Upgrade to Pro — share decks privately, control downloads, hide ads and more …

APIs Exposed! @ BuildStuff.lt

Layla Porter
November 15, 2018
Technology
0
68

APIs Exposed! @ BuildStuff.lt

More and more developers are building APIs, whether that be for consumption by client-side applications, exposing endpoints directly to customers so they can use an alternative front-end or wrapping up services in containers.

Now that we have all these exposed endpoints, what are we doing to secure them? Previously, our monolith was self-contained with limited points of access making authentication and authorisation more straightforward - that’s no longer the case.

We’ll cover the potential risks we may face such as cross-site scripting and BruteForce attacks as well as a look at the possible options for securing API endpoints including OAuth, Access Tokens, JSON web tokens, IP whitelisting, rate limiting to name but a few.

Layla Porter

November 15, 2018
Tweet

More Decks by Layla Porter

See All by Layla Porter
TDD and the Terminator
laylacodesit
0
81
TDD and the Terminator
laylacodesit
0
830

Other Decks in Technology

See All in Technology
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
270
データベース02: データベースの概念
trycycle
0
180
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
3
610
On Your Data を超えていく!
hirotomotaguchi
2
750
Grafana x PagerDuty Better Together
jacopen
1
240
The AI Revolution Will Not Be Monopolized: Behind the scenes
inesmontani
PRO
1
150
ルーターでプレゼンする
puhitaku
1
3.2k
Handling focus in 2024
tahia910
0
200
ServiceNow Now Platform 最新版 Washington, D.C.リリース
manarobot
0
100
アクセス制御にまつわる改善 / Improving access control
itkq
0
580
成長をサポートするピープルマネジメントのやり方
sioncojp
1
150
Babylon.jsと色々なものを組み合わせる:ブラウザのAPIやガジェットや2D描画ライブラリなど / Babylon.js 勉強会 vol.3
you
PRO
0
150

Featured

See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
PRO
19
6.9k
Product Roadmaps are Hard
iamctodd
45
9.7k
For a Future-Friendly Web
brad_frost
172
9k
The Invisible Customer
myddelton
114
12k
Building Effective Engineering Teams - LeadDev
addyosmani
31
1.9k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
Faster Mobile Websites
deanohume
300
30k
Teambox: Starting and Learning
jrom
128
8.4k
The Invisible Side of Design
smashingmag
294
49k
[RailsConf 2023] Rails as a piece of cake
palkan
27
4k
Gamification - CAS2011
davidbonilla
76
4.6k
How GitHub (no longer) Works
holman
305
140k

Transcript

  1. APIS EXPOSED! An encounter with HTTP API security. How it

    can all go wrong and how to prevent it.

  2. LAYLA PORTER Developer Evangelist @ Twilio MK.NET Organiser ASP.NET C#

    Engineer

  3. HTTP API Application Program Interface

  4. Structure of an API

  5. Structure of an API

  6. Structure of an API

  7. Structure of an API

  8. Structure of an API

  9. Structure of an API

  10. Brute Force COMMON ATTACK VECTORS

  11. Brute Force COMMON ATTACK VECTORS DDoS

  12. COMMON ATTACK VECTORS Cross Site Scripting DDoS

  13. COMMON ATTACK VECTORS Cross Site Scripting SQL Injection

  14. COMMON ATTACK VECTORS SQL Injection Cross Site Request Forgery

  15. COMMON ATTACK VECTORS Cross Site Request Forgery

  16. OWASP Top 10 Application Security Risks 2017 https:/ /www.owasp.org/index.php/ Top_10-2017_Top_10

  17. HUMANS

  18. None
  19. None
  20. None
  21. None
  22. None

  23. BRUTE FORCE

  24. BRUTE FORCE Repeatedly trying many passwords or passphrases with the

    hope of eventually guessing correctly.

  25. BRUTE FORCE Repeatedly trying many passwords or passphrases with the

    hope of eventually guessing correctly.

  26. BRUTE FORCE Repeatedly trying many passwords or passphrases with the

    hope of eventually guessing correctly.

  27. BRUTE FORCE Repeatedly trying many passwords or passphrases with the

    hope of eventually guessing correctly.

  28. BRUTE FORCE Repeatedly trying many passwords or passphrases with the

    hope of eventually guessing correctly.

  29. BRUTE FORCE Repeatedly trying many passwords or passphrases with the

    hope of eventually guessing correctly.

