Securing Your (RESTful) API

Options on securing Your (RESTful) API with a focus on JSON web tokens (JWTs) and web storage. View code at https://github.com/reubano/arusha-coders-api.

Reuben Cummings

May 05, 2015

Transcript

  1. Securing your (RESTful) API
     Reuben Cummings @reubano, Arusha Coders, May 5, 2015 (Updated May 10, 2015)
  2. What’s an API? An application programming interface (API) is a standardized way of accessing data from a web server.
  3. What’s an API? [diagram: Client sends a request, Server returns data]
  4. What’s REST? Representational State Transfer (REST) is an architecture for designing networked applications.
  5. What’s REST? It uniquely identifies data resources via HTTP URIs:
     /api.example.com/bike
     /api.example.com/user
     /api.example.com/car/43
  6. What’s REST? A standard interface for interacting with resources:
     GET /api.example.com/bike/300
     {"brand": "Schwinn", "color": "red"}
  7. What’s REST? Stateless: does not require the server to retain session information about each user.
  8. What’s REST? Scalable: easy to add more servers since they don’t have to sync session state.
  9. Authentication Options: Passwords; Sessions; JSON Web Tokens (JWTs); API Keys, OAuth, etc.
  10. What’s a JSON Web Token? A base64 encoded JSON object that represents a payload to be transferred between two parties.
  11. What’s a JSON Web Token? The JSON object is digitally signed using a JSON Web Signature (JWS) and optionally encrypted using JSON Web Encryption (JWE).
  12. JWTs: Header
      {
        "alg": "HS256",  // algorithm (reject token if "alg" == "none")
        "typ": "JWT"     // type
      }
  13. JWTs: Payload (Claims)
      {
        "sub": "rlc@nervu.com",  // Subject (user)
        "iss": "nerevu.com",     // Issuer (server)
        "aud": "89yfxg498",      // Audience (ClientID)
        "iat": 1300819370,       // Issued At (timestamp)
        "exp": 1300819380        // Expiration Time
      }
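How a server can check the header and claims from slides 12 and 13 before trusting a token, as an added Python example (not code from the talk or the arusha-coders-api repo): HS256 signing and verification with only the standard library, pinning the expected algorithm so an "alg": "none" token is refused, and checking iss, aud and exp. The secret and claim values are constructed.

```python
import base64, hashlib, hmac, json, time

SECRET = b"example-shared-secret"  # constructed; load a real key from config

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature; alg is a parameter only so a test can build an unsigned token."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [b64url_encode(json.dumps(o, separators=(",", ":")).encode())
             for o in (header, claims)]
    signing_input = ".".join(parts).encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])

def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims of a valid token; raise ValueError for anything else."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h64))
    # Slide 12: pin the algorithm you issue with; this also rejects "none"
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    # Slide 13: check the registered claims, not only the signature
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("missing or past exp")
    return claims

def is_valid_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> bool:
    try:
        verify_jwt(token, secret, issuer, audience, now)
        return True
    except ValueError:
        return False
```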
  14. http://jwt.io
  15. Authentication Showdown
      Feature      Passwords  Sessions  JWTs
      Stateless    Yes        No        Yes
      Expirable    No         Yes       Yes
      Scopeable    No         No        Yes
      Multiple     No         No        Yes
  16. Authentication Showdown: JWTs rock! But where do you store the token once you have it?
  17. JWT Client Storage Options: Cookies vs Web Storage
  18. Authentication Steps: Login with username and password
      Client Action (cookies and web storage alike): send username & password
      Server Action (cookies and web storage alike): verify username & password
  19. Authentication Steps: Receive JWT
      Cookies:                      Server Action: set `Cookie` header with JWT; Client Action: no action
      Web Storage (session/local):  Server Action: set response body with JWT; Client Action: save JWT to storage
  20. Authentication Steps: Use JWT for subsequent requests
      Cookies:                      Client Action: no action; Server Action: parse `Cookie` header and verify JWT
      Web Storage (session/local):  Client Action: set `Authorization` header with JWT; Server Action: parse `Authorization` header and verify JWT
  21. Authentication Steps: “Logout” by deleting JWT
      Cookies:                      Client Action: set expiration to a past date; Server Action: no action
      Web Storage (session/local):  Client Action: clear storage value; Server Action: no action
  22. Browser Exploits: man-in-the-middle attack (MITM)
      [diagram: Your Client, Your Server, Attacker’s Server; normal traffic vs intercepted traffic]
  23. Browser Exploits: cross-site scripting (XSS)
      [diagram: Browser running Your Client with Your JS and Vendor JS, both reaching Your data]
  24. Browser Exploits: cross-site request forgery (CSRF)
      [diagram: Attacker’s Client, User, Your Server, Your Client, User’s Cookie]
  25. JWT Client Storage Showdown: Exploit Vulnerability
      Exploit  Cookies     Web Storage (session/local)
      MITM     Vulnerable  Vulnerable
      CSRF     Vulnerable  Immune
      XSS      Vulnerable  Vulnerable
  26. JWT Client Storage Showdown: Exploit Mitigation Steps
      Exploit  Cookies                    Web Storage (session/local)
      MITM     set `Secure` flag          use HTTPS
      CSRF     set `X-XSRF-TOKEN` header  no action needed
      XSS      set `HttpOnly` flag        use JSON Web Encryption (JWE) [8,9]
  27. Cross Origin Resource Sharing (CORS)
      [diagram: requests from Your Client and a 3rd Party Client to Your CORS Server and Your non-CORS Server]
  28. JWT Client Storage Showdown: Features
      Feature          Cookies  Web Storage (session/local)
      Mobile Friendly  No       Yes
      CORS Friendly    No       Yes
  29. Storage Recommendations
      Use web storage only if your JWT library supports JWE
      Validate X-XSRF-TOKEN server side if using cookies
  30. https://github.com/reubano/arusha-coders-api
  31. Sources
      1. http://www.slideshare.net/stormpath/secure-your-rest-api-the-right-way
      2. https://stormpath.com/blog/jwt-the-right-way/
      3. http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1
      4. http://www.slideshare.net/derekperkins/authentication-cookies-vs-jwts-and-why-youre-doing-it-wrong
  32. Sources
      5. “RESTful Web API” by Nicola Iarocci
      6. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/
      7. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
      8. https://github.com/berngp/node-green-jwt
      9. https://github.com/square/js-jose
  33. Sources
      10. https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies
      11. https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
      12. https://auth0.com/blog/2014/01/15/auth-with-socket-io/
      13. http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/
  34. Sources
      14. https://auth0.com/blog/2015/03/10/blacklist-json-web-token-api-keys/
  35. Questions?? Thank you! Reuben Cummings @reubano