Slide 1

Chris Cornutt / @enygma
True North PHP 2013
Securing your REST API
Friday, November 8, 2013

Slide 2


Slide 3


Slide 4


Slide 5

Security is planned.

Slide 6

Security is easy to ignore.

Slide 7

Security is compromise.

Slide 8

Reliability
Availability
Scalability

Slide 9

Auth in Detail

Slide 10

HTTP Basic/Digest

Slide 11

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="Great White North"

Authorization: Basic base64(username:password)

Slide 12

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="Great White North",
    nonce="d39175b3e4a2538a01e4afe863092621",
    opaque="ef5b7a6b9f8460ba7c74589a9d7be07c"

Authorization: Digest username="snowman", realm="Great White North",
    nonce="d39175b3e4a2538a01e4afe863092621",
    opaque="ef5b7a6b9f8460ba7c74589a9d7be07c",
    uri="http://foo.com/bar/baz", response=$response
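The slides show the Digest exchange but leave the $response value opaque. The following is an added example (not from the talk) that computes that value on the client, verifies it on the server from a stored HA1 rather than the password, and consumes the nonce so a captured Authorization header cannot be replayed. The realm, nonce, opaque and uri values are the slide's; the user "snowman" having the password "igloo" is an assumption for the demo.

```python
import hashlib
import hmac

# Values copied from the slide's example exchange.
REALM = "Great White North"
NONCE = "d39175b3e4a2538a01e4afe863092621"
OPAQUE = "ef5b7a6b9f8460ba7c74589a9d7be07c"
URI = "http://foo.com/bar/baz"


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed credential store. The server keeps HA1 = MD5(user:realm:password)
# instead of the password; the password "igloo" is an assumption for the demo.
USERS_HA1 = {"snowman": md5(f"snowman:{REALM}:igloo")}


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def client_authorization_header(username, password, method, uri, nonce, opaque):
    """What the client sends back after the 401 on the slide ($response filled in)."""
    ha1 = md5(f"{username}:{REALM}:{password}")
    response = digest_response(ha1, method, uri, nonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'opaque="{opaque}", uri="{uri}", response="{response}"')


def parse_digest_header(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    fields = {}
    for part in params.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def verify(header: str, method: str, issued_nonces: set) -> bool:
    """Server-side check. The nonce must be one we issued and is consumed on
    success, so a captured Authorization header cannot simply be replayed."""
    try:
        fields = parse_digest_header(header)
        nonce, username = fields["nonce"], fields["username"]
    except (ValueError, KeyError):
        return False
    if nonce not in issued_nonces:
        return False
    ha1 = USERS_HA1.get(username)
    if ha1 is None:
        return False
    # The method is taken from the actual request, not from the header, so a
    # signature computed for GET does not authorise a PUT to the same URI.
    expected = digest_response(ha1, method, fields.get("uri", ""), nonce)
    if not hmac.compare_digest(expected, fields.get("response", "")):
        return False
    issued_nonces.discard(nonce)
    return True
```

Two caveats the slides' next point ("use SSL...or don't use at all") rests on: the Basic header is only base64 of username:password, so anyone on the path reads it, and a Digest response seen on the wire gives an eavesdropper an offline dictionary attack against MD5, so neither scheme is a substitute for TLS.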

Slide 13


Slide 14

"Security"
Use SSL...or don't use at all
Internal sites

Slide 15

Shared Tokens

Slide 16

Trouble to maintain
Static, not asymmetric
Not encryption

Slide 17

OAuth v2

Slide 18


Slide 19

Burden of identity
Complex to implement
Authorization, not authentication
"Delegation"?

Slide 20

<?php
// The opening of this snippet is cut off on the slide: the $oauth object and
// its construction are not shown. Note that getRequestToken() and the
// oauth_token it returns belong to the PECL OAuth extension's OAuth 1.0a
// request-token flow; OAuth 2 has no request token step.
$token = $oauth->getRequestToken( $requestUrl, $callbackUrl );
header( 'Location: '.$authorizeUrl .'?token='.$token['oauth_token'] );
?>

Slide 21

Shared Certificates

Slide 22

Stronger protection than passwords
No private information involved
Difficult to deploy

Slide 23

Not Just Auth

Slide 24


Slide 25

Rate Limiting

Slide 26

Limit requests/second
Types of requests
All about time...

Slide 27

Throttling

Slide 28

Limit amount of data
Slowing them down
All about bandwidth...
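Slides 26 and 28 separate the two controls by what they measure: rate limiting counts requests over time, throttling counts bytes. This added example (not from the talk) implements both in one per-API-key sliding window and returns the status and headers a client needs to back off. The limits, the header names and the ManualClock used instead of sleeping are assumptions for the demo.

```python
import collections
import time


class ManualClock:
    """Injectable clock so the window can be advanced without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ApiLimiter:
    """Per-API-key sliding window over request count (rate limiting) and
    response bytes (throttling). Constructed example; the clock is injectable."""

    def __init__(self, max_requests, max_bytes, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.max_bytes = max_bytes
        self.window = window_seconds
        self.clock = clock
        # key -> deque of (timestamp, bytes_served), oldest first
        self._events = collections.defaultdict(collections.deque)

    def _live_events(self, key, now):
        events = self._events[key]
        while events and now - events[0][0] >= self.window:
            events.popleft()
        return events

    def check(self, key, response_bytes):
        """Return (allowed, reason, retry_after_seconds). Only an allowed
        request is recorded, so rejected requests do not extend the penalty."""
        now = self.clock()
        events = self._live_events(key, now)

        if len(events) >= self.max_requests:
            return False, "rate_limited", self.window - (now - events[0][0])

        used = sum(size for _, size in events)
        if used + response_bytes > self.max_bytes:
            # Retry once enough old events have aged out for this response
            # to fit. A single response larger than max_bytes never fits.
            freed, retry_after = 0, 0.0
            for ts, size in events:
                freed += size
                retry_after = self.window - (now - ts)
                if used - freed + response_bytes <= self.max_bytes:
                    break
            return False, "throttled", retry_after

        events.append((now, response_bytes))
        return True, "ok", 0.0

    def decide(self, key, response_bytes):
        """Status and headers for one request: 200 plus quota headers, or 429
        with Retry-After so well-behaved clients stop hammering."""
        allowed, reason, retry_after = self.check(key, response_bytes)
        remaining = self.max_requests - len(self._events[key])
        headers = {
            "X-RateLimit-Limit": str(self.max_requests),
            "X-RateLimit-Remaining": str(max(0, remaining)),
        }
        if not allowed:
            headers["Retry-After"] = str(int(retry_after) + 1)
            headers["X-RateLimit-Reason"] = reason
        return (200 if allowed else 429), headers
```

Keying the window by API key rather than source IP matters for the "types of requests" point: a cheap GET and an expensive report export can be given different max_bytes budgets by instantiating one limiter per request class.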

Slide 29

Filtering/Escaping

Slide 30

Email
URL
Name
Login
IP
HTML
Num
Alpha
Bool
Regex Patterns
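The slide lists filter types without showing how they are applied. This added example (not from the talk) wires those types into a whitelist validator for an API payload: fields not in the schema are dropped, each named field is either rejected or returned cleaned, and "html" is the one entry that escapes instead of rejecting. The regular expressions and field names are assumptions.

```python
import html
import ipaddress
import re
from urllib.parse import urlparse

# Constructed filter table following the slide's list. Each filter returns the
# cleaned value or raises ValueError; "html" is an escape, not a filter.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _email(v):
    if not isinstance(v, str) or not _EMAIL_RE.match(v):
        raise ValueError("invalid email")
    return v.lower()


def _url(v):
    p = urlparse(v if isinstance(v, str) else "")
    # Scheme whitelist rejects javascript:, data:, file: and friends.
    if p.scheme not in ("http", "https") or not p.netloc:
        raise ValueError("invalid url")
    return v


def _ip(v):
    return str(ipaddress.ip_address(v))  # v4 or v6, raises ValueError otherwise


def _num(v):
    if isinstance(v, bool):
        raise ValueError("bool is not a number")
    return int(v)  # ValueError/TypeError on junk


def _alpha(v):
    if not isinstance(v, str) or not v.isalpha():
        raise ValueError("letters only")
    return v


def _bool(v):
    if isinstance(v, bool):
        return v
    s = str(v).lower()
    if s in ("true", "1", "yes"):
        return True
    if s in ("false", "0", "no"):
        return False
    raise ValueError("not a boolean")


def _html(v):
    return html.escape(str(v), quote=True)


def regex(pattern):
    """Build a filter from a pattern; fullmatch so "abc<script>" cannot sneak past."""
    compiled = re.compile(pattern)

    def check(v):
        if not isinstance(v, str) or not compiled.fullmatch(v):
            raise ValueError(f"must match {pattern}")
        return v
    return check


FILTERS = {
    "email": _email,
    "url": _url,
    "name": regex(r"[A-Za-z][A-Za-z '\-]{0,99}"),
    "login": regex(r"[a-z0-9_.-]{3,32}"),
    "ip": _ip,
    "html": _html,
    "num": _num,
    "alpha": _alpha,
    "bool": _bool,
}


def validate(payload: dict, schema: dict):
    """Whitelist validation: only fields named in schema survive, each passed
    through its filter. Returns (cleaned, errors) so every bad field is reported."""
    cleaned, errors = {}, {}
    for field, rule in schema.items():
        check = FILTERS[rule] if isinstance(rule, str) else rule
        if field not in payload:
            errors[field] = "missing"
            continue
        try:
            cleaned[field] = check(payload[field])
        except (ValueError, TypeError) as e:
            errors[field] = str(e) or "invalid"
    return cleaned, errors
```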

Slide 31

Direct Object Refs

Slide 32

OWASP Top 10 (2013) A4: Insecure Direct Object References

Slide 33

Yours:
GET /user/1/link/42

Good guesses:
GET /user/1/link/52
PUT /user/1/link/42

Alternative:
GET /user/[GUID #1]/link/[GUID #2]
GET /user/[username]

Slide 34

Error Conditions

Slide 35

{
  "success": false,
  "error": {
    "code": 8675309,
    "message": "Error in request",
    "url": "http://oursite.com/error/8675309"
  }
}

Slide 36

Good Practices

Slide 37

Use HTTPS

Slide 38

Prevent leakage

Slide 39

Be stateless

Slide 40

Auth on resource, not URI

Slide 41

Importance of (HTTP) status
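Slides 35, 38 and 41 together describe one mechanism: a fixed error envelope, nothing internal in it, and the right HTTP status carrying it. This added example (not from the talk) is an error handler that does all three: known failures map to a status and a stable code, anything unexpected becomes a generic 500, and the real detail goes only to the server log under a reference id the client can quote. The exception classes, codes and messages are assumptions; the envelope shape and the error URL host are the slide's.

```python
import json
import logging
import uuid

log = logging.getLogger("api")


class ApiError(Exception):
    """Errors the client is meant to see: stable code, generic message, and the
    HTTP status that carries it. Codes and messages are constructed for the demo."""
    status, code, message = 400, 4000, "Error in request"


class Unauthorized(ApiError):
    status, code, message = 401, 4010, "Authentication required"


class Forbidden(ApiError):
    status, code, message = 403, 4030, "Not permitted"


class NotFound(ApiError):
    status, code, message = 404, 4040, "Resource not found"


def error_response(exc: Exception):
    """Translate any exception into (status, headers, json_body).
    Everything the client receives is generic; the detail (str(exc), stack)
    goes to the log under a reference id, which is the only link between them."""
    ref = uuid.uuid4().hex
    headers = {"Content-Type": "application/json"}
    if isinstance(exc, ApiError):
        status, code, message = exc.status, exc.code, exc.message
        log.info("ref=%s code=%s detail=%s", ref, code, exc)
        if status == 401:
            # A 401 must say how to authenticate or clients cannot recover.
            headers["WWW-Authenticate"] = 'Basic realm="api"'
    else:
        # Unexpected failure: never echo str(exc) or a traceback to the client,
        # that is how connection strings and file paths leak.
        status, code, message = 500, 5000, "Internal error"
        log.error("ref=%s unhandled %s", ref, type(exc).__name__, exc_info=exc)
    body = {
        "success": False,
        "error": {
            "code": code,
            "message": message,
            "ref": ref,
            "url": f"http://oursite.com/error/{code}",
        },
    }
    return status, headers, json.dumps(body)
```

The status is not decoration: a client that cannot tell 401 from 403 from 404 from 429 will retry the wrong things, and a monitoring system that sees every failure as 200 with "success": false sees nothing at all.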

Slide 42

Use keys, not passwords

Slide 43

Signing with hashes
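Slides 42 and 43, and the shared-token drawbacks on slide 16 (static, "not encryption"), point at the same design: a random API secret that is never sent, used to HMAC each request. This added example (not from the talk) shows both ends of that exchange with a timestamp and nonce so a captured request cannot be replayed, and a constant-time comparison on the server. The header names, the key id and the key store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key store: a key id the client sends in clear and a random secret
# that never leaves either side. Make secrets with secrets.token_hex(32); no
# user password is involved, which is the point of slide 42.
API_KEYS = {"key_7f3a": "2b5c0f1e9a8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b"}


def canonical_string(method, path, query, body: bytes, timestamp, nonce):
    """Everything the server will act on goes under the MAC, so changing any of
    it (method, path, query, body, time, nonce) invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, timestamp, nonce, body_hash])


def sign(secret: str, canonical: str) -> str:
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def sign_request(key_id, secret, method, path, query="", body=b"", now=None):
    """Client side: the headers to attach to the outgoing request."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    sig = sign(secret, canonical_string(method, path, query, body, ts, nonce))
    return {"X-Key-Id": key_id, "X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side. Rejects unknown keys, stale timestamps, reused nonces and
    bad signatures. The nonce cache only has to remember the skew window."""

    def __init__(self, keys, max_skew_seconds=300):
        self.keys = keys
        self.max_skew = max_skew_seconds
        self.seen = set()  # (key_id, nonce) pairs already accepted

    def verify(self, headers, method, path, query="", body=b"", now=None):
        key_id = headers.get("X-Key-Id", "")
        secret = self.keys.get(key_id)
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        now = time.time() if now is None else now
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        nonce = headers.get("X-Nonce", "")
        if (key_id, nonce) in self.seen:
            return False, "replay"
        expected = sign(secret, canonical_string(method, path, query, body, str(ts), nonce))
        # compare_digest, not ==, so a byte-by-byte timing leak cannot be used
        # to forge the signature one hex digit at a time.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen.add((key_id, nonce))
        return True, "ok"
```

This is the same shape as AWS-style request signing; the difference from the shared token on slide 15 is that the secret authenticates each request without ever being transmitted, so a TLS-terminating proxy or a log file never sees it.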

Slide 44


Slide 45

Method permissioning
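Slide 33 (the guessed /user/1/link/52), slide 40 ("auth on resource, not URI") and this slide are one check in code. The added example below (not from the talk) loads the resource first and decides on its owner and the caller's role, ignoring the user id in the URL entirely, and answers a non-owner with the same 404 as a missing link so guessing reveals nothing. Opaque ids are used as in the slide's alternative, but nothing here depends on them being unguessable. The users, links, roles and role-to-method table are assumptions.

```python
import re

# Constructed data. Ids are opaque as in the slide's "alternative", but the
# protection below does not rely on that.
USERS = {
    "u-aa11": {"name": "snowman", "role": "user"},
    "u-bb22": {"name": "yeti", "role": "viewer"},
    "u-cc33": {"name": "ops", "role": "admin"},
}
LINKS = {
    "l-4242": {"owner": "u-aa11", "url": "https://example.com/one"},
    "l-5252": {"owner": "u-bb22", "url": "https://example.com/two"},
}

# Method permissioning: which HTTP methods each role may use on a link it is
# entitled to see. Viewers are read-only; only admins may delete.
METHODS_BY_ROLE = {
    "viewer": {"GET"},
    "user": {"GET", "PUT"},
    "admin": {"GET", "PUT", "DELETE"},
}

ROUTE = re.compile(r"^/user/(?P<user_id>[^/]+)/link/(?P<link_id>[^/]+)$")


class NotFound(Exception):
    status = 404


class Forbidden(Exception):
    status = 403


def authorize_link(caller_id, method, link_id):
    """Resolve the resource, then decide on it. The user id in the URL is never
    consulted: the caller's identity comes from authentication, not the path."""
    link = LINKS.get(link_id)
    caller = USERS[caller_id]
    # Non-owners get the same 404 as a missing link, so walking ids (42 -> 52)
    # does not even confirm which links exist.
    if link is None or (link["owner"] != caller_id and caller["role"] != "admin"):
        raise NotFound(link_id)
    if method not in METHODS_BY_ROLE[caller["role"]]:
        raise Forbidden(method)
    return link


def handle(caller_id, method, path):
    """Dispatch one already-authenticated request; returns (status, body)."""
    m = ROUTE.match(path)
    if not m:
        return 404, None
    link_id = m.group("link_id")
    try:
        link = authorize_link(caller_id, method, link_id)
    except (NotFound, Forbidden) as e:
        return e.status, None
    if method == "DELETE":
        LINKS.pop(link_id)
        return 204, None
    return 200, dict(link)
```

Note what the GUID alternative on slide 33 does and does not buy: it stops casual enumeration, but an id that leaks through a log, a referer or a shared screenshot still has to hit this ownership check, which is why the check is on the resource and not on the shape of the URI.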

Slide 46

Secure input parsing

Slide 47

]> &three;
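Only the tail of slide 47's XML survives, but "]> &three;" is the end of an internal DTD followed by a reference to its last entity, the shape of an entity-expansion ("billion laughs") document. This added example (not from the talk) reconstructs such a document, shows that default parsing expands it, and then parses client XML with a parser that refuses any DOCTYPE, which removes both internal entity expansion and external (file or URL) entity references with one check. The documents, the element names and the size cap are constructed for the demo.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    pass


# Constructed inputs: a benign API document and a three-level entity-expansion
# document of the kind the slide's fragment ("]> &three;") ends.
BENIGN = b"<link><url>https://example.com</url><title>one</title></link>"
BOMB = (b'<?xml version="1.0"?>'
        b'<!DOCTYPE link [ <!ENTITY one "aaaaaaaaaa">'
        b' <!ENTITY two "&one;&one;&one;&one;&one;&one;&one;&one;&one;&one;">'
        b' <!ENTITY three "&two;&two;&two;&two;&two;&two;&two;&two;&two;&two;"> ]>'
        b'<link><title>&three;</title></link>')


def naive_title(data: bytes) -> str:
    """Default parsing expands internal entities: 10 bytes become 1000 here,
    and each further level multiplies by ten again."""
    return ET.fromstring(data).findtext("title")


def parse_untrusted(data: bytes, max_bytes: int = 1_000_000) -> dict:
    """Parse client XML into {tag: text} for the root element's children.
    The size is capped first; then any DOCTYPE is refused, so no entity can be
    declared (no expansion) and no external entity can be fetched (no XXE)."""
    if len(data) > max_bytes:
        raise UnsafeXML("document too large")
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not accepted")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXML("external entity not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external

    result, stack, depth = {}, [], [0]

    def start(tag, attrs):
        depth[0] += 1
        if depth[0] == 2:
            stack.append([tag, []])

    def text(chunk):
        if depth[0] == 2 and stack:
            stack[-1][1].append(chunk)

    def end(tag):
        if depth[0] == 2:
            name, parts = stack.pop()
            result[name] = "".join(parts)
        depth[0] -= 1

    parser.StartElementHandler = start
    parser.CharacterDataHandler = text
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as e:
        raise UnsafeXML(f"malformed XML: {e}") from None
    return result


def accepted(data: bytes) -> bool:
    """True if parse_untrusted would take the document, False if it refuses."""
    try:
        parse_untrusted(data)
        return True
    except UnsafeXML:
        return False
```

The same policy applies to the PHP side the talk targets: disable external entity loading and reject documents that carry a DOCTYPE before handing them to the parser, rather than trying to detect malicious entity declarations one by one.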

Slide 48

Think Simple

Slide 49


Slide 50

Thanks! Questions/Comments?
@enygma
http://websec.io