
     // Client side of Digest without qop (RFC 2617): the password itself is
     // never sent, only a hash bound to the server's nonce. md5 is what the
     // protocol specifies here, not a choice the application gets to make.
     $hash1 = md5($username.':'.$realm.':'.$password);   // HA1
     $hash2 = md5($requestMethod.':'.$requestUri);       // HA2
     $response = md5($hash1.':'.$nonce.':'.$hash2);

     // Digest parameters are comma-separated
     $header = 'Authorization: Digest '
         .'username="'.$username.'", '
         .'realm="'.$realm.'", '
         .'nonce="'.$nonce.'", '
         .'opaque="'.$opaque.'", '
         .'uri="'.$uri.'", '
         .'response="'.$response.'"';
     ?>
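Added example (not from the deck): the server side of slides 11 to 13, i.e. what the API does with the Authorization header the client builds. It assumes PHP 8, a constructed user table with a single account, and that the server keeps a list of nonces it recently issued; the realm, credentials and header values are made up for the demo.

```php
<?php
// Added example (not from the slides): server-side verification of the
// Authorization header for both schemes shown above. The user store,
// realm and header values are constructed for illustration.
declare(strict_types=1);

const REALM = 'Great White North';

// Digest forces the server to hold HA1 = md5(user:realm:password); Basic lets
// it hold a proper slow hash. Both values are built inline for the demo.
function buildUserStore(): array
{
    return [
        'snowman' => [
            'basic_hash' => password_hash('igloo', PASSWORD_DEFAULT),
            'digest_ha1' => md5('snowman:' . REALM . ':igloo'),
        ],
    ];
}

function verifyBasic(string $param, array $users): ?string
{
    $decoded = base64_decode($param, true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['basic_hash'])) {
        return null;
    }
    return $user;
}

// Parses key="value" and key=value pairs from the Digest parameter list.
function parseDigestParams(string $param): array
{
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $param, $m, PREG_SET_ORDER);
    $out = [];
    foreach ($m as $match) {
        $out[$match[1]] = $match[2] !== '' ? $match[2] : ($match[3] ?? '');
    }
    return $out;
}

function verifyDigest(string $param, string $method, array $users, array $validNonces): ?string
{
    $p = parseDigestParams($param);
    foreach (['username', 'realm', 'nonce', 'uri', 'response'] as $k) {
        if (!isset($p[$k])) {
            return null;
        }
    }
    // The nonce must be one the server issued recently; otherwise a captured
    // header can be replayed for as long as the password stays the same.
    if ($p['realm'] !== REALM || !in_array($p['nonce'], $validNonces, true)) {
        return null;
    }
    if (!isset($users[$p['username']])) {
        return null;
    }
    // Same computation as the client performs on slide 13.
    $ha1 = $users[$p['username']]['digest_ha1'];
    $ha2 = md5($method . ':' . $p['uri']);
    $expected = md5($ha1 . ':' . $p['nonce'] . ':' . $ha2);
    // Constant-time comparison so the check does not leak via timing.
    return hash_equals($expected, $p['response']) ? $p['username'] : null;
}

// Dispatches on the scheme; returns the authenticated username or null.
function authenticate(string $header, string $method, array $users, array $validNonces): ?string
{
    if (!preg_match('/^(Basic|Digest)\s+(.+)$/s', $header, $m)) {
        return null;
    }
    return $m[1] === 'Basic'
        ? verifyBasic($m[2], $users)
        : verifyDigest($m[2], $method, $users, $validNonces);
}

// Constructed demo: a Basic header, a fresh Digest header, and the same Digest
// header presented after the server has forgotten the nonce.
$users = buildUserStore();
$nonce = bin2hex(random_bytes(16));
$ha1 = $users['snowman']['digest_ha1'];
$response = md5($ha1 . ':' . $nonce . ':' . md5('GET:/bar/baz'));
$digest = sprintf('Digest username="snowman", realm="%s", nonce="%s", uri="/bar/baz", response="%s"',
    REALM, $nonce, $response);

var_dump(authenticate('Basic ' . base64_encode('snowman:igloo'), 'GET', $users, [$nonce]));
var_dump(authenticate($digest, 'GET', $users, [$nonce]));
var_dump(authenticate($digest, 'GET', $users, []));   // nonce no longer known: rejected
```

The point worth noticing is the storage cost of Digest: the server must keep md5(user:realm:password) per account, which is a fast unsalted hash, whereas Basic over TLS lets the password be stored with password_hash(). That trade-off, not the wire format, is usually what decides between them.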
  14. “Security”
     Use SSL... or don't use it at all
     Internal sites

  15. Shared Tokens

  16. Trouble to maintain
     Static, not asymmetric
     Not encryption

  17. OAuth v2


  19. Burden of identity
     Complex to implement
     Authorization, not authentication
     “Delegation”?
  20. <?php
     // PECL OAuth client; getRequestToken() is the OAuth 1.0a request-token step
     $oauth = new OAuth($consumerKey, $secretKey);
     $token = $oauth->getRequestToken($requestUrl, $callbackUrl);
     // Send the user to the provider to approve; the parameter name is oauth_token
     header('Location: '.$authorizeUrl.'?oauth_token='.urlencode($token['oauth_token']));
     exit;
     ?>
  21. Shared Certificates

  22. Stronger protection than passwords
     No private information involved
     Difficult to deploy

  23. Not Just Auth


  25. Rate Limiting

  26. Limit requests/second
     Types of requests
     All about time...

  27. Throttling

  28. Limit amount of data
     Slowing them down
     All about bandwidth...
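Added example (not from the deck): the two controls of slides 25 to 28 in code, a per-key request limiter that works in time windows (rate limiting) and a per-key byte budget (throttling). The classes, header names, limits and the in-memory storage are constructed for the demo; it assumes PHP 8 and that each API node would in practice share the counters through something like Redis.

```php
<?php
// Added example (not from the slides): a fixed-window request limiter
// (slide 26: requests per unit time) and a byte-budget throttle (slide 28:
// bandwidth). Storage is an in-memory array; a real deployment would use a
// shared store so every API node sees the same counters.
declare(strict_types=1);

final class RateLimiter
{
    private array $windows = [];   // key => ['start' => int, 'count' => int]

    public function __construct(private int $maxRequests, private int $windowSeconds) {}

    // Returns [allowed, retryAfterSeconds]. $now is injected rather than read
    // from time() so the behaviour is deterministic and testable.
    public function check(string $key, int $now): array
    {
        $w = $this->windows[$key] ?? ['start' => $now, 'count' => 0];
        if ($now - $w['start'] >= $this->windowSeconds) {
            $w = ['start' => $now, 'count' => 0];          // window rolled over
        }
        if ($w['count'] >= $this->maxRequests) {
            $this->windows[$key] = $w;
            return [false, $w['start'] + $this->windowSeconds - $now];
        }
        $w['count']++;
        $this->windows[$key] = $w;
        return [true, 0];
    }
}

final class BandwidthThrottle
{
    private array $used = [];      // key => bytes consumed in the current window
    private array $started = [];   // key => window start

    public function __construct(private int $maxBytes, private int $windowSeconds) {}

    // The caller passes the size of the response it is about to send; false
    // means "send a 429 instead of the payload".
    public function consume(string $key, int $bytes, int $now): bool
    {
        $start = $this->started[$key] ?? $now;
        if ($now - $start >= $this->windowSeconds) {
            $this->used[$key] = 0;
            $start = $now;
        }
        $this->started[$key] = $start;
        $used = $this->used[$key] ?? 0;
        if ($used + $bytes > $this->maxBytes) {
            return false;
        }
        $this->used[$key] = $used + $bytes;
        return true;
    }
}

// Turns a limiter verdict into the headers a well-behaved client needs.
function rateLimitHeaders(bool $allowed, int $retryAfter, int $limit): array
{
    $h = ['X-RateLimit-Limit' => (string) $limit];
    if (!$allowed) {
        $h['Retry-After'] = (string) $retryAfter;
    }
    return $h;
}

// Constructed demo: 3 requests per 10-second window for one API key, and a
// 1 KiB per window bandwidth budget. The fourth request exceeds the limit;
// the fifth arrives in a new window.
$limiter = new RateLimiter(3, 10);
$throttle = new BandwidthThrottle(1024, 10);
$t0 = 1_000_000;
foreach ([0, 1, 2, 3, 11] as $offset) {
    [$ok, $retry] = $limiter->check('key-abc', $t0 + $offset);
    echo "t+{$offset}s: ", $ok ? 'allowed' : "rejected, retry after {$retry}s", "\n";
    print_r(rateLimitHeaders($ok, $retry, 3));
}
var_dump($throttle->consume('key-abc', 800, $t0));
var_dump($throttle->consume('key-abc', 800, $t0 + 1));    // exceeds the remaining budget
var_dump($throttle->consume('key-abc', 800, $t0 + 12));   // window rolled over
```

Key by the authenticated API key rather than by client IP where you can: IPs are shared by NATs and rotated by attackers, while a key is what you actually want to limit.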
  29. Filtering/Escaping

  30. Email, URL, Name, Login, IP, HTML, Num, Alpha, Bool, Regex patterns
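Added example (not from the deck): one validation routine covering the input kinds listed on slide 30, built on PHP's filter extension, applied to a constructed request against a constructed schema. The rule names, field names, the bounds used for login and name, and the sample input are all made up for the demo; it assumes PHP 8.

```php
<?php
// Added example (not from the slides): validation per input kind from slide 30.
// Returns the cleaned value, or null when the input is rejected; rejecting
// (and answering 400) beats silently "fixing" bad input.
declare(strict_types=1);

function validate(string $type, mixed $value, array $opts = []): mixed
{
    if (!is_scalar($value)) {
        return null;                 // arrays/objects where a scalar is expected
    }
    $value = (string) $value;
    return match ($type) {
        'email' => filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value,
        // url: syntactically valid AND a scheme we are willing to follow
        'url'   => (filter_var($value, FILTER_VALIDATE_URL) === false
                    || !in_array(parse_url($value, PHP_URL_SCHEME), ['http', 'https'], true))
                   ? null : $value,
        'ip'    => filter_var($value, FILTER_VALIDATE_IP) === false ? null : $value,
        // num: integer, optionally bounded via min_range/max_range in $opts
        'num'   => filter_var($value, FILTER_VALIDATE_INT, ['options' => $opts]) === false
                   ? null : (int) $value,
        'bool'  => filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE),
        'alpha' => ctype_alpha($value) ? $value : null,
        // login: deliberately small character set, bounded length (assumed rule)
        'login' => preg_match('/^[a-z0-9_]{3,32}$/', $value) === 1 ? $value : null,
        // name: letters, spaces, apostrophes and hyphens, bounded length (assumed rule)
        'name'  => preg_match('/^[\p{L} \'\-]{1,64}$/u', $value) === 1 ? $value : null,
        // regex: caller-supplied pattern, e.g. a resource identifier format
        'regex' => filter_var($value, FILTER_VALIDATE_REGEXP,
                       ['options' => ['regexp' => $opts['regexp']]]) === false ? null : $value,
        // html: the API stores text, so make it inert wherever it is rendered later
        'html'  => htmlspecialchars(strip_tags($value), ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        default => null,             // unknown rule: fail closed
    };
}

// Applies a schema (field => [rule, options]) to a request body. Fields not
// in the schema are dropped, so the schema doubles as an allow-list.
function validateRequest(array $schema, array $input): array
{
    $clean = $errors = [];
    foreach ($schema as $field => $rule) {
        $result = validate($rule[0], $input[$field] ?? null, $rule[1] ?? []);
        if ($result === null) {
            $errors[] = $field;
        } else {
            $clean[$field] = $result;
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed schema and request body.
$schema = [
    'email'    => ['email'],
    'homepage' => ['url'],
    'login'    => ['login'],
    'age'      => ['num', ['min_range' => 0, 'max_range' => 150]],
    'active'   => ['bool'],
    'bio'      => ['html'],
    'ref'      => ['regex', ['regexp' => '/^[A-Z]{2}-\d{4}$/']],
];
$input = [
    'email'    => 'snowman@example.com',
    'homepage' => 'javascript:alert(1)',        // wrong scheme
    'login'    => 'snow man',                   // contains a space
    'age'      => '42',
    'active'   => 'yes',
    'bio'      => '<script>alert(1)</script>Hi',
    'ref'      => 'CA-2013',
    'role'     => 'admin',                      // not in the schema: dropped
];
print_r(validateRequest($schema, $input));
```

Validate at the API boundary and escape at the output boundary: the 'html' rule above is the one place where the two are combined, because an API that stores free text cannot know which renderer will display it later.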
  31. Direct Object Refs

  32. OWASP Top 10 (2013) A4: Insecure Direct Object References
  33. Yours:         GET /user/1/link/42
     Good guesses:  GET /user/1/link/52
                    PUT /user/1/link/42
     Alternative:   GET /user/[GUID #1]/link/[GUID #2]
                    GET /user/[username]
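Added example (not from the deck): the two fixes slide 33 points at, written out. The lookup is scoped to the authenticated user, so guessing /user/1/link/52 from /user/1/link/42 returns nothing unless the caller owns link 52, and newly created resources get opaque identifiers instead of a counter. The in-memory table, the function names and the response shape are constructed for the demo.

```php
<?php
// Added example (not from the slides): a vulnerable handler for
// GET /user/{id}/link/{linkId} next to its hardened form, plus an opaque id
// generator. The "links" table below is constructed for the demo.
declare(strict_types=1);

$links = [
    42 => ['id' => 42, 'owner' => 1, 'url' => 'https://example.com/a'],
    52 => ['id' => 52, 'owner' => 2, 'url' => 'https://example.com/b'],
];

// Vulnerable: trusts the user id in the URI and looks the link up by id alone,
// so any authenticated caller can walk the id space.
function getLinkInsecure(array $links, int $uriUserId, int $linkId): array
{
    return isset($links[$linkId])
        ? ['status' => 200, 'body' => $links[$linkId]]
        : ['status' => 404, 'body' => null];
}

// Hardened: the user id comes from the session or token, never from the URI,
// and the ownership predicate is part of the lookup (in SQL this is the
// "AND owner = ?" in the WHERE clause). A foreign link is a 404, not a 403,
// so the response does not confirm that the id exists.
function getLinkSecure(array $links, int $authUserId, int $linkId): array
{
    $row = $links[$linkId] ?? null;
    if ($row === null || $row['owner'] !== $authUserId) {
        return ['status' => 404, 'body' => null];
    }
    return ['status' => 200, 'body' => $row];
}

// Opaque identifier for newly created resources: 128 bits from the CSPRNG,
// so ids cannot be enumerated by incrementing. This is the GUID alternative
// on slide 33; it complements the ownership check, it does not replace it.
function newOpaqueId(): string
{
    return bin2hex(random_bytes(16));
}

// The caller is authenticated as user 1 and asks for user 2's link 52.
print_r(getLinkInsecure($links, 1, 52));
print_r(getLinkSecure($links, 1, 52));
print_r(getLinkSecure($links, 1, 42));
echo newOpaqueId(), "\n";
```

Unguessable ids alone are not a fix: a leaked id (in a log, a referrer, a shared screenshot) would still open the resource to anyone. The ownership check is the control; the opaque id just removes enumeration.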
  34. Error Conditions

  35. {
       "success": false,
       "error": {
         "code": 8675309,
         "message": "Error in request",
         "url": "http://oursite.com/error/8675309"
       }
     }
  36. Good Practices

  37. Use HTTPS

  38. Prevent leakage

  39. Be stateless

  40. Auth on resource, not URI

  41. Importance of (HTTP) status
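Added example (not from the deck): the error envelope from slide 35 produced without leaking internals (slide 38) and with the HTTP status carrying the meaning (slide 41). The ApiException class, the handler table, the error codes other than the slide's 8675309 and the documentation URL pattern are constructed for the demo; it assumes PHP 8.

```php
<?php
// Added example (not from the slides): mapping failures to the slide 35
// envelope. Only messages the API deliberately raised are shown to the
// client; anything else is logged with a reference and reported generically.
declare(strict_types=1);

final class ApiException extends RuntimeException
{
    public function __construct(public int $status, public int $apiCode, string $message)
    {
        parent::__construct($message);
    }
}

// Returns [httpStatus, body]. $log receives the full detail for the server log.
function errorResponse(Throwable $e, callable $log): array
{
    if ($e instanceof ApiException) {
        $status = $e->status;
        $code = $e->apiCode;
        $message = $e->getMessage();
    } else {
        // Unexpected exception: stack, SQL and paths stay on the server.
        $ref = bin2hex(random_bytes(8));
        $log(sprintf('[%s] %s: %s at %s:%d', $ref, $e::class, $e->getMessage(), $e->getFile(), $e->getLine()));
        $status = 500;
        $code = 1000;
        $message = 'Internal error, reference ' . $ref;
    }
    return [$status, [
        'success' => false,
        'error' => [
            'code' => $code,
            'message' => $message,
            'url' => 'http://oursite.com/error/' . $code,
        ],
    ]];
}

// Constructed routes: a success, a not-found, a validation failure, and a
// database error whose message must never reach the client.
function handle(string $route, callable $log): array
{
    try {
        return match ($route) {
            'GET /user/1/link/42' => [200, ['success' => true, 'link' => ['id' => 42]]],
            'GET /user/1/link/99' => throw new ApiException(404, 8675309, 'Error in request'),
            'POST /user/1/link'   => throw new ApiException(422, 8675310, 'Field "url" is required'),
            default               => throw new PDOException("SQLSTATE[42S02]: Table 'app.links' doesn't exist"),
        };
    } catch (Throwable $e) {
        return errorResponse($e, $log);
    }
}

$log = fn (string $line) => fwrite(STDERR, $line . "\n");
foreach (['GET /user/1/link/42', 'GET /user/1/link/99', 'POST /user/1/link', 'DELETE /admin'] as $route) {
    [$status, $body] = handle($route, $log);
    echo $status, ' ', json_encode($body), "\n";
}
```

The status code is what generic clients, proxies and monitoring act on; the envelope's code is for your own documentation. Keep both consistent: a 404 body should not say the request succeeded, and a 200 should not carry "success": false.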

  42. Use keys, not passwords

  43. Signing with hashes

  44. <?php
     $public = '1c53048f8bfbd5cced1aa2d1d5cfd788b1e3e71c';    // identifies the key; sent in clear
     $private = '0f079851e936af2075bf40b1d436c287d943c29c';   // shared secret; never sent
     $timestamp = time();
     // HMAC over the payload plus a timestamp, so a captured request
     // cannot be replayed indefinitely
     $signature = hash_hmac('sha256', $response.$timestamp, $private);
     $headers[] = 'X-Auth-Public: '.$public;
     $headers[] = 'X-Auth-Timestamp: '.$timestamp;   // the verifier must see the same value
     $headers[] = 'X-Auth-Signature: '.$signature;
     ?>
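Added example (not from the deck): the signing scheme of slides 42 to 44 carried through to the server half. The signature covers method, path, timestamp and body so none of them can be swapped, the timestamp travels in a header so the server can recompute the MAC, and verification uses a constant-time compare and a skew window. The canonical form, header names, skew window and the key pair (the two values from slide 44 are reused as sample data) are constructed for the demo.

```php
<?php
// Added example (not from the slides): HMAC request signing, client and server.
// Key ids, the secret, header names and the skew window are constructed.
declare(strict_types=1);

const SKEW_SECONDS = 300;

// What both sides MAC. Newline-joined so a field boundary cannot be moved;
// the body is hashed so large payloads do not need to be buffered twice.
function canonical(string $method, string $path, int $timestamp, string $body): string
{
    return implode("\n", [strtoupper($method), $path, (string) $timestamp, hash('sha256', $body)]);
}

// Client side: returns the headers to attach to the request.
function signRequest(string $publicId, string $secret, string $method, string $path, string $body, int $now): array
{
    $sig = hash_hmac('sha256', canonical($method, $path, $now, $body), $secret);
    return [
        'X-Auth-Public'    => $publicId,
        'X-Auth-Timestamp' => (string) $now,
        'X-Auth-Signature' => $sig,
    ];
}

// Server side: returns the key id on success, null otherwise. $keys maps
// public id => secret, looked up from wherever keys are stored.
function verifyRequest(array $headers, array $keys, string $method, string $path, string $body, int $now): ?string
{
    $id = $headers['X-Auth-Public'] ?? '';
    $ts = $headers['X-Auth-Timestamp'] ?? '';
    $sig = $headers['X-Auth-Signature'] ?? '';
    if (!isset($keys[$id]) || !ctype_digit($ts)) {
        return null;
    }
    // Reject stale or far-future timestamps: this bounds how long a captured
    // request can be replayed. A server-side nonce store would close the window.
    if (abs($now - (int) $ts) > SKEW_SECONDS) {
        return null;
    }
    $expected = hash_hmac('sha256', canonical($method, $path, (int) $ts, $body), $keys[$id]);
    // hash_equals is constant-time, so the MAC cannot be guessed byte by byte.
    return hash_equals($expected, $sig) ? $id : null;
}

// Constructed keys: the public id names the key, the secret never leaves the two parties.
$keys = ['1c53048f8bfbd5cced1aa2d1d5cfd788b1e3e71c' => '0f079851e936af2075bf40b1d436c287d943c29c'];
$publicId = array_key_first($keys);
$now = time();
$body = '{"url":"https://example.com"}';
$hdrs = signRequest($publicId, $keys[$publicId], 'POST', '/user/1/link', $body, $now);

var_dump(verifyRequest($hdrs, $keys, 'POST', '/user/1/link', $body, $now));              // genuine request
var_dump(verifyRequest($hdrs, $keys, 'POST', '/user/1/link', '{"url":"evil"}', $now));  // body tampered
var_dump(verifyRequest($hdrs, $keys, 'PUT', '/user/1/link', $body, $now));              // method swapped
var_dump(verifyRequest($hdrs, $keys, 'POST', '/user/1/link', $body, $now + 3600));      // replayed an hour later
```

This is the "stateless" and "keys, not passwords" advice of slides 39 and 42 in one mechanism: every request carries its own proof, the secret is never transmitted, and a leaked public id is useless without it.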
  45. Method permissioning
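Added example (not from the deck): authorization decided per resource and per HTTP method, covering slide 40 ("auth on resource, not URI") and slide 45. A policy table says which roles may use which method on a resource type, and the caller's roles are derived relative to the specific object, so "owner" is a property of the (user, resource) pair rather than of the user alone. The roles, resource types, policy and sample objects are constructed for the demo.

```php
<?php
// Added example (not from the slides): method permissioning against a policy
// table, evaluated on the resource object rather than on the URI string.
declare(strict_types=1);

// Method => roles allowed, per resource type. Anything absent is denied.
const POLICY = [
    'link' => [
        'GET'    => ['owner', 'admin', 'viewer'],
        'PUT'    => ['owner', 'admin'],
        'DELETE' => ['owner', 'admin'],
        // no POST: creating links is an action on the collection, below
    ],
    'links' => [
        'GET'  => ['owner', 'admin'],
        'POST' => ['owner', 'admin'],
    ],
];

// The caller's roles *for this object*: global roles plus ownership or
// public visibility of the resource itself.
function rolesFor(array $user, array $resource): array
{
    $roles = $user['roles'];                      // global roles, e.g. ['admin'] or []
    if ($resource['owner'] === $user['id']) {
        $roles[] = 'owner';
    } elseif ($resource['public'] ?? false) {
        $roles[] = 'viewer';
    }
    return $roles;
}

// 200 when permitted, 405 when the method is not defined for the type,
// 403 otherwise. Authentication is assumed to have happened already.
function authorize(array $user, string $method, string $type, array $resource): int
{
    $allowedRoles = POLICY[$type][strtoupper($method)] ?? null;
    if ($allowedRoles === null) {
        return 405;
    }
    return array_intersect(rolesFor($user, $resource), $allowedRoles) ? 200 : 403;
}

// Constructed callers and objects.
$alice = ['id' => 1, 'roles' => []];
$bob   = ['id' => 2, 'roles' => []];
$root  = ['id' => 9, 'roles' => ['admin']];
$link  = ['id' => 42, 'owner' => 1, 'public' => true];
$coll  = ['owner' => 1];

foreach ([
    ['alice', $alice, 'PUT',    'link',  $link],   // owner editing her own link
    ['bob',   $bob,   'GET',    'link',  $link],   // public link, readable by anyone
    ['bob',   $bob,   'DELETE', 'link',  $link],   // not bob's link
    ['root',  $root,  'DELETE', 'link',  $link],   // admin
    ['bob',   $bob,   'PATCH',  'link',  $link],   // method not defined for links
    ['bob',   $bob,   'POST',   'links', $coll],   // creating into alice's collection
] as [$name, $user, $method, $type, $obj]) {
    printf("%-5s %-6s %-5s -> %d\n", $name, $method, $type, authorize($user, $method, $type, $obj));
}
```

Because the decision is made on the loaded object, two URIs that resolve to the same resource (say /user/1/link/42 and /link/42) get the same answer, which is exactly what URI-pattern authorization tends to get wrong.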

  46. Secure input parsing

  47. <!DOCTYPE root [
       <!ENTITY one "one">
       <!ENTITY two "&one;&one;&one;&one;">
       <!ENTITY three "&two;&two;&two;&two;">
     ]>
     <test>
       <testing>&three;</testing>
     </test>
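Added example (not from the deck): parsing untrusted XML in PHP so that the entity-expansion document on slide 47 is refused before libxml expands anything. The rule is blunt on purpose: any DOCTYPE is rejected, because an API payload has no legitimate use for an inline DTD, and that one check removes both expansion bombs and external entity loading. The exception class, the size cap and the benign sample document are constructed for the demo; it assumes PHP 8 with the dom and libxml extensions.

```php
<?php
// Added example (not from the slides): hardened XML parsing for API input.
declare(strict_types=1);

final class UnsafeXmlException extends RuntimeException {}

function parseUntrustedXml(string $xml, int $maxBytes = 1024 * 1024): DOMDocument
{
    if (strlen($xml) > $maxBytes) {
        throw new UnsafeXmlException('document too large');
    }
    // Textual pre-check: a DOCTYPE (and therefore any <!ENTITY>) means "reject".
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new UnsafeXmlException('DOCTYPE not allowed');
    }
    $previous = libxml_use_internal_errors(true);   // collect errors instead of emitting warnings
    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing.
    // LIBXML_NOENT is deliberately absent, so entities are not substituted.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new UnsafeXmlException('malformed XML: ' . trim($errors[0]->message ?? 'unknown'));
    }
    // Second check on what the parser actually saw, in case the regex was bypassed.
    if ($dom->doctype !== null) {
        throw new UnsafeXmlException('DOCTYPE not allowed');
    }
    return $dom;
}

// The slide 47 payload: each level is four copies of the previous one, so a
// handful of further levels turns a few hundred bytes into gigabytes.
$bomb = <<<'XML'
<!DOCTYPE root [
  <!ENTITY one "one">
  <!ENTITY two "&one;&one;&one;&one;">
  <!ENTITY three "&two;&two;&two;&two;">
]>
<test><testing>&three;</testing></test>
XML;

$benign = '<test><testing>one</testing></test>';

foreach (['bomb' => $bomb, 'benign' => $benign] as $label => $doc) {
    try {
        $dom = parseUntrustedXml($doc);
        echo $label, ': accepted, testing=', $dom->getElementsByTagName('testing')->item(0)->textContent, "\n";
    } catch (UnsafeXmlException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

The size cap matters as much as the DOCTYPE check: most of the damage from "think simple" being ignored comes from accepting arbitrarily large or arbitrarily nested input in the first place.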
  48. Think Simple


  50. Thanks! Questions/Comments? @enygma http://websec.io