Securing Your (RESTful) API

Options on securing Your (RESTful) API with a focus on JSON web tokens (JWTs) and web storage. View code at https://github.com/reubano/arusha-coders-api.

Reuben Cummings

May 05, 2015

Transcript

Slide 2. What's an API? An application programming interface (API) is a standardized way of accessing data from a web server.

Slide 5. What's REST? It uniquely identifies data resources via HTTP URIs:

    /api.example.com/bike
    /api.example.com/user
    /api.example.com/car/43

Slide 6. What's REST? A standard interface for interacting with resources:

    GET /api.example.com/bike/300
    {"brand": "Schwinn", "color": "red"}

Slide 10. What's a JSON Web Token? A base64 encoded JSON object that represents a payload to be transferred between two parties.

Slide 11. What's a JSON Web Token? The JSON object is digitally signed using a JSON Web Signature (JWS) and optionally encrypted using JSON Web Encryption (JWE).

Slide 12. JWTs: Header

    {
      "alg": "HS256", // algorithm (reject token if "alg" == "none")
      "typ": "JWT"    // type
    }

Slide 13. JWTs: Payload (Claims)

    {
      "sub": "rlc@nervu.com", // Subject (user)
      "iss": "nerevu.com",    // Issuer (server)
      "aud": "89yfxg498",     // Audience (ClientID)
      "iat": 1300819370,      // Issued At (timestamp)
      "exp": 1300819380       // Expiration Time
    }

Slide 16. JWTs rock! But where do you store the token once you have it? Authentication Showdown.

Slide 18. Authentication Steps: Login with username and password
    Client Action: send username & password (cookies and web storage alike)
    Server Action: verify username & password (cookies and web storage alike)

Slide 19. Authentication Steps: Receive JWT
    Server Action: Cookies: set `Cookie` header with JWT; Web Storage (session/local): set response body with JWT
    Client Action: Cookies: no action; Web Storage (session/local): save JWT to storage

Slide 20. Authentication Steps: Use JWT for subsequent requests
    Client Action: Cookies: no action; Web Storage (session/local): set `Authorization` header with JWT
    Server Action: Cookies: parse `Cookie` header and verify JWT; Web Storage (session/local): parse `Authorization` header and verify JWT

Slide 21. Authentication Steps: "Logout" by deleting JWT
    Client Action: Cookies: set expiration to a past date; Web Storage (session/local): clear storage value
    Server Action: Cookies: no action; Web Storage (session/local): no action

Slide 25. JWT Client Storage Showdown: Exploit Vulnerability
    MITM: Cookies: vulnerable; Web Storage (session/local): vulnerable
    CSRF: Cookies: vulnerable; Web Storage (session/local): immune
    XSS:  Cookies: vulnerable; Web Storage (session/local): vulnerable

Slide 26. JWT Client Storage Showdown: Exploit Mitigation Steps
    MITM: Cookies: set `Secure` flag; Web Storage (session/local): use HTTPS
    CSRF: Cookies: set `X-XSRF-TOKEN` header; Web Storage (session/local): no action needed
    XSS:  Cookies: set `HttpOnly` flag; Web Storage (session/local): use JSON Web Encryption (JWE) [8,9]

Slide 27. Cross Origin Resource Sharing (CORS). (Diagram: requests from Your Client and a 3rd Party Client to Your CORS Server and Your non-CORS Server.)

Slide 29. Storage Recommendations
    Use web storage only if your JWT library supports JWE.
    Validate X-XSRF-TOKEN server side if using cookies.
Slides 31-33. Sources

1. http://www.slideshare.net/stormpath/secure-your-rest-api-the-right-way
2. https://stormpath.com/blog/jwt-the-right-way/
3. http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1
4. http://www.slideshare.net/derekperkins/authentication-cookies-vs-jwts-and-why-youre-doing-it-wrong
5. "RESTful Web API" by Nicola Iarocci
6. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/
7. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
8. https://github.com/berngp/node-green-jwt
9. https://github.com/square/js-jose
10. https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies
11. https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
12. https://auth0.com/blog/2014/01/15/auth-with-socket-io/
13. http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/
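The server-side checks that slides 12 and 13 call for (reject `"alg": "none"`, verify the HS256 signature, then check the `iss`, `aud` and `exp` claims), as an added example that is not code from the talk or from the arusha-coders-api repository; the secret key is a constructed placeholder, and the issuer and audience values are the ones shown on the payload slide.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (not from the talk); issuer/audience as on slide 13.
SECRET = b"constructed-demo-secret"
ISSUER = "nerevu.com"
AUDIENCE = "89yfxg498"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SECRET, now=None) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))
    # Slide 12: reject "none" and pin the algorithm the server expects,
    # rather than dispatching on whatever the header claims.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Slide 13: issuer and audience must match this server; then check expiry.
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

Only the signature is checked in constant time; the claim checks run after it, so a forged token never reaches them.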