Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Your (RESTful) API

Securing Your (RESTful) API

Options on securing Your (RESTful) API with a focus on JSON web tokens (JWTs) and web storage. View code at https://github.com/reubano/arusha-coders-api.

Reuben Cummings

May 05, 2015

More Decks by Reuben Cummings

Other Decks in Programming


  1. What’s an API? An application programming interface (API) is a

    standardized way of accessing data from a web server
  2. What’s REST? It uniquely identifies data resources via HTTP uris

    /api.example.com/bike /api.example.com/user /api.example.com/car/43
  3. What’s REST? A standard interface for interacting with resources GET

    /api.example.com/bike/300 {"brand": "Schwinn", "color": "red"}
  4. What’s a JSON Web Token? A base64 encoded JSON object

    that represents a payload to be transferred between two parties.
  5. What’s a JSON Web Token? The JSON object is digitally

    signed using a JSON Web Signature (JWS) and optionally encrypted using JSON Web Encryption (JWE).
  6. JWTs: Header { "alg": "HS256", / / algorithm / /

    reject token if "alg" == "none" ) "typ": "JWT", / / type }
  7. JWTs: Payload (Claims) { "sub": "[email protected]", / / Subject (user)

    "iss": "nerevu.com", / / Issuer (server) "aud": "89yfxg498", / / Audience (ClientID) "iat": 1300819370, / / Issued At (timestamp) "exp": 1300819380, / / Expiration Time }
  8. JWTs rock! But where do you store the token once

    you have it? Authentication Showdown
  9. Authentication Steps: Login with username and password Cookies Web Storage

    (session/local) Client Action send username & password Server Action verify username & password
  10. Cookies Web Storage (session/local) Server Action Set `Cookie` Header with

    JWT Set response body with JWT Client Action No action Save JWT to storage Authentication Steps: Receive JWT
  11. Cookies Web Storage (session/local) Client Action No action Set `Authorization`

    Header with JWT Server Action Parse `Cookie` Header and verify JWT Parse `Authorization` Header and verify JWT Authentication Steps: Use JWT for subsequent requests
  12. Cookies Web Storage (session/local) Client Action Set expiration to a

    past date Clear storage value Server Action No action No action Authentication Steps: “Logout” by deleting JWT
  13. JWT Client Storage Showdown: Exploit Vulnerability Cookies Web Storage (session/local)

    MITM Vulnerable Vulnerable CSRF Vulnerable Immune XSS Vulnerable Vulnerable
  14. Cookies Web Storage (session/local) MITM set `Secure` flag use HTTPS

    CSRF set `X-XSRF-TOKEN` header No action needed XSS set `HttpOnly` flag use JSON Web Encryption (JWE)[8,9] JWT Client Storage Showdown: Exploit Mitigation Steps
  15. request Cross Origin Resource Sharing (CORS) Your CORS Server 3rd

    Party Client Your non- CORS Server request Your Client request request
  16. Storage Recommendations Use web storage only if your jwt library

    supports JWE Validate X-XSRF-TOKEN server side if using cookies
  17. Sources 1. http:/ /www.slideshare.net/stormpath/secure-your-rest- api-the-right-way 2. https:/ /stormpath.com/blog/jwt-the-right-way/ 3. http:/

    /tools.ietf.org/html/draft-ietf-oauth-json-web- token-25#section-4.1 4. http:/ /www.slideshare.net/derekperkins/authentication- cookies-vs-jwts-and-why-youre-doing-it-wrong
  18. Sources 5. “RESTful Web API” by Nicola Iarocci 6. https:/

    /stormpath.com/blog/where-to-store-your-jwts- cookies-vs-html5-web-storage/ 7. https:/ /auth0.com/blog/2015/03/31/critical- vulnerabilities-in-json-web-token-libraries/ 8. https:/ /github.com/berngp/node-green-jwt 9. https:/ /github.com/square/js-jose
  19. Sources 10. https:/ /auth0.com/blog/2014/01/27/ten-things-you- should-know-about-tokens-and-cookies 11. https:/ /auth0.com/blog/2014/01/07/angularjs- authentication-with-cookies-vs-token/ 12.

    https:/ /auth0.com/blog/2014/01/15/auth-with-socket-io/ 13. http:/ /angular-tips.com/blog/2014/05/json-web-tokens- introduction/