$30 off During Our Annual Pro Sale. View Details »

¿API primero? Seguridad primero: lo que necesitas saber para crear APIs seguras

¿API primero? Seguridad primero: lo que necesitas saber para crear APIs seguras

API First? Security first: what you need to know in order to create secure APIs

Several tools and frameworks such Angular, Ember, React and Flight among others as well as mobile development depend on an API to communicate with your application back-end.

In this talk, we'll anayize common errors in both creation and consumption of APIs and how to mitigate those failures as well as exploring the anatomy of a secure API

Talk presented during Software Guru Conference and Expo in Mexico City, Mexico

http://sg.com.mx/sgce

Fernando Perales

July 02, 2015
Tweet

More Decks by Fernando Perales

Other Decks in Programming

Transcript

  1. Enlighten your software
    ¿API primero? Seguridad primero:
    lo que necesitas saber para crear APIs seguras
    Fernando Perales

    View Slide


  2. View Slide

  3. Fernando Perales
    Software Engineer @ Crowd Interactive
    FLOSS Advocate
    /(.*) metal and lover/
    Passionate about web development and lean
    startup

    View Slide


  4. FerPeralesM

    View Slide


  5. FerPerales

    View Slide


  6. View Slide

  7. Why an
    API?

    View Slide

  8. http://www.apiacademy.co/sites/default/files/Web-APIs-v5_0.png

    View Slide

  9. API first

    View Slide

  10. When to not
    API first

    View Slide

  11. Extracted
    from
    monolithic

    View Slide

  12. Going
    mobile

    View Slide

  13. Public
    API

    View Slide

  14. Decisions

    View Slide

  15. Technology

    View Slide

  16. SOAP vs REST

    View Slide

  17. XML vs JSON

    View Slide

  18. Let's go
    for...

    View Slide

  19. REST +
    JSON

    View Slide

  20. REST

    View Slide

  21. Roy
    Fielding

    View Slide

  22. “REST's client–server
    separation of concerns
    simplifies component
    implementation, reduces the
    complexity of connector
    semantics, improves the
    effectiveness of performance
    tuning, and increases the
    scalability of pure server
    components.”

    View Slide

  23. Architectural
    constraints

    View Slide

  24. Client-server

    View Slide

  25. https://en.wikipedia.org/wiki/Client%E2%80%93server_model#/media/File:Client-server-model.svg

    View Slide

  26. Stateless

    View Slide

  27. Cacheable

    View Slide

  28. Layered
    system

    View Slide

  29. Code on
    demand
    (optional)

    View Slide

  30. Uniform
    interface

    View Slide

  31. View Slide

  32. View Slide

  33. REST is an
    architectural
    style, not an
    standard

    View Slide

  34. Considerations
    for APIs
    (and pretty much, every system)

    View Slide

  35. Correctness

    View Slide

  36. Performance

    View Slide

  37. Reliability

    View Slide

  38. Robustness

    View Slide

  39. Scalability

    View Slide

  40. Security

    View Slide

  41. Security

    View Slide

  42. Security

    View Slide

  43. View Slide

  44. View Slide

  45. View Slide

  46. View Slide

  47. View Slide

  48. Why should
    I care?

    View Slide

  49. Common
    misperceptions

    View Slide

  50. I'm not
    a big company

    View Slide

  51. Nobody will
    care about my
    data

    View Slide

  52. My API is not
    public

    View Slide

  53. I didn't
    know

    View Slide

  54. Ignorantia juris
    non excusat

    View Slide

  55. owasp.org

    View Slide

  56. Let's
    start

    View Slide

  57. Know what you are
    fighting

    View Slide

  58. http://fc04.deviantart.net/fs71/i/2013/107/9/5/it_s_dangerous_to_go_alone_by_michaelmayne-d621qgq.png

    View Slide

  59. OWASP WASC Web
    Hacking Incidents
    Database Project

    View Slide

  60. View Slide

  61. View Slide

  62. View Slide

  63. View Slide

  64. Denial of Service

    View Slide

  65. An attempt to make a
    machine or network resource
    unavailable to its intended
    users.
    https://en.wikipedia.org/wiki/Denial-of-service_attack

