Securing Your (RESTful) API

Transcript

1. Securing your (RESTful) API Reuben Cummings @reubano Arusha Coders May

   5, 2015 (Updated May 10, 2015)

2. What’s an API? An application programming interface (API) is a

   standardized way of accessing data from a web server

3. What’s an API? Client request Server data

4. What’s REST? Representational State Transfer (REST) is an architecture for

   designing networked applications

5. What’s REST? It uniquely identifies data resources via HTTP uris

   /api.example.com/bike /api.example.com/user /api.example.com/car/43

6. What’s REST? A standard interface for interacting with resources GET

   /api.example.com/bike/300 {"brand": "Schwinn", "color": "red"}

7. What’s REST? Stateless: does not require the sever to retain

   session information about each user

8. What’s REST? Scalable: easy to add more servers since they

   don’t have to sync session state

9. Authentication Options Passwords Sessions JSON Web Tokens (JWTs) API Keys,

   OAuth, etc.

10. What’s a JSON Web Token? A base64 encoded JSON object

    that represents a payload to be transferred between two parties.

11. What’s a JSON Web Token? The JSON object is digitally

    signed using a JSON Web Signature (JWS) and optionally encrypted using JSON Web Encryption (JWE).

12. JWTs: Header { "alg": "HS256", / / algorithm / /

    reject token if "alg" == "none" ) "typ": "JWT", / / type }

13. JWTs: Payload (Claims) { "sub": "[email protected]", / / Subject (user)

    "iss": "nerevu.com", / / Issuer (server) "aud": "89yfxg498", / / Audience (ClientID) "iat": 1300819370, / / Issued At (timestamp) "exp": 1300819380, / / Expiration Time }

14. http:/ /jwt.io

15. Authentication Showdown Passwords Sessions JWTs Stateless Yes No Yes Expireable

    No Yes Yes Scopeable No No Yes Multiple No No Yes

16. JWTs rock! But where do you store the token once

    you have it? Authentication Showdown

17. JWT Client Storage Options vs Cookies Web Storage

18. Authentication Steps: Login with username and password Cookies Web Storage

    (session/local) Client Action send username & password Server Action verify username & password

19. Cookies Web Storage (session/local) Server Action Set `Cookie` Header with

    JWT Set response body with JWT Client Action No action Save JWT to storage Authentication Steps: Receive JWT

20. Cookies Web Storage (session/local) Client Action No action Set `Authorization`

    Header with JWT Server Action Parse `Cookie` Header and verify JWT Parse `Authorization` Header and verify JWT Authentication Steps: Use JWT for subsequent requests

21. Cookies Web Storage (session/local) Client Action Set expiration to a

    past date Clear storage value Server Action No action No action Authentication Steps: “Logout” by deleting JWT

22. Browser Exploits: man-in-the-middle attack (MITM) Your Client Your Server Attacker’s

    Server normal traffic intercepted traffic

23. Browser Browser Exploits: cross-site scripting (XSS) Your Client Your JS

    Vendor JS Your data

24. Browser Browser Exploits: cross-site request forgery (CSRF) Attacker’s Client User

    Your Server Your Client User’s Cookie

25. JWT Client Storage Showdown: Exploit Vulnerability Cookies Web Storage (session/local)

    MITM Vulnerable Vulnerable CSRF Vulnerable Immune XSS Vulnerable Vulnerable

26. Cookies Web Storage (session/local) MITM set `Secure` flag use HTTPS

    CSRF set `X-XSRF-TOKEN` header No action needed XSS set `HttpOnly` flag use JSON Web Encryption (JWE)[8,9] JWT Client Storage Showdown: Exploit Mitigation Steps

27. request Cross Origin Resource Sharing (CORS) Your CORS Server 3rd

    Party Client Your non- CORS Server request Your Client request request

28. JWT Client Storage Showdown: Features Cookies Web Storage (session/local) Mobile

    Friendly No Yes CORS Friendly No Yes

29. Storage Recommendations Use web storage only if your jwt library

    supports JWE Validate X-XSRF-TOKEN server side if using cookies

30. https:/ /github.com/reubano/ arusha-coders-api

31. Sources 1. http:/ /www.slideshare.net/stormpath/secure-your-rest- api-the-right-way 2. https:/ /stormpath.com/blog/jwt-the-right-way/ 3. http:/

    /tools.ietf.org/html/draft-ietf-oauth-json-web- token-25#section-4.1 4. http:/ /www.slideshare.net/derekperkins/authentication- cookies-vs-jwts-and-why-youre-doing-it-wrong

32. Sources 5. “RESTful Web API” by Nicola Iarocci 6. https:/

    /stormpath.com/blog/where-to-store-your-jwts- cookies-vs-html5-web-storage/ 7. https:/ /auth0.com/blog/2015/03/31/critical- vulnerabilities-in-json-web-token-libraries/ 8. https:/ /github.com/berngp/node-green-jwt 9. https:/ /github.com/square/js-jose

33. Sources 10. https:/ /auth0.com/blog/2014/01/27/ten-things-you- should-know-about-tokens-and-cookies 11. https:/ /auth0.com/blog/2014/01/07/angularjs- authentication-with-cookies-vs-token/ 12.

    https:/ /auth0.com/blog/2014/01/15/auth-with-socket-io/ 13. http:/ /angular-tips.com/blog/2014/05/json-web-tokens- introduction/

34. Sources 14. https:/ /auth0.com/blog/2015/03/10/blacklist-json-web- token-api-keys/

35. Questions?? Thank you! Reuben Cummings @reubano