Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Your (RESTful) API

Reuben Cummings
May 05, 2015
Programming
1
220

Securing Your (RESTful) API

Options on securing Your (RESTful) API with a focus on JSON web tokens (JWTs) and web storage. View code at https://github.com/reubano/arusha-coders-api.

Reuben Cummings

May 05, 2015
Tweet

More Decks by Reuben Cummings

See All by Reuben Cummings
Peoria Data Strategy
reubano
1
17
Fast Sites FTW!
reubano
1
21
You Might Not Need Pandas
reubano
0
180
Stream processing made easy with riko
reubano
1
180
A Functional Programming Approach To Data Processing In Python
reubano
1
470
Using Functional Programming for efficient Data Processing and Analysis
reubano
3
510
Geospatial Analysis Made Easy with meza
reubano
0
170
Quantum of Data: A data science journey
reubano
1
170
Open Data Day Arusha
reubano
0
89

Other Decks in Programming

See All in Programming
たのしいドメイン駆動設計: 序 / Enjoy domain driven design : ZYO
jpt_corp_official
7
3.6k
外部APIとズブズブな開発どうしてますか?
kin29
0
300
Jakarta EE Guide for Spring Developers
ivargrimstad
0
330
RDRA, ICONIX, DDDの実践から得た学び
hsawaji
5
680
Jetpack Media3로 좋은 콘텐츠 소비 경험 구현하기
workspace93
0
100
ブラウザで「今すぐ」gemを読み込む方法 / Load-gem-from-browser-JUST-NOW
lnit
0
270
顔写真メイクアップアプリの開発におけるプライバシー保護とコスト削減のための手法
akkeylab
1
130
A Practitioner's Journey from Ruby 1.8 to Present
koic
1
680
KustoクエリのChatGPT Plugin!
tomokusaba
0
260
Dagger Hilt로 의존성 주입부터 멀티모듈화까지
fornewid
0
230
アプリケーションパフォーマンスの計測と改善の方法を勉強している話
devoc
9
2.4k
初めましてLaravel、君のことを教えてくれ! 〜春に就職したばかりの新卒エンジニアが調べた内部仕様と、そのプロセス〜
amixedcolor
0
160

Featured

See All Featured
We Have a Design System, Now What?
morganepeng
40
6.3k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.6k
GraphQLの誤解/rethinking-graphql
sonatard
44
8.5k
Three Pipe Problems
jasonvnalue
89
9.2k
For a Future-Friendly Web
brad_frost
168
8.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
A better future with KSS
kneath
230
16k
Unsuck your backbone
ammeep
660
56k
Designing with Data
zakiwarfel
93
4.5k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
Writing Fast Ruby
sferik
615
59k

Transcript

  1. Securing your (RESTful) API
    Reuben Cummings
    @reubano
    Arusha Coders
    May 5, 2015 (Updated May 10, 2015)

    View Slide

  2. What’s an API?
    An application programming
    interface (API) is a
    standardized way of accessing
    data from a web server

    View Slide

  3. What’s an API?
    Client
    request
    Server
    data

    View Slide

  4. What’s REST?
    Representational State
    Transfer (REST) is an
    architecture for designing
    networked applications

    View Slide

  5. What’s REST?
    It uniquely identifies data
    resources via HTTP uris
    /api.example.com/bike
    /api.example.com/user
    /api.example.com/car/43

    View Slide

  6. What’s REST?
    A standard interface for
    interacting with resources
    GET /api.example.com/bike/300
    {"brand": "Schwinn", "color": "red"}

    View Slide

  7. What’s REST?
    Stateless: does not require
    the sever to retain session
    information about each user

    View Slide

  8. What’s REST?
    Scalable: easy to add more
    servers since they don’t have
    to sync session state

    View Slide

  9. Authentication Options
    Passwords
    Sessions
    JSON Web Tokens (JWTs)
    API Keys, OAuth, etc.

    View Slide

  10. What’s a JSON Web Token?
    A base64 encoded JSON
    object that represents a
    payload to be transferred
    between two parties.

    View Slide

  11. What’s a JSON Web Token?
    The JSON object is digitally
    signed using a JSON Web
    Signature (JWS) and
    optionally encrypted using
    JSON Web Encryption (JWE).