  30. BRUTE FORCE Repeatedly trying many passwords or passphrases with the

    hope of eventually guessing correctly.

  31. BRUTE FORCE Repeatedly trying many passwords or passphrases with the

    hope of eventually guessing correctly.

  32. BRUTE FORCE Repeatedly trying many passwords or passphrases with the

    hope of eventually guessing correctly.

  33. For example, account is locked after 3 failed attempts. Account

    Lockout Account is locked for a set period of time which increases with each subsequent failed attempt Progressive Delays Ensures the user is, in fact, a human. Challenge-Response PREVENTING BRUTE FORCE ATTACKS Requires an additional piece of information that only the real user should have available Two Factor Authentication

  34. For example, account is locked after 3 failed attempts. Account

    Lockout Account is locked for a set period of time which increases with each subsequent failed attempt Progressive Delays Ensures the user is, in fact, a human. Challenge-Response PREVENTING BRUTE FORCE ATTACKS Requires an additional piece of information that only the real user should have available Two Factor Authentication

  35. For example, account is locked after 3 failed attempts. Account

    Lockout Account is locked for a set period of time which increases with each subsequent failed attempt Progressive Delays Ensures the user is, in fact, a human. Challenge-Response PREVENTING BRUTE FORCE ATTACKS Requires an additional piece of information that only the real user should have available Two Factor Authentication

  36. Ensures the user is, in fact, a human. Challenge-Response

  37. For example, account is locked after 3 failed attempts. Account

    Lockout Account is locked for a set period of time which increases with each subsequent failed attempt Progressive Delays Ensures the user is, in fact, a human. Challenge-Response PREVENTING BRUTE FORCE ATTACKS Requires an additional piece of information that only the real user should have available Two Factor Authentication

  38. Requires an additional piece of information that only the real

    user should have available Two Factor Authentication TOTP - Time-Based One Time Passwords

  39. DDOS

  40. DISTRIBUTED DENIAL OF SERVICE - AKA DDOS When multiple systems

    flood the bandwidth or resources of a targeted system

  41. DISTRIBUTED DENIAL OF SERVICE - AKA DDOS When multiple systems

    flood the bandwidth or resources of a targeted system

  42. DISTRIBUTED DENIAL OF SERVICE - AKA DDOS When multiple systems

    flood the bandwidth or resources of a targeted system

  43. Many providers offer basic protection. Evaluate hosting partner Automatically scale

    services to cope with load Scalability Knowledge of normal traffic Traffic monitoring PREVENTING DDOS ATTACKS Premium services Cloud mitigation providers

  44. Many providers offer basic protection. Evaluate hosting partner Automatically scale

    services to cope with load Scalability Knowledge of normal traffic Traffic monitoring PREVENTING DDOS ATTACKS Premium services Cloud mitigation providers

  45. Many providers offer basic protection. Evaluate hosting partner Automatically scale

    services to cope with load Scalability Knowledge of normal traffic Traffic monitoring PREVENTING DDOS ATTACKS Premium services Cloud mitigation providers

  46. Many providers offer basic protection. Evaluate hosting partner Automatically scale

    services to cope with load Scalability Knowledge of normal traffic Traffic monitoring PREVENTING DDOS ATTACKS Premium services Cloud mitigation providers

  47. Limit the rate and speed at which a user can

    consume the API Rate Limiting PREVENTING DDOS ATTACKS Limit the total number of hits on the API by a user during a given period API Throttling

  48. DEMO

  49. XSS

  50. CROSS-SITE SCRIPTING - AKA XSS When malicious code is injected

    into a vulnerable web app.

  51. CROSS-SITE SCRIPTING - AKA XSS When malicious code is injected

    into a vulnerable web app.

  52. CROSS-SITE SCRIPTING - AKA XSS When malicious code is injected

    into a vulnerable web app.

  53. CROSS-SITE SCRIPTING - AKA XSS When malicious code is injected

    into a vulnerable web app.

