SlideShare ist ein Scribd-Unternehmen logo

Aplicando controles de segurança em API’s, por Erick Tedeschi

iMasters
iMasters

Erick Tedeschi, Secure Development Engineer do Walmart.com, falou sobre 'Aplicando controles de segurança em API’s' no iMasters PHP Experience 2015. O iMasters PHP Experience 2015 aconteceu dia 25 de Abril de 2015, no Hotel Renaissance em São Paulo-SP - http://phpexperience.imasters.com.br/

Internet
1 von 23
Applying Security Controls on REST APIs @ericktedeschi Apr 2015
Disclaimer Information shared in this presentation does not represents any position or opinions of Walmart Global E-Commerce BR
Agenda • Unauthorized x forbidden status code • Rate Limiting / Throttle Control • Protecting IDs • JWT – Authentication/Authorization • Internet Facing Example • Internal API Example
Unauthorized x forbidden status code References: http://tools.ietf.org/html/rfc2616#section-10.4.2 Trying to reach a resource with invalid authorization or without authorization Bro, no matter Who you are, I will Not respond to you.
Trying to reach a resource with invalid authorization or without authorization Bro, no matter Who you are, I will Not respond to you. References: http://tools.ietf.org/html/rfc2616#section-10.4.2 Unauthorized x forbidden status code
Rate Limiting / Throttle Control
Rate Limiting / Throttle Control Common Headers Used Time Window: 1 Hour X-RateLimit-Limit: 500 X-RateLimit-Remaining: 253 X-RateLimit-Reset: 1429962300 RFC6586 AdditionalHTTP StatusCode 429 Too Many Requests References: http://tools.ietf.org/html/rfc6585#section-4 http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers
Rate Limiting / Throttle Control “this is a sample code snippet just to a better understanding. In production env, please improve it." Library used: https://github.com/fustundag/tokenbucket
Rate Limiting / Throttle Control Recommendations  Choose an algorithm (e.g. Token Bucket, Leaky Bucket, your own…)  Parameterized (application/API properties.ini)  Avoid to use a storage that abuses I/O  Good  Hazelcast  Redis  Memcached  Bad  Relational SQL  FILE/Session (oh my God)  GET may have different limit when compared to POST, PUT, DELETE  Monitoring (SOC – Security Operations Center)  Top Requesters  Average of how many 429 were returned References: http://tools.ietf.org/html/rfc6585#section-4 http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers
Protecting IDs Source: http://www.securityinform.com/2014/06/12/gmail-token-vulnerability-could-have-exposed-every-email-addresses-hosted-on-google/ https://mail.google.com/mail/ mdd-f825a3f2b2-fulano.ciclano%40gmail.com-ccD8J0x6P6JNSLS36vR6Z_sHAb3
Protecting IDs “The intent of UUIDs is to enable distributed systems to uniquely identify information without significantcentral coordination” Source: http://en.wikipedia.org/wiki/Universally_unique_identifier • Avoid sequential / guessable identification /api/v1/user/234 • Use something like UUID instead /api/v1/user/123e4567-e89b-12d3-a456-426655440000 • Avoid to use sensitive information in query params /api/v1/customer/phone/551130304040
JOSÉ JWT JSON Web Token JWA JSON Web Algorithms JWK JSON Web Key JWS JSON Web Signature JWE JSON Web Encryption integrity confidentiality JavaScript Object Signing and Encryption
JWT Characteristics  Stateless  URL-Safe  Intended for space constrained environments  HTTP Headers (like Authorization)  URI Query Parameters  Avoid CSRF  Flexible  Interoperable
JWT - Claims  Reserved  iss: issuer  sub: subject  aud: audience  exp: expiration time  nbf: not before time  iat: issued at time  jti: jwt id  Public  Registered at IANA  Private  Internal use  Document to clients
JWS – Compact Serialization eyJ0eXAiOiJKV1QiLCJ hbGciOiJIUzI1NiJ9.e yJpc3MiOiJpc3N1ZXIu ZXhhbXBsZS5jb20iLCJ pYXQiOjE0Mjk2NTc0Nj UsImV4cCI6MTQyOTY1O DcwOCwiYXVkIjoid3d3 LmV4YW1wbGUuY29tIiw ic3ViIjoiZXJpY2tAZX hhbXBsZS5jb20iLCJHa XZlbk5hbWUiOiJFcmlj ayBUZWRlc2NoaSIsIlJ vbGVzIjpbInBvc3RzOn J3IiwiY29tbWVudHM6c iJdfQ.X4iwLqW2Bze2W lTxfn8v1EIqgfCRql6a VYSLpN22HSU JOSE Header Payload Signature
JWS – Compact Serialization { "typ": "JWT", "alg": "HS256" } JOSE Header Payload Signature { "iss": "issuer.example.com", "iat": 1429657465, "exp": 1429658708, "aud": "www.example.com", "sub": "erick@example.com", "GivenName": "Erick Tedeschi", "Roles": [ "posts:rw", "comments:r" ] } HmacSha256( base64UrlEncode($header) . “.” . base64UrlEncode($payload), “secret”);
Session Based Flow
JWT Internet Facing Example
JWT Internet Facing Example
Interwebs Cloud A Cloud B App Instance App Instance Key KeySame key Client US BR JWT Internet Facing Example UltraDNS myapp.com
JWT Internal API Example Application A Private Key Application B Public Key PAYLOAD { "iss": "application A", "iat": 1429932376, "exp": 1429932676, // 5minutes "aud": "application B", "jti": "1234567890abcdef", "req": { "method": "POST" "path": "/api/v1/payment/pay" "data": hash(data) } } JWT Storage POST /api/v1/payment/pay Authorization: Bearer jwtH.jwtP.jwtS {'from':'xpto','to':'xyz','amount':66.66} Stores jwts until its expiration
References • JOSE • JWT: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32 • JWA: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms • JWK: https://tools.ietf.org/html/draft-ietf-jose-json-web-key • JWS: https://tools.ietf.org/html/draft-ietf-jose-json-web-signature • JWE: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40 • PHP JWT Libraries • https://github.com/lcobucci/jwt(JWS with SharedSecret and RSA) • https://github.com/Spomky-Labs/jose (JW{T,A,K,SE} fully supported) • Do you want to create your own library? • Examples of protecting content using JWT: https://tools.ietf.org/html/draft-ietf-jose- cookbook-08 • Using JWTs as API Keys • https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/ • http://www.thread-safe.com/2014/05/wt-and-jose-have-won-special-european.html • https://securityblog.redhat.com/2015/04/01/jose-json-object-signing-and-encryption/
GET /logout?token=f.i.n.i.s.h E-mail: erick@oerick.com Twitter: http://twitter.com/ericktedeschi LinkedIn: https://www.linkedin.com/in/ericktedeschi

