
APIs Exposed! @ BuildStuff.lt

More and more developers are building APIs, whether for consumption by client-side applications, for exposing endpoints directly to customers so they can use an alternative front-end, or for wrapping up services in containers.

Now that we have all these exposed endpoints, what are we doing to secure them? Previously, our monolith was self-contained with limited points of access, making authentication and authorisation more straightforward; that's no longer the case.

We'll cover the potential risks we may face, such as cross-site scripting and brute-force attacks, as well as the possible options for securing API endpoints, including OAuth, access tokens, JSON Web Tokens, IP whitelisting and rate limiting, to name but a few.

Layla Porter

November 15, 2018
Transcript

  1. APIS EXPOSED! An encounter with HTTP API security. How it can all go wrong and how to prevent it.
  2. PREVENTING BRUTE FORCE ATTACKS
     - Account Lockout: for example, the account is locked after 3 failed attempts.
     - Progressive Delays: the account is locked for a set period of time which increases with each subsequent failed attempt.
     - Challenge-Response: ensures the user is, in fact, a human.
     - Two Factor Authentication: requires an additional piece of information that only the real user should have available.
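The Account Lockout and Progressive Delays controls from this slide, as an added example in Python (not code from the talk). The three-attempt threshold is the slide's own figure; the 30-second base delay, the doubling schedule, the 24-hour cap, the `BruteForceGuard` class and the `attempt_login` helper are assumptions for illustration:

```python
import hmac
import time
from dataclasses import dataclass

# Policy values chosen for this example. The slide's "3 failed attempts" is
# kept; the 30-second base delay, doubling schedule and 24-hour cap are
# assumptions, not values from the talk.
MAX_FAILURES_BEFORE_LOCK = 3
BASE_LOCK_SECONDS = 30
MAX_LOCK_SECONDS = 24 * 3600


@dataclass
class LoginState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    lockouts: int = 0          # lockouts so far; drives the progressive schedule


class BruteForceGuard:
    """Account lockout with progressive delays.

    The clock is injected so the behaviour can be tested deterministically.
    State lives in a dict here; a real API fleet would keep it in a shared
    store so every instance sees the same counters.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._state: dict[str, LoginState] = {}

    def _get(self, username: str) -> LoginState:
        return self._state.setdefault(username, LoginState())

    def seconds_until_unlocked(self, username: str) -> float:
        return max(0.0, self._get(username).locked_until - self._clock())

    def is_locked(self, username: str) -> bool:
        return self.seconds_until_unlocked(username) > 0

    def record_failure(self, username: str) -> None:
        st = self._get(username)
        st.failures += 1
        if st.failures >= MAX_FAILURES_BEFORE_LOCK:
            # Progressive delay: each lockout lasts twice as long as the last,
            # capped so an attacker cannot lock a victim out indefinitely.
            delay = min(BASE_LOCK_SECONDS * 2 ** st.lockouts, MAX_LOCK_SECONDS)
            st.locked_until = self._clock() + delay
            st.lockouts += 1
            st.failures = 0

    def record_success(self, username: str) -> None:
        # A successful login resets both the counter and the schedule.
        self._state[username] = LoginState()


def attempt_login(guard: BruteForceGuard, users: dict[str, str],
                  username: str, password: str) -> str:
    """Returns 'locked', 'denied' or 'ok'.

    `users` maps username -> password for the example only; a real service
    compares against a salted password hash. Unknown users get the same
    'denied' as wrong passwords so the endpoint does not enumerate accounts.
    """
    if guard.is_locked(username):
        return "locked"          # do not even evaluate the password
    stored = users.get(username)
    if stored is not None and hmac.compare_digest(stored, password):
        guard.record_success(username)
        return "ok"
    guard.record_failure(username)
    return "denied"
```

The lockout is checked before the password so a locked account costs the attacker nothing but also reveals nothing; the doubling schedule caps out so an attacker spamming wrong passwords cannot turn the lockout into a permanent denial of service against a legitimate user.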
  6. Two Factor Authentication: requires an additional piece of information that only the real user should have available. TOTP - Time-Based One Time Passwords.
  7. DISTRIBUTED DENIAL OF SERVICE - AKA DDOS: when multiple systems flood the bandwidth or resources of a targeted system.
  10. PREVENTING DDOS ATTACKS
     - Evaluate hosting partner: many providers offer basic protection.
     - Scalability: automatically scale services to cope with load.
     - Traffic monitoring: knowledge of normal traffic, so that abnormal traffic stands out.
     - Cloud mitigation providers: premium services.
  14. PREVENTING DDOS ATTACKS
     - Rate Limiting: limit the rate and speed at which a user can consume the API.
     - API Throttling: limit the total number of hits on the API by a user during a given period.
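The two controls on this slide, as an added example in Python that is not from the talk: a token bucket for rate limiting (how fast a client may call) and a fixed-window quota for throttling (how many calls per period), combined into one gate that answers 429 with a Retry-After header. The limits, the `gate` helper and the client key scheme are assumptions:

```python
import math
import time
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    retry_after: float   # seconds the client should wait; 0 when allowed


class TokenBucket:
    """Rate limiting: each client has `capacity` tokens refilled at `rate`
    tokens per second; every request spends one. Bursts up to `capacity`
    are fine, sustained traffic is held to `rate`."""

    def __init__(self, rate: float, capacity: int, clock=time.time):
        self.rate, self.capacity, self._clock = rate, capacity, clock
        self._buckets: dict[str, tuple[float, float]] = {}  # key -> (tokens, last seen)

    def check(self, key: str) -> Decision:
        now = self._clock()
        tokens, last = self._buckets.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._buckets[key] = (tokens - 1, now)
            return Decision(True, 0.0)
        self._buckets[key] = (tokens, now)
        return Decision(False, (1 - tokens) / self.rate)


class FixedWindowQuota:
    """API throttling: at most `limit` hits per `period`-second window, per client."""

    def __init__(self, limit: int, period: int, clock=time.time):
        self.limit, self.period, self._clock = limit, period, clock
        self._counts: dict[tuple[str, int], int] = {}  # (key, window) -> hits

    def check(self, key: str) -> Decision:
        now = self._clock()
        window = int(now // self.period)
        used = self._counts.get((key, window), 0)
        if used < self.limit:
            self._counts[(key, window)] = used + 1
            return Decision(True, 0.0)
        return Decision(False, (window + 1) * self.period - now)


def gate(bucket: TokenBucket, quota: FixedWindowQuota,
         client_key: str) -> tuple[int, dict]:
    """Run both limiters for one request. Returns (HTTP status, headers).

    `client_key` should be the authenticated identity (API key or user id);
    keying on source IP alone punishes everyone behind a shared NAT and is
    trivially dodged by an attacker with many addresses.
    """
    for limiter in (bucket, quota):
        d = limiter.check(client_key)
        if not d.allowed:
            return 429, {"Retry-After": str(math.ceil(d.retry_after))}
    return 200, {}
```

Per-client limits blunt abusive single clients and slow a brute-force attack; they do not stop a volumetric DDoS, which arrives from many sources and saturates capacity before the application sees it. That is what the previous slide's hosting and cloud mitigation options are for.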
  15. XSS - Cross-Site Scripting
  16. PREVENTING XSS ATTACKS
     - Input management: escaping, validating and sanitizing.
     - HTTPOnly cookie flag: prevents JavaScript from accessing your cookie.
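The two XSS defences on this slide, as an added example in Python (not code from the talk): context-aware escaping for HTML text, HTML attributes, URL attributes and JSON inside a script block, shown beside the vulnerable concatenation it replaces, plus the Set-Cookie flags that keep a script from reading the session cookie. The page template, cookie name and header helper are assumptions for illustration:

```python
import html
import json
from urllib.parse import urlparse


def render_html_text(value: str) -> str:
    """Escape for an HTML text node: & < > " ' become entities."""
    return html.escape(value, quote=True)


def render_html_attr(name: str, value: str) -> str:
    """Emit name="value" with the value escaped. Always quote the attribute so a
    payload containing a space cannot start a new attribute."""
    return f'{name}="{html.escape(value, quote=True)}"'


def render_url_attr(name: str, url: str) -> str:
    """Escaping alone does not make a URL attribute safe: javascript: and data:
    URLs survive html.escape untouched. Allow only http(s) schemes."""
    if urlparse(url).scheme not in ("http", "https"):
        url = "about:blank"
    return render_html_attr(name, url)


def render_json_for_script(data) -> str:
    """JSON embedded in a <script> block: escape < > & so a string containing
    '</script>' cannot close the element early."""
    return (json.dumps(data).replace("<", "\\u003c")
            .replace(">", "\\u003e").replace("&", "\\u0026"))


def profile_page_unsafe(display_name: str) -> str:
    # Vulnerable form: user-controlled text concatenated straight into markup.
    return f"<h1>Hello {display_name}</h1>"


def profile_page(display_name: str, avatar_url: str) -> str:
    # Hardened form: every interpolation goes through the escaper for its context.
    return (f"<h1>Hello {render_html_text(display_name)}</h1>"
            f"<img {render_url_attr('src', avatar_url)} "
            f"{render_html_attr('alt', display_name)}>")


def session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie value for a session cookie. HttpOnly keeps document.cookie
    from reading it, so an XSS that does land cannot exfiltrate the session;
    Secure restricts it to HTTPS; SameSite=Strict keeps it off cross-site requests."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Strict"


def json_api_headers() -> dict:
    """For an API that answers in JSON: declare the type and forbid MIME sniffing
    so a browser never renders a reflected payload as HTML."""
    return {"Content-Type": "application/json; charset=utf-8",
            "X-Content-Type-Options": "nosniff"}
```

Escaping is output encoding chosen per context; input validation is a separate layer and is not a substitute, because the same string is safe in one context and dangerous in another.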
  18. CROSS-SITE REQUEST FORGERY - AKA CSRF: when an attacker tricks a web browser into executing an unwanted action on a site where the user is already authenticated.
  21. PREVENTING CSRF ATTACKS
     - Origin and/or Referer header: checks that the request is coming from the expected source.
     - Good authentication methods: use API keys or more sophisticated mechanisms like OAuth.
     - Anti Forgery Tokens: a random value in both a cookie and a request parameter (Double Submit Method), or the Encrypted Token Pattern.
     - HTTPOnly cookie flag: particularly good for reflected XSS attacks.
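The Origin/Referer check and the Double Submit anti-forgery token from this slide, combined into one request gate, as an added example in Python that is not from the talk. The allowed origin, the `csrf` cookie and `X-CSRF-Token` header names, and the `csrf_check` helper are assumptions for illustration:

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed deployment value: the origin(s) your own front-end is served from.
ALLOWED_ORIGINS = {"https://app.example.com"}


def issue_csrf_token() -> str:
    """Random value the server sets as the 'csrf' cookie and the page echoes
    back in a header or form field. If JavaScript must read it to put it in
    a header, this cookie cannot be HttpOnly; if the server renders the value
    into the form itself, the cookie can be."""
    return secrets.token_urlsafe(32)


def request_origin(headers: dict):
    """Origin header preferred; fall back to the origin part of Referer."""
    if headers.get("Origin"):
        return headers["Origin"]
    if headers.get("Referer"):
        p = urlparse(headers["Referer"])
        return f"{p.scheme}://{p.netloc}"
    return None


def origin_allowed(headers: dict) -> bool:
    # Browsers attach Origin to cross-origin POSTs, so a state-changing
    # request carrying neither header is treated as not from our front-end.
    return request_origin(headers) in ALLOWED_ORIGINS


def double_submit_ok(cookies: dict, headers: dict, form: dict) -> bool:
    """Double Submit: the csrf cookie must equal the value the page sent back.
    A cross-site page can make the browser send the cookie but cannot read
    it, so it cannot reproduce the value in the header or body."""
    cookie_tok = cookies.get("csrf")
    sent_tok = headers.get("X-CSRF-Token") or form.get("csrf")
    if not cookie_tok or not sent_tok:
        return False
    return hmac.compare_digest(cookie_tok, sent_tok)   # constant-time compare


def csrf_check(method: str, cookies: dict, headers: dict,
               form: dict) -> tuple[bool, str]:
    """Gate for a request handler: returns (allowed, reason)."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"   # valid only if safe methods change no state
    if not origin_allowed(headers):
        return False, "bad origin"
    if not double_submit_ok(cookies, headers, form):
        return False, "token mismatch"
    return True, "ok"
```

An API that authenticates with a bearer token in the Authorization header rather than a cookie is not exposed to CSRF in the first place, since the browser will not attach that header on the attacker's behalf; the check above is for endpoints that still rely on cookie-based sessions.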
  22. OAuth (PREVENTING CSRF ATTACKS): an open standard for authorization, commonly used as a way for Internet users to log into third-party websites using their Microsoft, Google, Facebook or Twitter accounts without exposing their password. Strictly, OAuth authorizes access to resources; the "log in with" use case layers OpenID Connect on top of it.
  27. JSON WEB TOKENS - AKA JWT: a token format carried in the Authorization header, often referred to as a bearer token. It consists of 3 parts, header.payload.signature: 1. Header, 2. Payload, 3. Signature.
  31. JSON WEB TOKENS - AKA JWT: be careful what you put in the JWT and where you store it. The payload is only base64url-encoded, not encrypted, so anyone who obtains the token can read every claim; the signature protects integrity, not confidentiality. A token kept in browser storage is readable by any script running on the page.
  32. API SECURITY
     - Brute Force
     - Cross Site Scripting
     - DDoS
     - SQL Injection
     - Cross Site Request Forgery
     - Tokens
     - Authentication
     - Whitelisting
     - API management services