Securing your (RESTful) API
Reuben Cummings
@reubano
Arusha Coders
May 5, 2015 (Updated May 10, 2015)
Slide 2
What’s an API?
An application programming interface (API) is a standardized way of accessing data from a web server.
Slide 3
What’s an API?
(Diagram: the client sends a request to the server; the server returns data.)
Slide 4
What’s REST?
Representational State Transfer (REST) is an architecture for designing networked applications.
Slide 5
What’s REST?
It uniquely identifies data resources via HTTP URIs:
/api.example.com/bike
/api.example.com/user
/api.example.com/car/43
Slide 6
What’s REST?
A standard interface for interacting with resources:
GET /api.example.com/bike/300
{"brand": "Schwinn", "color": "red"}
Slide 7
What’s REST?
Stateless: does not require the server to retain session information about each user.
Slide 8
What’s REST?
Scalable: easy to add more servers since they don’t have to sync session state.
Slide 9
Authentication Options
Passwords
Sessions
JSON Web Tokens (JWTs)
API Keys, OAuth, etc.
Slide 10
What’s a JSON Web Token?
A base64-encoded JSON object that represents a payload to be transferred between two parties.
Slide 11
What’s a JSON Web Token?
The JSON object is digitally signed using a JSON Web Signature (JWS) and optionally encrypted using JSON Web Encryption (JWE).
Authentication Showdown
             Passwords   Sessions   JWTs
Stateless    Yes         No         Yes
Expirable    No          Yes        Yes
Scopeable    No          No         Yes
Multiple     No          No         Yes
Slide 16
JWTs rock!
But where do you store the token once you have it?
Slide 17
JWT Client Storage Options
Cookies vs. Web Storage
Slide 18
Authentication Steps: Login with username and password
                Cookies                       Web Storage (session/local)
Client Action   send username & password      send username & password
Server Action   verify username & password    verify username & password
Slide 19
Authentication Steps: Receive JWT
                Cookies                        Web Storage (session/local)
Server Action   Set `Cookie` Header with JWT   Set response body with JWT
Client Action   No action                      Save JWT to storage
Slide 20
Authentication Steps: Use JWT for subsequent requests
                Cookies                                Web Storage (session/local)
Client Action   No action                              Set `Authorization` Header with JWT
Server Action   Parse `Cookie` Header and verify JWT   Parse `Authorization` Header and verify JWT
Slide 21
Authentication Steps: “Logout” by deleting JWT
                Cookies                         Web Storage (session/local)
Client Action   Set expiration to a past date   Clear storage value
Server Action   No action                       No action
Slide 22
Browser Exploits: man-in-the-middle attack (MITM)
(Diagram: normal traffic flows between your client and your server; intercepted traffic is routed through the attacker’s server.)
Slide 23
Browser Exploits: cross-site scripting (XSS)
(Diagram: inside the browser, your client runs both your JS and vendor JS, and both can reach your data.)
Slide 24
Browser Exploits: cross-site request forgery (CSRF)
(Diagram: the attacker’s client gets the user’s browser to send a request to your server, and the browser attaches the user’s cookie for your client.)
Slide 25
JWT Client Storage Showdown: Exploit Vulnerability
        Cookies      Web Storage (session/local)
MITM    Vulnerable   Vulnerable
CSRF    Vulnerable   Immune
XSS     Vulnerable   Vulnerable
Slide 26
JWT Client Storage Showdown: Exploit Mitigation Steps
        Cookies                      Web Storage (session/local)
MITM    set `Secure` flag            use HTTPS
CSRF    set `X-XSRF-TOKEN` header    No action needed
XSS     set `HttpOnly` flag          use JSON Web Encryption (JWE) [8,9]
Slide 27
Cross Origin Resource Sharing (CORS)
(Diagram: requests from your client and from a 3rd-party client to your CORS server and to your non-CORS server.)
Slide 28
JWT Client Storage Showdown: Features
                  Cookies   Web Storage (session/local)
Mobile Friendly   No        Yes
CORS Friendly     No        Yes
Slide 29
Storage Recommendations
Use web storage only if your JWT library supports JWE.
Validate X-XSRF-TOKEN server side if using cookies.
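As an added example (not code from the slides), a small Python server-side sketch of the cookie column: it issues an HS256 JWT, sets the `Secure` and `HttpOnly` flags from slide 26, and on later requests parses the `Cookie` header and validates `X-XSRF-TOKEN` before verifying the token. It assumes the double-submit pattern, where the header is compared against an `XSRF-TOKEN` cookie the slides do not spell out, and a constructed secret; a hand-rolled HMAC stands in for a JWT library so it runs stand-alone.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed value; load a real one from config

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(sub: str, ttl: int = 3600) -> str:
    """Build a compact HS256 JWT (header.payload.signature) carrying sub and exp."""
    dump = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    head = dump({"alg": "HS256", "typ": "JWT"})
    body = dump({"sub": sub, "exp": int(time.time()) + ttl})
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims if the signature checks out and exp is in the future, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":  # reject alg=none etc.
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, AttributeError, TypeError):  # malformed base64, JSON or claims
        return None

def login_response_headers(sub: str, xsrf_token: str) -> list:
    """Slide 19 cookie column with slide 26 flags: JWT cookie Secure+HttpOnly, XSRF-TOKEN readable by JS."""
    return [("Set-Cookie", f"jwt={issue_jwt(sub)}; Secure; HttpOnly"),
            ("Set-Cookie", f"XSRF-TOKEN={xsrf_token}; Secure")]

def authenticate_request(headers: dict) -> Optional[dict]:
    """Slide 20 cookie column: parse Cookie, validate X-XSRF-TOKEN, then verify the JWT."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    if "jwt" not in jar or "XSRF-TOKEN" not in jar:
        return None
    # Double-submit check (assumed pattern): a cross-site page cannot read this cookie, so it cannot match the header.
    sent = headers.get("X-XSRF-TOKEN", "").encode()
    if not hmac.compare_digest(jar["XSRF-TOKEN"].value.encode(), sent):
        return None
    return verify_jwt(jar["jwt"].value)
```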