  54. PREVENTING XSS ATTACKS https://www.owasp.org/index.php/ XSS_(Cross_Site_Scripting)_Prevention_C heat_Sheet

  55. PREVENTING XSS ATTACKS https://www.owasp.org/index.php/ XSS_(Cross_Site_Scripting)_Prevention_C heat_Sheet

  56. PREVENTING XSS ATTACKS HTTPOnly cookie flag Escaping, validating and sanitizing

    Input management Prevents JavaScript from accessing your cookie

  57. HTTPOnly cookie flag Escaping, validating and sanitizing Input management PREVENTING

    XSS ATTACKS Prevents JavaScript from accessing your cookie

  58. SQL INJECTION

  59. SQL INJECTION ATTACKS

  60. Username: [email protected] Password: ‘ or 1=1; drop * from Users’

    SQL INJECTION ATTACKS

  61. PREVENTING SQL INJECTION ATTACKS https://www.owasp.org/index.php/ SQL_Injection_Prevention_Cheat_Sheet

  62. PREVENTING SQL INJECTION ATTACKS https://www.owasp.org/index.php/ SQL_Injection_Prevention_Cheat_Sheet

  63. CSRF Photo: Nicky Bay

  64. CROSS-SITE REQUEST FORGERY - AKA CSRF When an attack vector

    tricks a web browser into executing an unwanted action

  65. CROSS-SITE REQUEST FORGERY - AKA CSRF When an attack vector

    tricks a web browser into executing an unwanted action

  66. CROSS-SITE REQUEST FORGERY - AKA CSRF When an attack vector

    tricks a web browser into executing an unwanted action

  67. HTTPOnly cookie flag Checks that the request is coming from

    the expected source Origin and/or Referrer header Use API keys or sophisticated mechanisms like OAuth Good authentication methods PREVENTING CSRF ATTACKS Random value in both cookie and request parameter Anti Forgery Tokens Particularly good for reflected XSS attacks Double Submit Method Encrypted Token Pattern

  68. An open standard for authorization, commonly used as a way

    for Internet users to log into third party websites using their Microsoft, Google, Facebook or Twitter accounts without exposing their password. OAuth PREVENTING CSRF ATTACKS

  69. HTTPOnly cookie flag Checks that the request is coming from

    the expected source Origin and/or Referer header Use API keys or sophisticated mechanisms like OAuth Good authentication methods PREVENTING CSRF ATTACKS Random value in both cookie and request parameter Particularly good for reflected XSS attacks Double Submit Method Encrypted Token Pattern

  70. Checks that the request is coming from the expected source

    Origin and/or Referer header Use API keys or sophisticated mechanisms like OAuth Good authentication methods PREVENTING CSRF ATTACKS Random value in both cookie and request parameter Particularly good for reflected XSS attacks Double Submit Method Encrypted Token Pattern HTTPOnly cookie flag

  71. Checks that the request is coming from the expected source

    Origin and/or Referer header Use API keys or sophisticated mechanisms like OAuth Good authentication methods PREVENTING CSRF ATTACKS Random value in both cookie and request parameter Particularly good for reflected XSS attacks Double Submit Method Encrypted Token Pattern HTTPOnly cookie flag

  72. HTTPOnly cookie flag Checks that the request is coming from

    the expected source Origin and/or Referer header Use API keys or sophisticated mechanisms like OAuth Good authentication methods PREVENTING CSRF ATTACKS Random value in both cookie and request parameter Particularly good for reflected XSS attacks Double Submit Method Encrypted Token Pattern HTTPOnly cookie flag
  73. None

  74. FURTHER IDEAS

  75. API MANAGEMENT SERVICES Take the hassle out of API management

  76. None

  77. IP WHITELISTING Only approved IPs can access API

  78. JSON WEB TOKENS - AKA JWT A token format used

    in authorization headers Often referred to as a bearer token and consists of 3 parts. header.payload.signature

  79. JSON WEB TOKENS - AKA JWT A token format used

    in authorization headers Often referred to as a bearer token and consists of 3 parts. 1. Header Often referred to as a bearer token and consists of 3 parts.

  80. JSON WEB TOKENS - AKA JWT A token format used

    in authorization headers Often referred to as a bearer token and consists of 3 parts.

  81. JSON WEB TOKENS - AKA JWT A token format used

    in authorization headers Often referred to as a bearer token and consists of 3 parts.

  82. JSON WEB TOKENS - AKA JWT Be careful what you

    put in the JWT and where you store it

  83. JSON WEB TOKENS - AKA JWT JWTs are encoded and

    signed, not encrypted.

  84. API SECURITY Brute Force Cross Site Scripting DDoS SQL Injection

    Cross Site Request Forgery Tokens Authentication Whitelisting API management services

  85. NOTABLE MENTIONS AspNetCoreRateLimit https://github.com/stefanprodan/ AspNetCoreRateLimit Authy https://authy.com/ OWASP https://www.owasp.org

  86. THANK YOU! GitHub: layla-p Twitter: @LaylaCodesIt Email: [email protected]