Erick Tedeschi, Secure Development Engineer at Walmart.com, spoke about 'Applying security controls to APIs' at iMasters PHP Experience 2015.
iMasters PHP Experience 2015 took place on April 25, 2015, at the Hotel Renaissance in São Paulo-SP - http://phpexperience.imasters.com.br/
3. Agenda
• Unauthorized x forbidden status code
• Rate Limiting / Throttle Control
• Protecting IDs
• JWT – Authentication/Authorization
• Internet Facing Example
• Internal API Example
4. Unauthorized x forbidden status code
401 Unauthorized: trying to reach a resource with invalid authorization or without authorization.
403 Forbidden: "Bro, no matter who you are, I will not respond to you."
References:
http://tools.ietf.org/html/rfc2616#section-10.4.2
7. Rate Limiting / Throttle Control
Common headers used (time window: 1 hour):
X-RateLimit-Limit: 500
X-RateLimit-Remaining: 253
X-RateLimit-Reset: 1429962300
RFC 6585 (Additional HTTP Status Codes): 429 Too Many Requests
References:
http://tools.ietf.org/html/rfc6585#section-4
http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers
8. Rate Limiting / Throttle Control
"This is a sample code snippet just for better understanding. In a production environment, please improve it."
Library used: https://github.com/fustundag/tokenbucket
9. Rate Limiting / Throttle Control
Recommendations
• Choose an algorithm (e.g. Token Bucket, Leaky Bucket, your own…)
• Make the limits configurable (application/API properties.ini)
• Avoid a storage backend that is I/O-heavy
Good: Hazelcast, Redis, Memcached
Bad: relational SQL, FILE/Session (oh my God)
• GET may have a different limit when compared to POST, PUT, DELETE
• Monitoring (SOC – Security Operations Center): top requesters; average number of 429 responses returned
References:
http://tools.ietf.org/html/rfc6585#section-4
http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers
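As an added example (not the speaker's snippet, which used the fustundag/tokenbucket PHP library), the following Python puts slides 7 to 9 together: a token bucket per (client, method) with a one-hour window, the three X-RateLimit-* headers and a 429 with Retry-After when the bucket is empty, separate limits per HTTP method, and the two counters the SOC slide asks for. The limits, clients and timestamps are constructed; the in-memory dict stands in for the Redis/Memcached store recommended on slide 9.

```python
import math

# Constructed configuration: one-hour window and a separate limit per HTTP method
# (slide 9: GET may have a different limit than POST/PUT/DELETE).
WINDOW_SECONDS = 3600
LIMITS = {"GET": 500, "POST": 100, "PUT": 100, "DELETE": 50}


class TokenBucket:
    """Token bucket refilled continuously at capacity / window tokens per second."""

    def __init__(self, capacity, window, now):
        self.capacity = capacity
        self.rate = capacity / window  # tokens per second
        self.tokens = float(capacity)
        self.updated = now

    def _refill(self, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.rate)
        self.updated = now

    def try_consume(self, now):
        """Take one token if available; False means the client is over its limit."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def remaining(self):
        return int(self.tokens)

    def seconds_until(self, tokens_needed):
        """Seconds until the bucket holds `tokens_needed` tokens (0 if it already does)."""
        missing = tokens_needed - self.tokens
        return 0 if missing <= 0 else math.ceil(missing / self.rate)


class RateLimiter:
    """Per-(client, method) buckets plus the counters a SOC dashboard would read.

    The dicts below stand in for the shared store (Redis/Memcached/Hazelcast);
    the logic is unchanged once get/set go over the network."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self.buckets = {}
        self.requests = {}    # client -> total requests (top requesters)
        self.rejections = {}  # client -> number of 429s returned

    def handle(self, client, method, now):
        """Returns (status, headers); the caller serves the resource only on 200."""
        # Unknown methods get the most restrictive configured limit.
        limit = self.limits.get(method, min(self.limits.values()))
        key = (client, method)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(limit, self.window, now)
        allowed = bucket.try_consume(now)
        self.requests[client] = self.requests.get(client, 0) + 1
        headers = {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(bucket.remaining()),
            # Epoch second at which the bucket is full again.
            "X-RateLimit-Reset": str(int(now) + bucket.seconds_until(limit)),
        }
        if allowed:
            return 200, headers
        self.rejections[client] = self.rejections.get(client, 0) + 1
        # RFC 6585 allows Retry-After with 429: seconds until one token is back.
        headers["Retry-After"] = str(max(1, bucket.seconds_until(1)))
        return 429, headers

    def top_requesters(self, n=5):
        return sorted(self.requests.items(), key=lambda kv: kv[1], reverse=True)[:n]

    def average_429_per_client(self):
        if not self.requests:
            return 0.0
        return sum(self.rejections.values()) / len(self.requests)
```

Keying the bucket on (client, method) is what makes the per-method limits on slide 9 work without a second limiter; the reset header is computed from the bucket state rather than from a fixed clock so it stays truthful under continuous refill.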
11. Protecting IDs
"The intent of UUIDs is to enable distributed systems to uniquely identify information without significant central coordination"
Source: http://en.wikipedia.org/wiki/Universally_unique_identifier
• Avoid sequential / guessable identifiers
/api/v1/user/234
• Use something like a UUID instead
/api/v1/user/123e4567-e89b-12d3-a456-426655440000
• Avoid putting sensitive information in path or query parameters
/api/v1/customer/phone/551130304040
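As an added example (not from the talk), one way to apply this slide without changing the database schema: keep the sequential primary key internal, attach a random UUIDv4 to each record as the only identifier clients ever see, and have the route handler reject anything that is not a well-formed UUID before it reaches the database. The in-memory map and the user id 234 are constructed stand-ins.

```python
import re
import uuid

# Strict UUID check: 8-4-4-4-12 lowercase hex with valid version and variant nibbles.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


class PublicIdMap:
    """Constructed stand-in for a DB table: the row keeps its sequential primary key
    internally and gets a random UUIDv4 that is the only id ever shown to clients."""

    def __init__(self):
        self._internal_by_public = {}
        self._public_by_internal = {}

    def register(self, internal_id):
        public_id = str(uuid.uuid4())  # 122 random bits, not derivable from a neighbour
        self._internal_by_public[public_id] = internal_id
        self._public_by_internal[internal_id] = public_id
        return public_id

    def public_id_for(self, internal_id):
        return self._public_by_internal.get(internal_id)

    def resolve(self, public_id):
        return self._internal_by_public.get(public_id)


def lookup_user(path, id_map):
    """Route handler for /api/v1/user/<id>. Returns (status, internal_id).

    A malformed id (such as the sequential '234') and an unknown UUID both get 404,
    so the status code does not reveal whether a record exists."""
    match = re.match(r"^/api/v1/user/([^/]+)$", path)
    if not match:
        return 404, None
    candidate = match.group(1).lower()
    if not UUID_RE.match(candidate):
        return 404, None
    internal_id = id_map.resolve(candidate)
    if internal_id is None:
        return 404, None
    return 200, internal_id
```

Validating the format first also keeps junk identifiers out of the query path entirely; the mapping table is the only place where public and internal ids meet.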
12. JOSE (JavaScript Object Signing and Encryption)
JWT: JSON Web Token
JWA: JSON Web Algorithms
JWK: JSON Web Key
JWS: JSON Web Signature (integrity)
JWE: JSON Web Encryption (confidentiality)
13. JWT Characteristics
• Stateless
• URL-safe
• Intended for space-constrained environments: HTTP headers (like Authorization), URI query parameters
• Avoids CSRF (the token is sent explicitly by the client, not as a browser-managed cookie)
• Flexible
• Interoperable
14. JWT - Claims
Reserved:
iss: issuer
sub: subject
aud: audience
exp: expiration time
nbf: not before time
iat: issued at time
jti: JWT id
Public: registered at IANA
Private: internal use; document them to your clients
20. JWT Internet Facing Example
(Diagram: a client on the Internet ("Interwebs") reaches myapp.com via UltraDNS, which routes to an app instance in Cloud A (US) or Cloud B (BR); both app instances hold the same key.)
21. JWT Internal API Example
Application A (private key, signs the JWT) -> Application B (public key, verifies it)
PAYLOAD:
{
  "iss": "application A",
  "iat": 1429932376,
  "exp": 1429932676,   // 5 minutes
  "aud": "application B",
  "jti": "1234567890abcdef",
  "req": {
    "method": "POST",
    "path": "/api/v1/payment/pay",
    "data": hash(data)   // hash of the request body
  }
}
Request:
POST /api/v1/payment/pay
Authorization: Bearer jwtH.jwtP.jwtS
{'from':'xpto','to':'xyz','amount':66.66}
JWT Storage: Application B stores the received JWTs until their expiration, so a replayed token is rejected.
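The two sides of slide 21, with the claim checks from slide 14, as an added Python example that is not code from the talk. The slide's design uses an RSA key pair (Application A signs with its private key, Application B verifies with the public key); this example substitutes HS256 with a constructed shared secret so it runs on the standard library alone, and the payload values (issuer, audience, jti, timestamps, the payment body) are the slide's own. `hash(data)` is implemented as SHA-256 of the request body, and the "JWT storage" box is the JtiStore replay cache.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret. The slide uses an RSA key pair; HS256 is substituted
# here so the example has no dependency beyond the standard library.
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "application A"
AUDIENCE = "application B"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def body_hash(body):
    """The 'data' claim: SHA-256 of the request body, binding the token to it."""
    return hashlib.sha256(body).hexdigest()


def _compact(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_jwt(method, path, body, jti, now, ttl=300):
    """Application A: sign a token valid for exactly one request (5-minute lifetime)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER, "iat": now, "exp": now + ttl, "aud": AUDIENCE, "jti": jti,
        "req": {"method": method, "path": path, "data": body_hash(body)},
    }
    signing_input = _compact(header) + "." + _compact(payload)
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


class JtiStore:
    """Application B's 'JWT storage': remembers each jti until its exp has passed."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def first_use(self, jti, exp, now):
        for stale in [k for k, e in self._seen.items() if e <= now]:
            del self._seen[stale]
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def verify_request(token, method, path, body, store, now):
    """Application B: returns (ok, reason); reason is 'ok' only when every check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError:
        return False, "malformed"
    # Pin the algorithm: the token must never choose it (alg 'none', key confusion).
    if header.get("alg") != "HS256":
        return False, "alg"
    expected = hmac.new(SECRET, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature"
    payload = json.loads(b64url_decode(p64))
    if payload.get("iss") != ISSUER:
        return False, "iss"
    if payload.get("aud") != AUDIENCE:
        return False, "aud"
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    if now < payload.get("nbf", payload.get("iat", 0)):
        return False, "not yet valid"
    req = payload.get("req", {})
    if req.get("method") != method or req.get("path") != path:
        return False, "request mismatch"
    if not hmac.compare_digest(str(req.get("data", "")), body_hash(body)):
        return False, "body hash"
    jti = payload.get("jti")
    if not jti or not store.first_use(jti, exp, now):
        return False, "replay"
    return True, "ok"
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the verifier rather than taken from the header, and the jti is recorded only after everything else passed, so a rejected token never occupies a slot in the replay store.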
22. References
• JOSE
  • JWT: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
  • JWA: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms
  • JWK: https://tools.ietf.org/html/draft-ietf-jose-json-web-key
  • JWS: https://tools.ietf.org/html/draft-ietf-jose-json-web-signature
  • JWE: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40
• PHP JWT Libraries
  • https://github.com/lcobucci/jwt (JWS with shared secret and RSA)
  • https://github.com/Spomky-Labs/jose (JW{T,A,K,S,E} fully supported)
• Do you want to create your own library?
  • Examples of protecting content using JWT: https://tools.ietf.org/html/draft-ietf-jose-cookbook-08
• Using JWTs as API Keys
  • https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/
  • http://www.thread-safe.com/2014/05/wt-and-jose-have-won-special-european.html
  • https://securityblog.redhat.com/2015/04/01/jose-json-object-signing-and-encryption/