Empfohlen

OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24Nov Matake
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 
Full stack security
Full stack securityFull stack security
Full stack securityDPC Consulting Ltd
 
Security Issues in HTML 5
Security Issues in HTML 5Security Issues in HTML 5
Security Issues in HTML 5Wasif Altaf
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRFzakieh alizadeh
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 

Empfohlen

OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24Nov Matake
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 
Full stack security
Full stack securityFull stack security
Full stack securityDPC Consulting Ltd
 
Security Issues in HTML 5
Security Issues in HTML 5Security Issues in HTML 5
Security Issues in HTML 5Wasif Altaf
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRFzakieh alizadeh
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
Workshop : Application Security
Workshop : Application SecurityWorkshop : Application Security
Workshop : Application SecurityPriyanka Aash
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackFITC
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016Nov Matake
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middlewareijtsrd
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzingBlueinfy Solutions
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications SecureAryashree Pritikrishna
 
Security vulnerabilities - 2018
Security vulnerabilities - 2018Security vulnerabilities - 2018
Security vulnerabilities - 2018Marius Vorster
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)vinayh.vaghamshi _
 
Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWTTuyen Vuong
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Web Hacking
Web HackingWeb Hacking
Web HackingInformation Technology
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockownerkhan
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
The Hitchhiker's Guide to the Land of OAuth
The Hitchhiker's Guide to the Land of OAuthThe Hitchhiker's Guide to the Land of OAuth
The Hitchhiker's Guide to the Land of OAuthChris Adriaensen
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5Aditya Kamat
 

Weitere ähnliche Inhalte

Was ist angesagt?

