
Secure Your REST API (The Right Way)

We already showed you how to build a Beautiful REST+JSON API, but how do you secure it? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here's our playbook for securing a REST API.

Sign up for Stormpath: https://api.stormpath.com/register
More from Stormpath: https://stormpath.com/blog

Stormpath

May 30, 2014


Transcript

  1. Stormpath.com
     • User Management and Authentication API
     • Security for your applications
     • User security workflows
     • Security best practices
     • Developer tools, SDKs, libraries
  2. Authorization Header Format
     GET /accounts/x2b4jX3l31uiL HTTP/1.1
     Host: api.acme.com
     Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
     The header value is the scheme name, a single space, then the scheme-specific value. For Basic the value is the Base64 of "user:password"; the one shown is the RFC 2617 example and decodes to "Aladdin:open sesame", so anyone who can read the request has the password.
     Learn more at Stormpath.com
  3. Successful Response
     HTTP/1.1 200 OK
     Content-Type: application/json
     ...
     {
       "email": "[email protected]",
       "givenName": "Joe",
       "surname": "Smith",
       ...
     }
  4. Example: OAuth 1.0a
     GET /accounts/1234 HTTP/1.1
     Host: api.acme.com
     Authorization: OAuth realm="Photos",
       oauth_consumer_key="dpf43f3p2l4k3l03",
       oauth_signature_method="HMAC-SHA1",
       oauth_timestamp="137131200",
       oauth_nonce="wIjqoS",
       oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
       oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
     (The parameter values are the temporary-credentials request from RFC 5849. The signature is an HMAC over the method, URL and parameters, so the client secret itself never appears on the wire.)
  5. Example: OAuth 2 MAC
     GET /accounts/x2b4jX3l31uiL HTTP/1.1
     Host: api.acme.com
     Authorization: MAC id="h480djs93hd8",
       nonce="264095:dj83hs9s",
       mac="SLDJd4mg43cjQfElUs3Qub4L6xE="
     (The id names the key, the nonce makes each request unique, and the mac is computed over the request with the shared MAC key, which is never sent.)
  6. Ok, now that's out of the way
     • Please avoid Basic authc (authentication) if you can: the password itself goes out on every request.
     • Favor HMAC-SHA256 digest (request-signing) schemes over bearer-token schemes: a bearer token is usable by whoever captures it, while a signed request exposes neither the secret nor a reusable credential.
     • Use OAuth 1.0a or OAuth 2 (preferably MAC tokens).
     • Only use a custom scheme if you really, really know what you're doing.
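
The following is an added example (not code from the deck or from Stormpath) of what "HMAC-SHA256 digest over bearer token" looks like on both sides of the wire. The key store, the `X-Timestamp` header, the `keyId`/`signature` parameter names and the 300-second skew window are all assumptions for the demo; the secret is a constructed value.

```python
import hashlib
import hmac
import time

# Hypothetical key store: API key id -> secret (constructed values).
# A real service keeps the secrets encrypted at rest.
API_KEYS = {"x2b4jX3l31uiL": b"constructed-demo-secret-not-a-real-key"}

MAX_SKEW = 300  # seconds of clock drift the server tolerates (assumed value)


def canonical_string(method, path, timestamp, body):
    """String both sides sign: method, path, timestamp and SHA-256 of body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: headers for one request. The secret never leaves the client."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    msg = canonical_string(method, path, timestamp, body).encode("utf-8")
    signature = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Timestamp": str(timestamp),
        "Authorization": f"HMAC-SHA256 keyId={key_id}, signature={signature}",
    }


def verify_request(headers, method, path, body, now=None):
    """Server side: the key id that signed the request, or None on any failure.

    Unlike a bearer token, a captured request cannot be altered (the
    signature covers method, path and body) and cannot be replayed once
    its timestamp falls outside MAX_SKEW."""
    now = int(time.time()) if now is None else now
    scheme, _, params = headers.get("Authorization", "").partition(" ")
    if scheme != "HMAC-SHA256":
        return None
    fields = {}
    for part in params.split(","):
        name, _, value = part.strip().partition("=")
        fields[name] = value
    secret = API_KEYS.get(fields.get("keyId"))
    if secret is None:
        return None
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    if abs(now - timestamp) > MAX_SKEW:
        return None
    msg = canonical_string(method, path, timestamp, body).encode("utf-8")
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time compare: do not leak how many signature bytes matched.
    if not hmac.compare_digest(expected, fields.get("signature", "")):
        return None
    return fields["keyId"]
```

The timestamp window bounds replay but does not eliminate it; a production scheme adds a nonce cache (as the OAuth examples above do) if exact-once delivery matters.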
  7. 401 vs 403
     • 401 "Unauthorized" really means Unauthenticated: "You need valid credentials for me to respond to this request." A 401 must carry a WWW-Authenticate challenge naming the scheme(s) the server accepts.
     • 403 "Forbidden" really means Unauthorized: "I understood your credentials, but so sorry, you're not allowed!"
  8. HTTP Authorization
     • After authc, perform authz
     • Filter requests before invoking the MVC layer
     • Blanket security policies
     • Per-URI customization
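
Added example (not from the deck or from Stormpath) tying slides 2, 3, 7 and 8 together: a filter that runs before the MVC layer, parses the Authorization header into scheme and value, authenticates the Basic credential from slide 2, and then applies a blanket policy with per-URI overrides, answering 401 with a challenge when unauthenticated and 403 when authenticated but not permitted. The user table, the role names and the path-prefix policy are constructed for the demo; the plaintext password compare stands in for the hashed check a real store would do.

```python
import base64
import binascii
import hmac

# Constructed user store: username -> (password, roles). A real store holds
# password hashes, not plaintext.
USERS = {
    "Aladdin": ("open sesame", {"user"}),
    "root": ("hunter2", {"user", "admin"}),
}

# Blanket policy with per-URI customisation: (path prefix, role required).
POLICY = [("/admin", "admin"), ("/accounts", "user")]
DEFAULT_ROLE = "user"


def parse_authorization(value):
    """Split an Authorization header into (scheme, scheme-specific value)."""
    if not value:
        return None
    scheme, sep, rest = value.partition(" ")
    if not sep or not rest.strip():
        return None
    return scheme, rest.strip()


def authenticate_basic(credentials):
    """Return the username for a valid Basic credential, else None."""
    try:
        userpass = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = userpass.partition(":")
    if not sep or user not in USERS:
        return None
    if not hmac.compare_digest(USERS[user][0].encode(), password.encode()):
        return None
    return user


def required_role(path):
    """Most specific matching policy entry wins; otherwise the blanket default."""
    for prefix, role in POLICY:
        if path == prefix or path.startswith(prefix + "/"):
            return role
    return DEFAULT_ROLE


def filter_request(method, path, headers):
    """Run before the MVC layer: authenticate, then authorize.

    Returns (status, headers) for a rejected request, or (200, {}) to let
    the request through to the controller."""
    parsed = parse_authorization(headers.get("Authorization"))
    user = None
    if parsed and parsed[0] == "Basic":
        user = authenticate_basic(parsed[1])
    if user is None:
        # 401 really means "unauthenticated"; RFC 7235 requires a challenge.
        return 401, {"WWW-Authenticate": 'Basic realm="api.acme.com"'}
    if required_role(path) not in USERS[user][1]:
        # 403 really means "authenticated, but not authorized for this URI".
        return 403, {}
    return 200, {}
```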
  9. HTTP Authorization: OAuth
     • OAuth is an authorization protocol, NOT an authentication or SSO protocol.
     • "Can I see User X's email address please?"
     • NOT: "I want to authenticate User X w/ this username and password"
     • People still try to use OAuth for authentication; if you need that, use OpenID Connect, which is the authentication layer defined on top of OAuth 2.
  10. HTTP Authorization: OAuth
     • When OAuth 2 is a good fit: if your REST clients do NOT own the data they are attempting to read
     • When OAuth 2 isn't as good of a fit: if your REST client owns the data it is reading
       – Could still be fine if you're willing to incur some additional overhead
  11. HTTP Authorization: JWT
     • JWT = JSON Web Token
     • Still a draft spec (as of this talk), but clean & simple
     • JWTs can be digitally signed (JWS) and/or encrypted (JWE), and are URL friendly (base64url without padding)
     • Can be used as Bearer Tokens and for SSO
  12. API Keys, Not Passwords
     • Entropy (generated, not chosen by a human)
     • Independence (separate from the user's login password)
     • Speed (no slow password hashing on every request)
     • Reduced Exposure (the password itself never travels)
     • Traceability (each key identifies one client)
     • Rotation (keys can be rotated without changing a password)
  13. API Keys cont'd
     • Authenticate every request
     • Encrypt API key secret values at rest.
     • Avoid sessions (not RESTful)
     • Authc every request + no sessions = no XSRF attacks, because the credential is sent in an explicit Authorization header rather than in a cookie the browser attaches automatically.
  14. Identifiers
     • Should be opaque
     • SecureRandom, or a random (v4) / time-based (v1) UUID
     • URL-friendly 'Base62' encoding (0-9, A-Z, a-z only)
     • Avoid sequential numbers:
       – distribute ID generation load
       – mitigate fusking (URL enumeration) attacks
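
Added example (not from the deck or Stormpath) of generating the opaque, URL-friendly identifiers the slide asks for: 128 bits from the CSPRNG, or a random UUID, encoded in Base62. The alphabet ordering and the 16-byte default are choices made for the demo.

```python
import secrets
import uuid

# Base62 alphabet: digits, upper, lower. No '+', '/' or '=' so the id can
# sit in a path segment without percent-encoding.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def base62_encode(data):
    """Encode bytes as a Base62 string (leading zero bytes collapse, so the
    decoder needs the original length)."""
    n = int.from_bytes(data, "big")
    if n == 0:
        return ALPHABET[0]
    out = []
    while n:
        n, r = divmod(n, 62)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def base62_decode(text, length):
    """Inverse of base62_encode for a value known to be `length` bytes."""
    n = 0
    for ch in text:
        n = n * 62 + ALPHABET.index(ch)
    return n.to_bytes(length, "big")


def new_id(nbytes=16):
    """Opaque id from `nbytes` of CSPRNG output (128 bits by default).

    Nothing about the value reveals how many records exist or what the
    next one will be, which is what defeats URL enumeration."""
    return base62_encode(secrets.token_bytes(nbytes))


def uuid4_base62():
    """A random (version 4) UUID in Base62 (at most 22 chars) instead of
    its 36-character hex-with-dashes form."""
    return base62_encode(uuid.uuid4().bytes)
```

Contrast with a sequential id: given `/accounts/1234`, an attacker needs one request to guess `/accounts/1235`; given `/accounts/x2b4jX3l31uiL` there are roughly 62^13 candidates of that length alone.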
  15. Query Injection
     Vulnerable URL: foo.com/accounts?acctId=' or '1'='1
     String query = "select * from accounts where acct_id = '" + request.getParameter("acctId") + "'";
     Solution
     • Use a Parameterized Query API (Prepared Statements).
     • If not available, escape special chars
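
Added example (not from the deck or Stormpath) running the slide's payload against both forms of the query on a constructed in-memory SQLite table: the concatenated version returns every row, the parameterized version returns none. Table contents and column names are made up for the demo.

```python
import sqlite3


def make_db():
    """Constructed accounts table standing in for the real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct_id TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("x2b4jX3l31uiL", "joe@example.com"), ("a9Fq2", "jane@example.com")],
    )
    return conn


def lookup_vulnerable(conn, acct_id):
    """The slide's pattern: the request parameter is spliced into SQL text,
    so a value containing quotes rewrites the WHERE clause."""
    query = "select * from accounts where acct_id = '" + acct_id + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, acct_id):
    """Parameterized query: the value is bound to the placeholder and is
    never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "select * from accounts where acct_id = ?", (acct_id,)
    ).fetchall()
```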
  16. Redirects and Forwards
     • Avoid redirects and forwards if possible
     • If used, validate the value and ensure it is authorized for the current user.
     foo.com/redirect.jsp?url=evil.com
     foo.com/whatever.jsp?fwd=admin.jsp
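
Added example (not from the deck or Stormpath) of validating both parameters from the slide: the `url` value is accepted only if it is a local path or points at an allowlisted host, and the `fwd` value is resolved through a fixed table that also records which role may use each target. The host allowlist, the forward table and the role names are assumptions for the demo.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"foo.com", "www.foo.com"}  # assumed allowlist for redirects

# Forwards are never taken from the raw parameter: name -> (target, role).
FORWARDS = {
    "home": ("/home.jsp", "user"),
    "admin": ("/admin.jsp", "admin"),
}


def safe_redirect_target(value, default="/"):
    """Return `value` if it stays on this site or an allowed host, else `default`.

    Rejects other hosts, scheme-relative //evil.com, bare hostnames,
    userinfo tricks (https://foo.com@evil.com), backslash variants and
    non-http schemes such as javascript:."""
    if not value:
        return default
    candidate = value.replace("\\", "/")  # browsers treat \ as / in URLs
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc:
        host = parts.netloc.split("@")[-1].split(":")[0].lower()
        return candidate if host in ALLOWED_HOSTS else default
    # No authority: must be a site-relative path, and not // (protocol-relative).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


def safe_forward(name, roles):
    """Resolve a forward by name and check the current user may reach it."""
    entry = FORWARDS.get(name)
    if entry is None or entry[1] not in roles:
        return None
    return entry[0]
```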
  17. TLS
     • Use TLS for everything
     • Once a connection or session is on TLS:
       – Never revert
       – Never switch back and forth
     • Cookies: set the 'Secure' and 'HttpOnly' flags for secure cookies
     • Backend/infrastructure connections use TLS too
  18. TLS Cont'd
     • Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms
     • Use cipher suites w/ Perfect Forward Secrecy!
       – e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     • Keep your TLS certificates valid
     • But beware, TLS isn't foolproof
       – App-level encryption + TLS for most secure results
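
Added example (not from the deck or Stormpath) for slides 17 and 18 in Python's standard library: a client TLS context restricted to TLS 1.2+, certificate and hostname verification, and ECDHE-only AEAD suites so every connection has forward secrecy, plus the cookie flags from slide 17. The cipher string is one reasonable choice, not the only one, and the exact suites available depend on the OpenSSL build.

```python
import ssl
from http.cookies import SimpleCookie


def hardened_client_context():
    """TLS 1.2 or newer, certificates and hostnames verified, and for TLS 1.2
    only ECDHE key exchange with AEAD ciphers (AES-GCM or ChaCha20)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def forward_secrecy_only(ctx):
    """True when every negotiable TLS 1.2 suite uses an (EC)DHE key exchange.

    TLS 1.3 suites always use ephemeral Diffie-Hellman, so they are skipped;
    a static-RSA suite such as AES256-GCM-SHA384 makes this return False."""
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue
        if not cipher["name"].startswith(("ECDHE-", "DHE-")):
            return False
    return True


def secure_cookie_header(name, value):
    """Set-Cookie value with the two flags from slide 17: Secure keeps the
    cookie off plaintext connections, HttpOnly keeps it away from scripts."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()
```

Slide 17's "never revert" is enforced by a TLS-only listener plus HSTS on the web tier; nothing in the client context above can stop a server that still answers on port 80.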
  19. Configuration
     • CI: Security Testing
     • Security Patches
     • Regularly scan/audit
     • Same config in Dev, Prod, QA* (Docker is great for this!)
     • Externalize passwords/credentials
     * Except credentials of course
  20. Storage
     • Sensitive data encrypted at rest
     • Encrypt offsite backups
     • Strong algorithms/standards
     • Strong encryption keys and key mgmt
     • Strong password hashing
     • External key storage
     • Encrypted file system (e.g. eCryptfs)
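
Added example (not from the deck or Stormpath) of the "strong password hashing" bullet: salted PBKDF2-HMAC-SHA256 with a tunable work factor, a self-describing stored record, constant-time verification, and a check for records whose work factor has fallen behind policy. The record format and the 600,000-iteration default are choices for the demo; tune the count to your hardware. Note the distinction from slide 13: user passwords are hashed because the server never needs them back, while API key secrets used for HMAC must be encrypted, since the server has to recover them to verify signatures.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; aim for ~100 ms per hash on your servers


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte salt per password means identical passwords produce
    different records and precomputed tables are useless."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """True if `password` matches the stored record; malformed records fail closed."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time compare so timing does not reveal matching prefixes.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record uses a weaker work factor (or an unexpected
    algorithm) than current policy; rehash on the next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True
```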
  21. Stormpath.com
     • Free for developers
     • Eliminate months of development
     • Automatic security best practices
     Sign Up Now: Stormpath.com