Slide 1

Securing your (RESTful) API
Reuben Cummings, @reubano
Arusha Coders, May 5, 2015 (Updated May 10, 2015)

Slide 2

What’s an API? An application programming interface (API) is a standardized way of accessing data from a web server

Slide 3

What’s an API? (diagram: the client sends a request to the server, and the server returns data)

Slide 4

What’s REST? Representational State Transfer (REST) is an architecture for designing networked applications

Slide 5

What’s REST? It uniquely identifies data resources via HTTP URIs:
  /api.example.com/bike
  /api.example.com/user
  /api.example.com/car/43

Slide 6

What’s REST? A standard interface for interacting with resources:
  GET /api.example.com/bike/300
  {"brand": "Schwinn", "color": "red"}

Slide 7

What’s REST? Stateless: does not require the server to retain session information about each user

Slide 8

What’s REST? Scalable: easy to add more servers since they don’t have to sync session state

Slide 9

Authentication Options
  - Passwords
  - Sessions
  - JSON Web Tokens (JWTs)
  - API Keys, OAuth, etc.

Slide 10

What’s a JSON Web Token? A base64 encoded JSON object that represents a payload to be transferred between two parties.

Slide 11

What’s a JSON Web Token? The JSON object is digitally signed using a JSON Web Signature (JWS) and optionally encrypted using JSON Web Encryption (JWE).

Slide 12

JWTs: Header
  {
    "alg": "HS256",  // algorithm (reject token if "alg" == "none")
    "typ": "JWT"     // type
  }

Slide 13

JWTs: Payload (Claims)
  {
    "sub": "rlc@nervu.com",  // Subject (user)
    "iss": "nerevu.com",     // Issuer (server)
    "aud": "89yfxg498",      // Audience (ClientID)
    "iat": 1300819370,       // Issued At (timestamp)
    "exp": 1300819380        // Expiration Time
  }
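A worked example added here (not from the slides or the author's repository): minting and verifying an HS256 token that carries the header and claims above, using only the Python standard library. The shared key SECRET and the optional `now` argument that stands in for the clock are assumptions made for this example.

```python
# Added example (not the slides' code): mint and verify an HS256 JWT carrying
# the header and claims on the slides, standard library only. SECRET is constructed.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: the server's HMAC key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def encode(claims: dict, key: bytes = SECRET) -> str:
    """Issue a token: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = sign(f"{h}.{p}".encode(), key)
    return f"{h}.{p}.{b64url(sig)}"

def verify(token, key=SECRET, iss="nerevu.com", aud="89yfxg498", now=None):
    """Return the claims if the token is valid, otherwise raise ValueError."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Slide 12: pin the algorithm you issue; "none" or anything else is
    # rejected before the signature is even looked at.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = sign(f"{h}.{p}".encode(), key)
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now  # slide 13: exp check
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("wrong issuer or audience")
    return claims
```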

Slide 14

http://jwt.io

Slide 15

Authentication Showdown

              Passwords   Sessions   JWTs
  Stateless   Yes         No         Yes
  Expireable  No          Yes        Yes
  Scopeable   No          No         Yes
  Multiple    No          No         Yes

Slide 16

Authentication Showdown: JWTs rock! But where do you store the token once you have it?

Slide 17

JWT Client Storage Options: Cookies vs Web Storage

Slide 18

Authentication Steps: Login with username and password

                 Cookies                       Web Storage (session/local)
  Client Action  send username & password      send username & password
  Server Action  verify username & password    verify username & password

Slide 19

Authentication Steps: Receive JWT

                 Cookies                         Web Storage (session/local)
  Server Action  Set `Cookie` Header with JWT    Set response body with JWT
  Client Action  No action                       Save JWT to storage

Slide 20

Authentication Steps: Use JWT for subsequent requests

                 Cookies                                Web Storage (session/local)
  Client Action  No action                              Set `Authorization` Header with JWT
  Server Action  Parse `Cookie` Header and verify JWT   Parse `Authorization` Header and verify JWT

Slide 21

Authentication Steps: “Logout” by deleting JWT

                 Cookies                          Web Storage (session/local)
  Client Action  Set expiration to a past date    Clear storage value
  Server Action  No action                        No action

Slide 22

Browser Exploits: man-in-the-middle attack (MITM) (diagram: normal traffic flows between Your Client and Your Server; intercepted traffic passes through the Attacker’s Server)

Slide 23

Browser Exploits: cross-site scripting (XSS) (diagram labels: Browser, Your Client, Your JS, Vendor JS, Your data)

Slide 24

Browser Exploits: cross-site request forgery (CSRF) (diagram labels: Browser, Attacker’s Client, User, Your Server, Your Client, User’s Cookie)

Slide 25

JWT Client Storage Showdown: Exploit Vulnerability

          Cookies      Web Storage (session/local)
  MITM    Vulnerable   Vulnerable
  CSRF    Vulnerable   Immune
  XSS     Vulnerable   Vulnerable

Slide 26

JWT Client Storage Showdown: Exploit Mitigation Steps

          Cookies                      Web Storage (session/local)
  MITM    set `Secure` flag            use HTTPS
  CSRF    set `X-XSRF-TOKEN` header    No action needed
  XSS     set `HttpOnly` flag          use JSON Web Encryption (JWE) [8,9]
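An added example (not the slides' own code) covering the server side of the four Authentication Steps slides together with the mitigation table above: the login response for each storage option, with the `Secure` and `HttpOnly` flags in the cookie case, and extraction of the JWT from either the `Cookie` or the `Authorization` header, with the X-XSRF-TOKEN check applied only to the cookie path. The request dict shape, the cookie names and treating the JWT as already verified are assumptions for the example.

```python
# Added example (not the slides' code): server side of the cookie and
# web-storage flows, with the Secure/HttpOnly and X-XSRF-TOKEN mitigations.
# The request shape {"headers": {...}} and cookie names are assumptions;
# the JWT itself is treated as opaque (already verified elsewhere).
from http.cookies import SimpleCookie
import hmac
import secrets

def login_response(jwt: str, mode: str) -> dict:
    """Slide 19: cookie mode sets the JWT in a cookie with HttpOnly (XSS) and
    Secure (MITM), plus a JS-readable XSRF-TOKEN cookie for the CSRF check;
    storage mode returns the JWT in the body for the client to save."""
    if mode == "cookie":
        xsrf = secrets.token_urlsafe(16)  # double-submit token
        return {"headers": {"Set-Cookie": [
            f"jwt={jwt}; HttpOnly; Secure; Path=/",
            f"XSRF-TOKEN={xsrf}; Secure; Path=/",
        ]}, "body": {}}
    return {"headers": {}, "body": {"token": jwt}}

def extract_token(request: dict) -> str:
    """Slide 20: return the JWT carried by a request, or raise PermissionError."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        # Web-storage flow: the client attached the header itself, so a
        # cross-site page could not have sent it; no CSRF check needed.
        return auth[len("Bearer "):]
    cookie = SimpleCookie(headers.get("cookie", ""))
    if "jwt" not in cookie:
        raise PermissionError("no credentials")
    # Cookie flow: the browser attaches the cookie on any request, so the
    # X-XSRF-TOKEN header must echo the XSRF-TOKEN cookie (slides 26, 29).
    sent = headers.get("x-xsrf-token", "")
    expected = cookie["XSRF-TOKEN"].value if "XSRF-TOKEN" in cookie else ""
    if not expected or not hmac.compare_digest(sent, expected):
        raise PermissionError("CSRF check failed")
    return cookie["jwt"].value
```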

Slide 27

Cross Origin Resource Sharing (CORS) (diagram labels: Your Client, 3rd Party Client, Your CORS Server, Your non-CORS Server, with request arrows between them)

Slide 28

JWT Client Storage Showdown: Features

                   Cookies   Web Storage (session/local)
  Mobile Friendly  No        Yes
  CORS Friendly    No        Yes

Slide 29

Storage Recommendations
  - Use web storage only if your JWT library supports JWE
  - Validate X-XSRF-TOKEN server side if using cookies

Slide 30

https://github.com/reubano/arusha-coders-api

Slide 31

Sources
  1. http://www.slideshare.net/stormpath/secure-your-rest-api-the-right-way
  2. https://stormpath.com/blog/jwt-the-right-way/
  3. http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1
  4. http://www.slideshare.net/derekperkins/authentication-cookies-vs-jwts-and-why-youre-doing-it-wrong

Slide 32

Sources
  5. “RESTful Web API” by Nicola Iarocci
  6. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/
  7. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
  8. https://github.com/berngp/node-green-jwt
  9. https://github.com/square/js-jose

Slide 33

Sources
  10. https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies
  11. https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
  12. https://auth0.com/blog/2014/01/15/auth-with-socket-io/
  13. http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/

Slide 34

Sources
  14. https://auth0.com/blog/2015/03/10/blacklist-json-web-token-api-keys/

Slide 35

Questions?? Thank you!
Reuben Cummings, @reubano