Workshop : Application Security
Workshop : Application SecurityWorkshop : Application Security
Workshop : Application SecurityPriyanka Aash
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackFITC
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016Nov Matake
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middlewareijtsrd
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
Security vulnerabilities - 2018
Security vulnerabilities - 2018Security vulnerabilities - 2018
Security vulnerabilities - 2018Marius Vorster
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior
 
Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWTTuyen Vuong
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockownerkhan
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
The Hitchhiker's Guide to the Land of OAuth
The Hitchhiker's Guide to the Land of OAuthThe Hitchhiker's Guide to the Land of OAuth
The Hitchhiker's Guide to the Land of OAuthChris Adriaensen
 

Was ist angesagt? (20)

Workshop : Application Security
Workshop : Application SecurityWorkshop : Application Security
Workshop : Application Security
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN Stack
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016
 
CSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using MiddlewareCSRF Attacks and its Defence using Middleware
CSRF Attacks and its Defence using Middleware
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Security vulnerabilities - 2018
Security vulnerabilities - 2018Security vulnerabilities - 2018
Security vulnerabilities - 2018
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWT
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
The Hitchhiker's Guide to the Land of OAuth
The Hitchhiker's Guide to the Land of OAuthThe Hitchhiker's Guide to the Land of OAuth
The Hitchhiker's Guide to the Land of OAuth
 

Ähnlich wie Aplicando controles de segurança em API’s, por Erick Tedeschi

UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5Aditya Kamat
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QAFest
 
FIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFIWARE
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular jsStormpath
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Beyond API Authorization
Beyond API AuthorizationBeyond API Authorization
Beyond API AuthorizationJared Hanson
 
apidays LIVE Helsinki & North 2022_Financial-Grade Security for APIs
apidays LIVE Helsinki & North 2022_Financial-Grade Security for APIsapidays LIVE Helsinki & North 2022_Financial-Grade Security for APIs
apidays LIVE Helsinki & North 2022_Financial-Grade Security for APIsapidays
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 

Ähnlich wie Aplicando controles de segurança em API’s, por Erick Tedeschi (20)

UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
 
FIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFIWARE Identity Management and Access Control
FIWARE Identity Management and Access Control
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access Control
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
 
UMA for ACE
UMA for ACEUMA for ACE
UMA for ACE
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Beyond API Authorization
Beyond API AuthorizationBeyond API Authorization
Beyond API Authorization
 
apidays LIVE Helsinki & North 2022_Financial-Grade Security for APIs
apidays LIVE Helsinki & North 2022_Financial-Grade Security for APIsapidays LIVE Helsinki & North 2022_Financial-Grade Security for APIs
apidays LIVE Helsinki & North 2022_Financial-Grade Security for APIs
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 

Mehr von iMasters

O que você precisa saber para modelar bancos de dados NoSQL - Dani Monteiro
O que você precisa saber para modelar bancos de dados NoSQL - Dani MonteiroO que você precisa saber para modelar bancos de dados NoSQL - Dani Monteiro
O que você precisa saber para modelar bancos de dados NoSQL - Dani MonteiroiMasters
 
Postgres: wanted, beloved or dreaded? - Fabio Telles
Postgres: wanted, beloved or dreaded? - Fabio TellesPostgres: wanted, beloved or dreaded? - Fabio Telles
Postgres: wanted, beloved or dreaded? - Fabio TellesiMasters
 
