
Securing Your (RESTful) API

Options on securing Your (RESTful) API with a focus on JSON web tokens (JWTs) and web storage. View code at https://github.com/reubano/arusha-coders-api.

Reuben Cummings

May 05, 2015

Transcript

  1. Securing your (RESTful) API
    Reuben Cummings
    @reubano
    Arusha Coders
    May 5, 2015 (Updated May 10, 2015)

  2. What’s an API?
    An application programming
    interface (API) is a
    standardized way of accessing
    data from a web server

  3. What’s an API?
    Diagram: the Client sends a request to the Server, and the Server returns data.

  4. What’s REST?
    Representational State
    Transfer (REST) is an
    architecture for designing
    networked applications

  5. What’s REST?
    It uniquely identifies data
    resources via HTTP URIs
    /api.example.com/bike
    /api.example.com/user
    /api.example.com/car/43

  6. What’s REST?
    A standard interface for
    interacting with resources
    GET /api.example.com/bike/300
    {"brand": "Schwinn", "color": "red"}

  7. What’s REST?
    Stateless: does not require
    the server to retain session
    information about each user

  8. What’s REST?
    Scalable: easy to add more
    servers since they don’t have
    to sync session state

  9. Authentication Options
    Passwords
    Sessions
    JSON Web Tokens (JWTs)
    API Keys, OAuth, etc.

  10. What’s a JSON Web Token?
    A base64-encoded JSON
    object that represents a
    payload to be transferred
    between two parties.

  11. What’s a JSON Web Token?
    The JSON object is digitally
    signed using a JSON Web
    Signature (JWS) and
    optionally encrypted using
    JSON Web Encryption (JWE).

  12. JWTs: Header
    {
      "alg": "HS256",  // algorithm (reject token if "alg" == "none")
      "typ": "JWT"     // type
    }

  13. JWTs: Payload (Claims)
    {
      "sub": "[email protected]",  // Subject (user)
      "iss": "nerevu.com",         // Issuer (server)
      "aud": "89yfxg498",          // Audience (ClientID)
      "iat": 1300819370,           // Issued At (timestamp)
      "exp": 1300819380            // Expiration Time
    }
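    The header and claim checks from slides 12 and 13, as an added example (not code from the deck or the arusha-coders-api repo): a stdlib-only HS256 issuer and verifier that pins the algorithm (so "alg": "none" is refused), compares the signature in constant time, and validates iss, aud and exp. The secret and the sample claims are constructed for the example; the issuer and audience values are the ones shown on slide 13.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; load from config in practice


def b64url(data):  # JWT uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims, secret):
    """Issue header.payload.signature using the HS256 header from slide 12."""
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token, secret, issuer, audience, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: this rejects "alg": "none" and any alg the server never issues.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):  # exp is a UNIX timestamp, as on slide 13
        raise ValueError("token expired")
    return claims


def check_token(token, secret, issuer, audience, now=None):
    """Wrapper returning 'ok' or the reason the token was rejected."""
    try:
        verify_jwt(token, secret, issuer, audience, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```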

  14. http://jwt.io

  15. Authentication Showdown
                 Passwords   Sessions   JWTs
    Stateless    Yes         No         Yes
    Expirable    No          Yes        Yes
    Scopeable    No          No         Yes
    Multiple     No          No         Yes

  16. JWTs rock!
    But where do you store the
    token once you have it?
    Authentication Showdown

  17. JWT Client Storage Options
    Cookies vs Web Storage

  18. Authentication Steps: Login with username and password
                      Cookies                       Web Storage (session/local)
    Client Action     send username & password      send username & password
    Server Action     verify username & password    verify username & password

  19. Authentication Steps: Receive JWT
                      Cookies                         Web Storage (session/local)
    Server Action     Set `Cookie` Header with JWT    Set response body with JWT
    Client Action     No action                       Save JWT to storage

  20. Authentication Steps: Use JWT for subsequent requests
                      Cookies                                 Web Storage (session/local)
    Client Action     No action                               Set `Authorization` Header with JWT
    Server Action     Parse `Cookie` Header and verify JWT    Parse `Authorization` Header and verify JWT

  21. Authentication Steps: “Logout” by deleting JWT
                      Cookies                          Web Storage (session/local)
    Client Action     Set expiration to a past date    Clear storage value
    Server Action     No action                        No action

  22. Browser Exploits: man-in-the-middle attack (MITM)
    Diagram: normal traffic flows directly between Your Client and Your Server; intercepted traffic is relayed through the Attacker’s Server.

  23. Browser Exploits: cross-site scripting (XSS)
    Diagram (browser): Your Client runs Your JS and Vendor JS side by side, and both can reach Your data.

  24. Browser Exploits: cross-site request forgery (CSRF)
    Diagram (browser): the Attacker’s Client gets the User’s browser to send a request to Your Server, with the User’s Cookie for Your Client attached.

  25. JWT Client Storage Showdown: Exploit Vulnerability
            Cookies       Web Storage (session/local)
    MITM    Vulnerable    Vulnerable
    CSRF    Vulnerable    Immune
    XSS     Vulnerable    Vulnerable

  26. JWT Client Storage Showdown: Exploit Mitigation Steps
            Cookies                      Web Storage (session/local)
    MITM    set `Secure` flag            use HTTPS
    CSRF    set `X-XSRF-TOKEN` header    No action needed
    XSS     set `HttpOnly` flag          use JSON Web Encryption (JWE) [8,9]

  27. Cross Origin Resource Sharing (CORS)
    Diagram: requests from Your Client and from a 3rd Party Client to Your CORS Server and to Your non-CORS Server.

  28. JWT Client Storage Showdown: Features
                       Cookies    Web Storage (session/local)
    Mobile Friendly    No         Yes
    CORS Friendly      No         Yes

  29. Storage Recommendations
    Use web storage only if your
    JWT library supports JWE
    Validate X-XSRF-TOKEN
    server side if using cookies
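    The cookie-side handling from slides 20, 21, 26 and 29, as an added example that is not code from the deck or the arusha-coders-api repo: issuing the JWT cookie with the `Secure` and `HttpOnly` flags, expiring it on logout, extracting the JWT from either the `Authorization` header or the `Cookie` header, and validating `X-XSRF-TOKEN` server side. It assumes a cookie named `jwt` and the Angular-style `XSRF-TOKEN` cookie / `X-XSRF-TOKEN` header pair; both names are my assumptions, not the deck's.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "jwt"            # assumed name of the cookie that carries the JWT
XSRF_COOKIE = "XSRF-TOKEN"     # assumed: Angular-style cookie/header pair for the CSRF token
XSRF_HEADER = "X-XSRF-TOKEN"


def jwt_cookie_header(token, max_age):
    """Set-Cookie value with the slide-26 flags: Secure (HTTPS only, MITM) and HttpOnly (no page JS, XSS)."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["max-age"] = max_age
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()


def logout_cookie_header():
    """Slide 21: 'log out' by expiring the cookie; the JWT itself stays valid until its exp."""
    c = SimpleCookie()
    c[COOKIE_NAME] = ""
    c[COOKIE_NAME]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    c[COOKIE_NAME]["max-age"] = 0
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()


def new_xsrf_token():
    """Random per-session value, set in a non-HttpOnly cookie so the client JS can echo it back."""
    return secrets.token_urlsafe(32)


def csrf_ok(headers, cookie_header):
    """Double-submit check: the X-XSRF-TOKEN header must match the XSRF-TOKEN cookie.
    A cross-site forgery gets the cookie attached automatically but cannot set the header."""
    cookies = SimpleCookie(cookie_header or "")
    sent = headers.get(XSRF_HEADER, "")
    expected = cookies[XSRF_COOKIE].value if XSRF_COOKIE in cookies else ""
    return bool(sent) and hmac.compare_digest(sent, expected)


def token_from_request(headers, cookie_header):
    """Slide 20: web-storage clients send Authorization: Bearer <jwt>; cookie clients send it in Cookie."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    cookies = SimpleCookie(cookie_header or "")
    return cookies[COOKIE_NAME].value if COOKIE_NAME in cookies else None
```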

  30. https://github.com/reubano/arusha-coders-api

  31. Sources
    1. http://www.slideshare.net/stormpath/secure-your-rest-api-the-right-way
    2. https://stormpath.com/blog/jwt-the-right-way/
    3. http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1
    4. http://www.slideshare.net/derekperkins/authentication-cookies-vs-jwts-and-why-youre-doing-it-wrong

  32. Sources
    5. “RESTful Web API” by Nicola Iarocci
    6. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/
    7. https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
    8. https://github.com/berngp/node-green-jwt
    9. https://github.com/square/js-jose

  33. Sources
    10. https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies
    11. https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
    12. https://auth0.com/blog/2014/01/15/auth-with-socket-io/
    13. http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/

  34. Sources
    14. https://auth0.com/blog/2015/03/10/blacklist-json-web-token-api-keys/

  35. Questions??
    Thank you!
    Reuben Cummings
    @reubano