¿API primero? Seguridad primero: lo que necesitas saber para crear APIs seguras

Transcript

1. Enlighten your software ¿API primero? Seguridad primero: lo que necesitas

   saber para crear APIs seguras Fernando Perales

2. <me>

3. Fernando Perales Software Engineer @ Crowd Interactive FLOSS Advocate /(.*)

   metal and lover/ Passionate about web development and lean startup

4.  FerPeralesM

5.  FerPerales

6. </me>

7. Why an API?

8. http://www.apiacademy.co/sites/default/files/Web-APIs-v5_0.png

9. API first

10. When to not API first

11. Extracted from monolithic

12. Going mobile

13. Public API

14. Decisions

15. Technology

16. SOAP vs REST

17. XML vs JSON

18. Let's go for...

19. REST + JSON

20. REST

21. Roy Fielding

22. “REST's client–server separation of concerns simplifies component implementation, reduces the

    complexity of connector semantics, improves the effectiveness of performance tuning, and increases the scalability of pure server components.”

23. Architectural constraints

24. Client-server

25. https://en.wikipedia.org/wiki/Client%E2%80%93server_model#/media/File:Client-server-model.svg

26. Stateless

27. Cacheable

28. Layered system

29. Code on demand (optional)

30. Uniform interface

31. None
32. None

33. REST is an architectural style, not an standard

34. Considerations for APIs (and pretty much, every system)

35. Correctness

36. Performance

37. Reliability

38. Robustness

39. Scalability

40. Security

41. Security

42. Security

43. None
44. None
45. None
46. None
47. None

48. Why should I care?

49. Common misperceptions

50. I'm not a big company

51. Nobody will care about my data

52. My API is not public

53. I didn't know

54. Ignorantia juris non excusat

55. owasp.org

56. Let's start

57. Know what you are fighting

58. http://fc04.deviantart.net/fs71/i/2013/107/9/5/it_s_dangerous_to_go_alone_by_michaelmayne-d621qgq.png

59. OWASP WASC Web Hacking Incidents Database Project

60. None
61. None
62. None
63. None

64. Denial of Service

65. An attempt to make a machine or network resource unavailable

    to its intended users. https://en.wikipedia.org/wiki/Denial-of-service_attack
66. None

67. Can be from malicious users

68. Or legit users trying to take advantage

69. None

70. How to deal With?

71. Throttle / limit request

72. None

73. Rack::Attack

74.  kickstarter/rack-attack

75. None
76. None

77. Return: HTTP code 429

78. None

79. How to test?

80. Apache Benchmark

81. httpd.apache.org/docs/ 2.2/programs/ab.html

82. ab -c 5 -n 100 http://127.0.0.1:3000/login

83. SQL injections

84. SQL injection is a code injection technique, used to attack

    data- driven applications, in which malicious SQL statements are inserted into an entry field for execution https://en.wikipedia.org/wiki/SQL_injection

85. http://example.com/ api/v1/user/123

86. “SELECT * FROM users WHERE userID='” + user_id +”‘”;

87. “SELECT * FROM users WHERE usetID = ‘123’”

88. Consider this:

89. http://example.com/ api/v1/user/’%20or %20’1’=’1

90. SELECT * FROM users WHERE userID = ‘’ or ‘1’

    = ‘1’

91. Predictable Resource location

92. An attack technique used to uncover hidden web site content

    and functionality. By making educated guesses, the attack is a brute force search looking for content that is not intended for public viewing. http://www.infosecpro.com/applicationsecurity/a54.htm

93. example.com/v1/users/1

94. example.com/v1/users/1

95. UUID

96. example.com/v1/users/1

97. example.com/v1/users/ de305d54-75b4-431b- adb2-eb6b9e546014

98. Who does this?

99. None

100. Charges: ch_16KD5K2eZvKYlo2 Cm5vtG9HJ

101. Cards: card_16KD5F2eZvKYlo 2CzRqSKsIR

102. Transactions: txn_16Hn2s2eZvKYlo2 CSKkdbSPq

103. Unintended disclosure of information

104. Letting unauthorized users to access information they shouldn't

105. It has happened to

106. me

107. and many others

108. How to deal with this?

109. Apply authentication to your API as well

110. And respond with the minimal information needed

111. Protip:

112. API interactions from client to server are still user input

113. This happened to

114. None

115. Several times...

116. None

117. NOTE: Does not work anymore

118. None

119. Meet Charles

120. None
121. None

122. Charles can be used as a man-in- the-middle HTTPS proxy,

     enabling you to view in plain text the communication between web browser and SSL web server.
123. None
124. None

125. (._. U)

126. Wrapping up

127. Requirements

128. Knowledge

129. Prevention

130. Monitoring

131. Awareness

132. Questions?

133. Thanks!  [email protected]  FerPeralesM