    View Slide

  12. JWTs: Header
    {
    "alg": "HS256",
    /
    / algorithm
    /
    / reject token if "alg" == "none" )
    "typ": "JWT", /
    / type
    }

    View Slide

  13. JWTs: Payload (Claims)
    {
    "sub": "[email protected]", /
    / Subject (user)
    "iss": "nerevu.com", /
    / Issuer (server)
    "aud": "89yfxg498", /
    / Audience (ClientID)
    "iat": 1300819370, /
    / Issued At (timestamp)
    "exp": 1300819380, /
    / Expiration Time
    }

    View Slide

  14. http:/
    /jwt.io

    View Slide

  15. Authentication Showdown
    Passwords Sessions JWTs
    Stateless Yes No Yes
    Expireable No Yes Yes
    Scopeable No No Yes
    Multiple No No Yes

    View Slide

  16. JWTs rock!
    But where do you store the
    token once you have it?
    Authentication Showdown

    View Slide

  17. JWT Client Storage Options
    vs
    Cookies Web Storage

    View Slide

  18. Authentication Steps: Login with
    username and password
    Cookies
    Web Storage
    (session/local)
    Client Action send username & password
    Server Action verify username & password

    View Slide

  19. Cookies
    Web Storage
    (session/local)
    Server Action
    Set `Cookie` Header
    with JWT
    Set response
    body with JWT
    Client Action No action Save JWT to storage
    Authentication Steps:
    Receive JWT

    View Slide

  20. Cookies
    Web Storage
    (session/local)
    Client Action No action
    Set `Authorization`
    Header with JWT
    Server Action
    Parse `Cookie` Header
    and verify JWT
    Parse `Authorization`
    Header and verify JWT
    Authentication Steps:
    Use JWT for subsequent requests

    View Slide

  21. Cookies
    Web Storage
    (session/local)
    Client Action
    Set expiration to a past
    date
    Clear storage value
    Server Action No action No action
    Authentication Steps:
    “Logout” by deleting JWT

    View Slide

  22. Browser Exploits:
    man-in-the-middle attack (MITM)
    Your
    Client
    Your
    Server
    Attacker’s
    Server
    normal traffic
    intercepted traffic

    View Slide

  23. Browser
    Browser Exploits:
    cross-site scripting (XSS)
    Your
    Client
    Your JS Vendor JS
    Your data

    View Slide

  24. Browser
    Browser Exploits:
    cross-site request forgery (CSRF)
    Attacker’s
    Client
    User
    Your
    Server
    Your Client
    User’s Cookie

    View Slide

  25. JWT Client Storage Showdown:
    Exploit Vulnerability
    Cookies
    Web Storage
    (session/local)
    MITM Vulnerable Vulnerable
    CSRF Vulnerable Immune
    XSS Vulnerable Vulnerable

    View Slide

  26. Cookies
    Web Storage
    (session/local)
    MITM set `Secure` flag use HTTPS
    CSRF
    set `X-XSRF-TOKEN`
    header
    No action needed
    XSS set `HttpOnly` flag
    use JSON Web Encryption
    (JWE)[8,9]
    JWT Client Storage Showdown:
    Exploit Mitigation Steps

    View Slide

  27. request
    Cross Origin Resource Sharing
    (CORS)
    Your
    CORS
    Server
    3rd
    Party
    Client
    Your
    non-
    CORS
    Server
    request
    Your
    Client
    request
    request

    View Slide

  28. JWT Client Storage Showdown:
    Features
    Cookies
    Web Storage
    (session/local)
    Mobile
    Friendly
    No Yes
    CORS
    Friendly
    No Yes

    View Slide

  29. Storage Recommendations
    Use web storage only if your
    jwt library supports JWE
    Validate X-XSRF-TOKEN
    server side if using cookies

    View Slide

  30. https:/
    /github.com/reubano/
    arusha-coders-api

    View Slide

  31. Sources
    1. http:/
    /www.slideshare.net/stormpath/secure-your-rest-
    api-the-right-way
    2. https:/
    /stormpath.com/blog/jwt-the-right-way/
    3. http:/
    /tools.ietf.org/html/draft-ietf-oauth-json-web-
    token-25#section-4.1
    4. http:/
    /www.slideshare.net/derekperkins/authentication-
    cookies-vs-jwts-and-why-youre-doing-it-wrong

    View Slide

  32. Sources
    5. “RESTful Web API” by Nicola Iarocci
    6. https:/
    /stormpath.com/blog/where-to-store-your-jwts-
    cookies-vs-html5-web-storage/
    7. https:/
    /auth0.com/blog/2015/03/31/critical-
    vulnerabilities-in-json-web-token-libraries/
    8. https:/
    /github.com/berngp/node-green-jwt
    9. https:/
    /github.com/square/js-jose

    View Slide

  33. Sources
    10. https:/
    /auth0.com/blog/2014/01/27/ten-things-you-
    should-know-about-tokens-and-cookies
    11. https:/
    /auth0.com/blog/2014/01/07/angularjs-
    authentication-with-cookies-vs-token/
    12. https:/
    /auth0.com/blog/2014/01/15/auth-with-socket-io/
    13. http:/
    /angular-tips.com/blog/2014/05/json-web-tokens-
    introduction/

    View Slide

  34. Sources
    14. https:/
    /auth0.com/blog/2015/03/10/blacklist-json-web-
    token-api-keys/

    View Slide

  35. Questions??
    Thank you!
    Reuben Cummings
    @reubano

    View Slide