    View Slide

  66. View Slide

  67. Can be from
    malicious
    users

    View Slide

  68. Or legit users
    trying to take
    advantage

    View Slide

  69. View Slide

  70. How to deal
    With?

    View Slide

  71. Throttle / limit
    request

    View Slide

  72. View Slide

  73. Rack::Attack

    View Slide


  74. kickstarter/rack-attack

    View Slide

  75. View Slide

  76. View Slide

  77. Return: HTTP
    code 429

    View Slide

  78. View Slide

  79. How to test?

    View Slide

  80. Apache
    Benchmark

    View Slide

  81. httpd.apache.org/docs/
    2.2/programs/ab.html

    View Slide

  82. ab -c 5 -n 100 http://127.0.0.1:3000/login

    View Slide

  83. SQL
    injections

    View Slide

  84. SQL injection is a code injection
    technique, used to attack data-
    driven applications, in which
    malicious SQL statements are
    inserted into an entry field for
    execution
    https://en.wikipedia.org/wiki/SQL_injection

    View Slide

  85. http://example.com/
    api/v1/user/123

    View Slide

  86. “SELECT * FROM
    users WHERE userID='”
    + user_id +”‘”;

    View Slide

  87. “SELECT * FROM
    users WHERE usetID =
    ‘123’”

    View Slide

  88. Consider this:

    View Slide

  89. http://example.com/
    api/v1/user/’%20or
    %20’1’=’1

    View Slide

  90. SELECT * FROM
    users WHERE
    userID = ‘’ or ‘1’ = ‘1’

    View Slide

  91. Predictable
    Resource
    location

    View Slide

  92. An attack technique used to uncover
    hidden web site content and
    functionality. By making educated
    guesses, the attack is a brute force
    search looking for content that is not
    intended for public viewing.
    http://www.infosecpro.com/applicationsecurity/a54.htm

    View Slide

  93. example.com/v1/users/1

    View Slide

  94. example.com/v1/users/1

    View Slide

  95. UUID

    View Slide

  96. example.com/v1/users/1

    View Slide

  97. example.com/v1/users/
    de305d54-75b4-431b-
    adb2-eb6b9e546014

    View Slide

  98. Who does
    this?

    View Slide

  99. View Slide

  100. Charges:
    ch_16KD5K2eZvKYlo2
    Cm5vtG9HJ

    View Slide

  101. Cards:
    card_16KD5F2eZvKYlo
    2CzRqSKsIR

    View Slide

  102. Transactions:
    txn_16Hn2s2eZvKYlo2
    CSKkdbSPq

    View Slide

  103. Unintended
    disclosure of
    information

    View Slide

  104. Letting unauthorized users to
    access information they shouldn't

    View Slide

  105. It has happened to

    View Slide

  106. me

    View Slide

  107. and many
    others

    View Slide

  108. How to deal
    with this?

    View Slide

  109. Apply
    authentication
    to your API as
    well

    View Slide

  110. And respond
    with the
    minimal
    information
    needed

    View Slide

  111. Protip:

    View Slide

  112. API interactions
    from client to
    server are still user
    input

    View Slide

  113. This
    happened
    to

    View Slide

  114. View Slide

  115. Several
    times...

    View Slide

  116. View Slide

  117. NOTE: Does not work anymore

    View Slide

  118. View Slide

  119. Meet Charles

    View Slide

  120. View Slide

  121. View Slide

  122. Charles can be used as a man-in-
    the-middle HTTPS proxy, enabling
    you to view in plain text the
    communication between web
    browser and SSL web server.

    View Slide

  123. View Slide

  124. View Slide

  125. (._. U)

    View Slide

  126. Wrapping up

    View Slide

  127. Requirements

    View Slide

  128. Knowledge

    View Slide

  129. Prevention

    View Slide

  130. Monitoring

    View Slide

  131. Awareness

    View Slide

  132. Questions?

    View Slide

  133. Thanks!
    [email protected]
     FerPeralesM

    View Slide