APIs Exposed! @ BuildStuff.lt

More and more developers are building APIs, whether that be for consumption by client-side applications, exposing endpoints directly to customers so they can use an alternative front-end or wrapping up services in containers.

Now that we have all these exposed endpoints, what are we doing to secure them? Previously, our monolith was self-contained with limited points of access, making authentication and authorisation more straightforward - that's no longer the case.

We'll cover the potential risks we may face, such as cross-site scripting and brute-force attacks, as well as a look at the possible options for securing API endpoints, including OAuth, access tokens, JSON Web Tokens, IP whitelisting and rate limiting, to name but a few.

Layla Porter

November 15, 2018

Transcript

  1. APIS EXPOSED! An encounter with HTTP API security. How it can all go wrong and how to prevent it.

  2. LAYLA PORTER - Developer Evangelist @ Twilio, MK.NET Organiser, ASP.NET C# Engineer

  3. HTTP API - Application Program Interface

  4. Structure of an API

  10. COMMON ATTACK VECTORS: Brute Force, DDoS, Cross Site Scripting, SQL Injection, Cross Site Request Forgery

  16. OWASP Top 10 Application Security Risks 2017 https://www.owasp.org/index.php/Top_10-2017_Top_10

  17. HUMANS

  23. BRUTE FORCE

  24. BRUTE FORCE: Repeatedly trying many passwords or passphrases with the hope of eventually guessing correctly.
  33. PREVENTING BRUTE FORCE ATTACKS
    - Account Lockout: for example, account is locked after 3 failed attempts.
    - Progressive Delays: account is locked for a set period of time which increases with each subsequent failed attempt.
    - Challenge-Response: ensures the user is, in fact, a human.
    - Two Factor Authentication: requires an additional piece of information that only the real user should have available.

  38. TWO FACTOR AUTHENTICATION: TOTP - Time-Based One Time Passwords. Requires an additional piece of information that only the real user should have available.
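The lockout, progressive-delay and TOTP ideas from the slides above, combined into one login guard. This is an added example, not code from the talk: the attempt tracker is an in-memory stand-in for whatever store the API uses, the clock is injected so the behaviour can be checked without waiting, and the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) so it can be checked against the RFC's published test vector.

```python
import hashlib
import hmac
import struct
import time

# Policy from the slide: lock after 3 failures, and each further failure
# doubles the lock duration (progressive delays). Values are constructed.
MAX_FAILURES = 3
BASE_LOCK_SECONDS = 30


class LoginGuard:
    """Tracks consecutive failed logins per account (in-memory, for the example)."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so the policy is testable
        self._failures = {}          # account -> consecutive failures
        self._locked_until = {}      # account -> unix time at which the lock expires

    def is_locked(self, account):
        return self._now() < self._locked_until.get(account, 0.0)

    def record_failure(self, account):
        """Returns the lock duration applied (0 if the account is not yet locked)."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= MAX_FAILURES:
            # 3rd failure -> 30 s, 4th -> 60 s, 5th -> 120 s, ...
            lock = BASE_LOCK_SECONDS * 2 ** (n - MAX_FAILURES)
            self._locked_until[account] = self._now() + lock
            return lock
        return 0

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the 'something only the real user has' factor."""
    counter = int(for_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, for_time, step=30, window=1):
    """Accept the current step and +/- `window` neighbours to absorb clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, for_time + drift * step, step), code):
            return True
    return False


def login(guard, account, password_ok, otp, totp_secret, now):
    """password_ok is the result of the normal credential check (outside this example)."""
    if guard.is_locked(account):
        return "locked"                      # do not even evaluate the credentials
    if not (password_ok and verify_totp(totp_secret, otp, now)):
        lock = guard.record_failure(account)
        return f"locked for {lock}s" if lock else "denied"
    guard.record_success(account)
    return "ok"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, constructed example only
    clock = [1000.0]
    guard = LoginGuard(now=lambda: clock[0])
    for _ in range(3):
        print(login(guard, "alice", False, "000000", secret, clock[0]))
    print(login(guard, "alice", True, totp(secret, clock[0]), secret, clock[0]))
    clock[0] += 31
    print(login(guard, "alice", True, totp(secret, clock[0]), secret, clock[0]))
```

Note that a locked account returns before the password or OTP is inspected, so a lockout also stops an attacker from learning anything about the credentials while it lasts; the response strings are deliberately the same for a wrong password and a wrong OTP.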
  39. DDOS

  40. DISTRIBUTED DENIAL OF SERVICE - AKA DDOS: When multiple systems flood the bandwidth or resources of a targeted system.
  43. PREVENTING DDOS ATTACKS
    - Evaluate hosting partner: many providers offer basic protection.
    - Scalability: automatically scale services to cope with load.
    - Traffic monitoring: knowledge of normal traffic.
    - Cloud mitigation providers: premium services.

  47. PREVENTING DDOS ATTACKS
    - Rate Limiting: limit the rate and speed at which a user can consume the API.
    - API Throttling: limit the total number of hits on the API by a user during a given period.
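The slide draws a distinction between rate limiting (how fast a client may call) and throttling (how many calls in total per period). The following added example, which is not code from the talk or from the AspNetCoreRateLimit library it mentions, implements both as separate policies keyed by client: a token bucket for the rate and a fixed-window counter for the quota. Limits and the client keys are constructed values; the clock is injected so the refill arithmetic can be checked.

```python
import time
from collections import defaultdict


class TokenBucket:
    """Rate limiting: each client gets `burst` tokens, refilled at `rate_per_sec`."""

    def __init__(self, rate_per_sec, burst, now=time.monotonic):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self._now = now
        self._state = {}  # client key -> (tokens, time of last refill)

    def allow(self, key):
        now = self._now()
        tokens, last = self._state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)  # rejected requests do not consume a token
        return False


class QuotaThrottle:
    """API throttling: at most `limit` hits per client within each fixed period."""

    def __init__(self, limit, period_sec, now=time.time):
        self.limit = limit
        self.period = period_sec
        self._now = now
        self._counts = defaultdict(int)  # (client key, window index) -> hits

    def allow(self, key):
        window = int(self._now() // self.period)
        if self._counts[(key, window)] >= self.limit:
            return False
        self._counts[(key, window)] += 1
        return True


def handle(limiter, throttle, client_key):
    """Status an API gateway would return; 429 when either policy rejects.

    The rate check runs first so a burst that is rejected does not eat quota.
    """
    if not limiter.allow(client_key):
        return 429, "too many requests per second"
    if not throttle.allow(client_key):
        return 429, "quota exceeded for this period"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed policy: 1 request/second with a burst of 3, and 5 requests/hour.
    clock = [0.0]
    rate = TokenBucket(rate_per_sec=1, burst=3, now=lambda: clock[0])
    quota = QuotaThrottle(limit=5, period_sec=3600, now=lambda: clock[0])
    for _ in range(4):
        print(handle(rate, quota, "api-key-1"))
```

In production the client key is whatever identifies the caller (API key, authenticated user, or, as a last resort, source IP), and the state lives in a shared store such as Redis rather than a process-local dictionary, otherwise each instance behind the load balancer enforces its own, weaker, limit.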
  48. DEMO

  49. XSS

  50. CROSS-SITE SCRIPTING - AKA XSS: When malicious code is injected into a vulnerable web app.
  54. PREVENTING XSS ATTACKS https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

  56. PREVENTING XSS ATTACKS
    - Input management: escaping, validating and sanitizing.
    - HTTPOnly cookie flag: prevents JavaScript from accessing your cookie.
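Both items on the slide above, as an added example that is not from the talk: output escaping for an HTML context, an allowlist validator for a field that should never contain markup, and a Set-Cookie value carrying the HttpOnly flag (plus Secure and SameSite, which the slide does not mention but belong beside it). Everything uses the Python standard library; the field names and the sample session id are constructed.

```python
import html
import re
from http.cookies import SimpleCookie

# Allowlist for a field that has no business containing markup (constructed rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def validate_username(value):
    """Validation: reject anything outside the allowed alphabet rather than cleaning it."""
    return bool(USERNAME_RE.match(value))


def render_greeting(untrusted_name):
    """Escaping: encode untrusted text for the HTML body context it is inserted into.

    html.escape turns < > & " ' into entities, so the browser renders the text
    instead of parsing it as markup. Attribute and JavaScript contexts need
    their own encoders; see the OWASP cheat sheet linked on the slide.
    """
    return f"<p>Hello, {html.escape(untrusted_name, quote=True)}!</p>"


def session_cookie_header(session_id):
    """Set-Cookie value with HttpOnly so script in the page cannot read the session."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True   # not exposed via document.cookie
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    print(validate_username("layla_p"), validate_username("<b>layla</b>"))
    print(render_greeting("<script>alert(1)</script>"))
    print("Set-Cookie:", session_cookie_header("c0n5tructed-session-id"))
```

The HttpOnly flag does not stop a script injection from happening; it limits what an injected script can steal. Escaping on output and validating on input are what stop the injection itself.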
  58. SQL INJECTION

  59. SQL INJECTION ATTACKS

  60. SQL INJECTION ATTACKS - Username: xxx@xxx.xx  Password: ' or 1=1; drop * from Users'

  61. PREVENTING SQL INJECTION ATTACKS https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
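The login form on slide 60 builds its query by concatenating the password field into the SQL text. The following added example (not from the talk) shows that query beside the parameterised form the OWASP cheat sheet recommends, running against an in-memory SQLite table constructed for the purpose. The `' or 1=1` trick from the slide is used as the password; the `drop` half is left out because SQLite refuses stacked statements in a single `execute` call. Passwords are stored in clear only to keep the example short; a real table holds password hashes.

```python
import sqlite3


def make_db():
    """Constructed fixture: one user, as the slide's Users table might look."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (email TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO Users VALUES ('alice@example.com', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """What the slide is warning about: user input becomes part of the SQL text.

    With password = "' or 1=1 --" the WHERE clause becomes
        email = 'xxx@xxx.xx' AND password = '' or 1=1 --'
    which is true for every row, so the check passes without a valid credential.
    """
    sql = (
        "SELECT COUNT(*) FROM Users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, email, password):
    """Parameterised query: the driver sends the values separately from the SQL,
    so a quote in the password is just a character in a string, never syntax."""
    sql = "SELECT COUNT(*) FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    injected = "' or 1=1 --"
    print("vulnerable:", login_vulnerable(db, "xxx@xxx.xx", injected))   # True
    print("safe:      ", login_safe(db, "xxx@xxx.xx", injected))         # False
    print("safe, real:", login_safe(db, "alice@example.com", "correct-horse"))
```

The fix is not to filter quotes out of the input; it is to stop assembling SQL from strings at all, so that no input, filtered or not, can reach the parser as code.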

  63. CSRF Photo: Nicky Bay

  64. CROSS-SITE REQUEST FORGERY - AKA CSRF: When an attack vector tricks a web browser into executing an unwanted action.

  67. PREVENTING CSRF ATTACKS
    - Origin and/or Referer header: checks that the request is coming from the expected source.
    - Good authentication methods: use API keys or sophisticated mechanisms like OAuth.
    - Anti Forgery Tokens (Double Submit Method, Encrypted Token Pattern): random value in both cookie and request parameter; particularly good for reflected XSS attacks.
    - HTTPOnly cookie flag.

  68. OAuth (PREVENTING CSRF ATTACKS): An open standard for authorization, commonly used as a way for Internet users to log into third party websites using their Microsoft, Google, Facebook or Twitter accounts without exposing their password.
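Two of the checks from the slide above in code: the Origin/Referer source check and the double-submit anti-forgery token (the same random value in a cookie and in the request). This is an added example, not code from the talk; the allowed origin, the header and form names, and the requests at the bottom are constructed. Each check is a plain function so it can sit in any framework's middleware.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Sites whose pages are allowed to make state-changing calls (constructed value).
ALLOWED_ORIGINS = {"https://app.example.com"}


def issue_csrf_token():
    """Random value the server sets in a cookie; the page echoes it back in each request."""
    return secrets.token_urlsafe(32)


def origin_ok(headers):
    """Origin header, or Referer as a fallback, must name one of our own sites.

    Browsers set these headers themselves; a page on another site cannot forge
    them. A request carrying neither is rejected rather than trusted.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def csrf_ok(cookies, form):
    """Double submit: cookie value and request parameter must be present and equal.

    A cross-site page can cause the browser to send the cookie, but it cannot
    read the cookie's value to copy it into the form, so the two cannot match.
    """
    cookie_token = cookies.get("csrf_token", "")
    form_token = form.get("csrf_token", "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)


def handle_state_change(headers, cookies, form):
    """Guard for any POST/PUT/DELETE endpoint; returns (status, reason)."""
    if not origin_ok(headers):
        return 403, "bad origin"
    if not csrf_ok(cookies, form):
        return 403, "csrf token mismatch"
    return 200, "ok"


if __name__ == "__main__":
    token = issue_csrf_token()
    own_site = {"Origin": "https://app.example.com"}
    print(handle_state_change(own_site, {"csrf_token": token}, {"csrf_token": token}))
    # Same cookie (the browser attaches it), but the request comes from elsewhere
    # and its form cannot contain the cookie's value.
    print(handle_state_change({"Origin": "https://other.example"}, {"csrf_token": token}, {}))
```

The double-submit pattern only holds while the cookie's value stays secret from scripts running on other sites, which is why the slide lists it together with the HttpOnly flag and input management: an XSS hole on the same origin defeats it.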
  74. FURTHER IDEAS

  75. API MANAGEMENT SERVICES Take the hassle out of API management

  77. IP WHITELISTING Only approved IPs can access API
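An IP allowlist check as an added example (not from the talk), covering the point that trips most deployments: when the API sits behind a load balancer or reverse proxy, the peer address is the proxy's, and the real client address arrives in `X-Forwarded-For`, a header any client can also set. The code therefore believes that header only when the direct peer is one of the known proxies. The networks are constructed values from the documentation ranges.

```python
import ipaddress

# Constructed: who may call the API (RFC 5737 / RFC 3849 documentation ranges).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
# Constructed: our own reverse proxies / load balancers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(remote_addr, x_forwarded_for=None):
    """Resolve the address to check; raises ValueError on malformed input."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        # Our proxy appends the address it saw as the last element; earlier
        # elements were supplied by the client and are not trusted.
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    # Direct connection (or a header we must not trust): use the peer address.
    return peer


def is_allowed(remote_addr, x_forwarded_for=None):
    try:
        ip = client_ip(remote_addr, x_forwarded_for)
    except ValueError:
        return False  # garbage in the header or peer address: fail closed
    return any(ip in net for net in ALLOWED_NETWORKS)


if __name__ == "__main__":
    print(is_allowed("203.0.113.10"))                       # direct, allowed
    print(is_allowed("10.0.0.5", "203.0.113.10"))           # via our proxy, allowed
    print(is_allowed("198.51.100.7", "203.0.113.10"))       # header set by a stranger
```

Allowlisting is only as strong as the address it checks, so the proxy itself must overwrite, not append to, any `X-Forwarded-For` it receives from the outside, or the last element can still be attacker-chosen.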

  78. JSON WEB TOKENS - AKA JWT: A token format used in authorization headers. Often referred to as a bearer token and consists of 3 parts: header.payload.signature

  82. JSON WEB TOKENS - AKA JWT: Be careful what you put in the JWT and where you store it.

  83. JSON WEB TOKENS - AKA JWT: JWTs are encoded and signed, not encrypted.
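The three slides above in working code, as an added example that is not from the talk: a minimal HS256 signer and verifier built from the standard library (no JWT library), plus a `peek_payload` that reads the claims without any key, which is the concrete meaning of "encoded and signed, not encrypted". The secret, claims and expiry values are constructed; a real service would use a proper JWT library, but the checks shown (pinning the algorithm, constant-time signature comparison, expiry) are the ones it must perform.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload, secret):
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def peek_payload(token):
    """No secret needed: whoever holds the token can read every claim in it."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token, secret, now):
    """Return the claims if the token is genuine and unexpired, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return None  # decide the algorithm server-side; never from the token
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # signature does not cover these bytes: tampered or wrong key
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    token = sign_hs256({"sub": "alice", "role": "user", "exp": 2000}, secret)
    print(token)
    print("readable without the key:", peek_payload(token))
    print("valid at t=1000:", verify_hs256(token, secret, now=1000))
    print("expired at t=2000:", verify_hs256(token, secret, now=2000))
```

Because `peek_payload` works without the key, nothing that should stay private (passwords, personal data beyond what the consumer needs) belongs in the claims, and because the token is a bearer credential, where the client stores it decides who can present it: a token readable by page scripts is exposed to exactly the XSS problems covered earlier in the deck.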
  84. API SECURITY: Brute Force, Cross Site Scripting, DDoS, SQL Injection, Cross Site Request Forgery, Tokens, Authentication, Whitelisting, API management services
  85. NOTABLE MENTIONS: AspNetCoreRateLimit https://github.com/stefanprodan/AspNetCoreRateLimit - Authy https://authy.com/ - OWASP https://www.owasp.org

  86. THANK YOU! GitHub: layla-p Twitter: @LaylaCodesIt Email: lporter@twilio.com