¿API primero? Seguridad primero: lo que necesitas saber para crear APIs seguras

Transcript

1. Enlighten your software
   ¿API primero? Seguridad primero:
   lo que necesitas saber para crear APIs seguras
   Fernando Perales
   

   View Slide

2. 
   

   View Slide

3. Fernando Perales
   Software Engineer @ Crowd Interactive
   FLOSS Advocate
   /(.*) metal and lover/
   Passionate about web development and lean
   startup
   

   View Slide

4. 
   FerPeralesM
   

   View Slide

5. 
   FerPerales
   

   View Slide

6. 
   

   View Slide

7. Why an
   API?
   

   View Slide

8. http://www.apiacademy.co/sites/default/files/Web-APIs-v5_0.png
   

   View Slide

9. API first
   

   View Slide

10. When to not
    API first
    

    View Slide

11. Extracted
    from
    monolithic
    

    View Slide

12. Going
    mobile
    

    View Slide

13. Public
    API
    

    View Slide

14. Decisions
    

    View Slide

15. Technology
    

    View Slide

16. SOAP vs REST
    

    View Slide

17. XML vs JSON
    

    View Slide

18. Let's go
    for...
    

    View Slide

19. REST +
    JSON
    

    View Slide

20. REST
    

    View Slide

21. Roy
    Fielding
    

    View Slide

22. “REST's client–server
    separation of concerns
    simplifies component
    implementation, reduces the
    complexity of connector
    semantics, improves the
    effectiveness of performance
    tuning, and increases the
    scalability of pure server
    components.”
    

    View Slide

23. Architectural
    constraints
    

    View Slide

24. Client-server
    

    View Slide

25. https://en.wikipedia.org/wiki/Client%E2%80%93server_model#/media/File:Client-server-model.svg
    

    View Slide

26. Stateless
    

    View Slide

27. Cacheable
    

    View Slide

28. Layered
    system
    

    View Slide

29. Code on
    demand
    (optional)
    

    View Slide

30. Uniform
    interface
    

    View Slide

31. View Slide

32. View Slide

33. REST is an
    architectural
    style, not an
    standard
    

    View Slide

34. Considerations
    for APIs
    (and pretty much, every system)
    

    View Slide

35. Correctness
    

    View Slide

36. Performance
    

    View Slide

37. Reliability
    

    View Slide

38. Robustness
    

    View Slide

39. Scalability
    

    View Slide

40. Security
    

    View Slide

41. Security
    

    View Slide

42. Security
    

    View Slide

43. View Slide

44. View Slide

45. View Slide

46. View Slide

47. View Slide

48. Why should
    I care?
    

    View Slide

49. Common
    misperceptions
    

    View Slide

50. I'm not
    a big company
    

    View Slide

51. Nobody will
    care about my
    data
    

    View Slide

52. My API is not
    public
    

    View Slide

53. I didn't
    know
    

    View Slide

54. Ignorantia juris
    non excusat
    

    View Slide

55. owasp.org
    

    View Slide

56. Let's
    start
    

    View Slide

57. Know what you are
    fighting
    

    View Slide

58. http://fc04.deviantart.net/fs71/i/2013/107/9/5/it_s_dangerous_to_go_alone_by_michaelmayne-d621qgq.png
    

    View Slide

59. OWASP WASC Web
    Hacking Incidents
    Database Project
    

    View Slide

60. View Slide

61. View Slide

62. View Slide

63. View Slide

64. Denial of Service
    

    View Slide

65. An attempt to make a
    machine or network resource
    unavailable to its intended
    users.
    https://en.wikipedia.org/wiki/Denial-of-service_attack
    

    View Slide

66. View Slide

67. Can be from
    malicious
    users
    

    View Slide

68. Or legit users
    trying to take
    advantage
    

    View Slide

69. View Slide

70. How to deal
    With?
    

    View Slide

71. Throttle / limit
    request
    

    View Slide

72. View Slide

73. Rack::Attack
    

    View Slide

74. 
    kickstarter/rack-attack
    

    View Slide

75. View Slide

76. View Slide

77. Return: HTTP
    code 429
    

    View Slide

78. View Slide

79. How to test?
    

    View Slide

80. Apache
    Benchmark
    

    View Slide

81. httpd.apache.org/docs/
    2.2/programs/ab.html
    

    View Slide

82. ab -c 5 -n 100 http://127.0.0.1:3000/login
    

    View Slide

83. SQL
    injections
    

    View Slide

84. SQL injection is a code injection
    technique, used to attack data-
    driven applications, in which
    malicious SQL statements are
    inserted into an entry field for
    execution
    https://en.wikipedia.org/wiki/SQL_injection
    

    View Slide

85. http://example.com/
    api/v1/user/123
    

    View Slide

86. “SELECT * FROM
    users WHERE userID='”
    + user_id +”‘”;
    

    View Slide

87. “SELECT * FROM
    users WHERE usetID =
    ‘123’”
    

    View Slide

88. Consider this:
    

    View Slide

89. http://example.com/
    api/v1/user/’%20or
    %20’1’=’1
    

    View Slide

90. SELECT * FROM
    users WHERE
    userID = ‘’ or ‘1’ = ‘1’
    

    View Slide

91. Predictable
    Resource
    location
    

    View Slide

92. An attack technique used to uncover
    hidden web site content and
    functionality. By making educated
    guesses, the attack is a brute force
    search looking for content that is not
    intended for public viewing.
    http://www.infosecpro.com/applicationsecurity/a54.htm
    

    View Slide

93. example.com/v1/users/1
    

    View Slide

94. example.com/v1/users/1
    

    View Slide

95. UUID
    

    View Slide

96. example.com/v1/users/1
    

    View Slide

97. example.com/v1/users/
    de305d54-75b4-431b-
    adb2-eb6b9e546014
    

    View Slide

98. Who does
    this?
    

    View Slide

99. View Slide

100. Charges:
     ch_16KD5K2eZvKYlo2
     Cm5vtG9HJ
     

     View Slide

101. Cards:
     card_16KD5F2eZvKYlo
     2CzRqSKsIR
     

     View Slide

102. Transactions:
     txn_16Hn2s2eZvKYlo2
     CSKkdbSPq
     

     View Slide

103. Unintended
     disclosure of
     information
     

     View Slide

104. Letting unauthorized users to
     access information they shouldn't
     

     View Slide

105. It has happened to
     

     View Slide

106. me
     

     View Slide

107. and many
     others
     

     View Slide

108. How to deal
     with this?
     

     View Slide

109. Apply
     authentication
     to your API as
     well
     

     View Slide

110. And respond
     with the
     minimal
     information
     needed
     

     View Slide

111. Protip:
     

     View Slide

112. API interactions
     from client to
     server are still user
     input
     

     View Slide

113. This
     happened
     to
     

     View Slide

114. View Slide

115. Several
     times...
     

     View Slide

116. View Slide

117. NOTE: Does not work anymore
     

     View Slide

118. View Slide

119. Meet Charles
     

     View Slide

120. View Slide

121. View Slide

122. Charles can be used as a man-in-
     the-middle HTTPS proxy, enabling
     you to view in plain text the
     communication between web
     browser and SSL web server.
     

     View Slide

123. View Slide

124. View Slide

125. (._. U)
     

     View Slide

126. Wrapping up
     

     View Slide

127. Requirements
     

     View Slide

128. Knowledge
     

     View Slide

129. Prevention
     

     View Slide

130. Monitoring
     

     View Slide

131. Awareness
     

     View Slide

132. Questions?
     

     View Slide

133. Thanks!
      [email protected]
      FerPeralesM
     

     View Slide