Por que minha query esta lenta? - Suellen Moraes
Por que minha query esta lenta? - Suellen MoraesPor que minha query esta lenta? - Suellen Moraes
Por que minha query esta lenta? - Suellen MoraesiMasters
 
Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...
Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...
Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...iMasters
 
ORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalves
ORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalvesORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalves
ORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalvesiMasters
 
SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...
SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...
SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...iMasters
 
Arquitetando seus dados na prática para a LGPD - Alessandra Martins
Arquitetando seus dados na prática para a LGPD - Alessandra MartinsArquitetando seus dados na prática para a LGPD - Alessandra Martins
Arquitetando seus dados na prática para a LGPD - Alessandra MartinsiMasters
 
O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...
O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...
O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...iMasters
 
Desenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana Chahoud
Desenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana ChahoudDesenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana Chahoud
Desenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana ChahoudiMasters
 
Use MDD e faça as máquinas trabalharem para você - Andreza Leite
Use MDD e faça as máquinas trabalharem para você - Andreza Leite Use MDD e faça as máquinas trabalharem para você - Andreza Leite
Use MDD e faça as máquinas trabalharem para você - Andreza LeiteiMasters
 
Entendendo os porquês do seu servidor - Talita Bernardes
Entendendo os porquês do seu servidor - Talita BernardesEntendendo os porquês do seu servidor - Talita Bernardes
Entendendo os porquês do seu servidor - Talita BernardesiMasters
 
Backend performático além do "coloca mais máquina lá" - Diana Arnos
Backend performático além do "coloca mais máquina lá" - Diana ArnosBackend performático além do "coloca mais máquina lá" - Diana Arnos
Backend performático além do "coloca mais máquina lá" - Diana ArnosiMasters
 
Dicas para uma maior performance em APIs REST - Renato Groffe
Dicas para uma maior performance em APIs REST - Renato GroffeDicas para uma maior performance em APIs REST - Renato Groffe
Dicas para uma maior performance em APIs REST - Renato GroffeiMasters
 
7 dicas de desempenho que equivalem por 21 - Danielle Monteiro
7 dicas de desempenho que equivalem por 21 - Danielle Monteiro7 dicas de desempenho que equivalem por 21 - Danielle Monteiro
7 dicas de desempenho que equivalem por 21 - Danielle MonteiroiMasters
 
Quem se importa com acessibilidade Web? - Mauricio Maujor
Quem se importa com acessibilidade Web? - Mauricio MaujorQuem se importa com acessibilidade Web? - Mauricio Maujor
Quem se importa com acessibilidade Web? - Mauricio MaujoriMasters
 
Service Mesh com Istio e Kubernetes - Wellington Figueira da Silva
Service Mesh com Istio e Kubernetes - Wellington Figueira da SilvaService Mesh com Istio e Kubernetes - Wellington Figueira da Silva
Service Mesh com Istio e Kubernetes - Wellington Figueira da SilvaiMasters
 
Erros: Como eles vivem, se alimentam e se reproduzem? - Augusto Pascutti
Erros: Como eles vivem, se alimentam e se reproduzem? - Augusto PascuttiErros: Como eles vivem, se alimentam e se reproduzem? - Augusto Pascutti
Erros: Como eles vivem, se alimentam e se reproduzem? - Augusto PascuttiiMasters
 
Elasticidade e engenharia de banco de dados para alta performance - Rubens G...
Elasticidade e engenharia de banco de dados para alta performance - Rubens G...Elasticidade e engenharia de banco de dados para alta performance - Rubens G...
Elasticidade e engenharia de banco de dados para alta performance - Rubens G...iMasters
 
Construindo aplicações mais confiantes - Carolina Karklis
Construindo aplicações mais confiantes - Carolina KarklisConstruindo aplicações mais confiantes - Carolina Karklis
Construindo aplicações mais confiantes - Carolina KarklisiMasters
 
Monitoramento de Aplicações - Felipe Regalgo
Monitoramento de Aplicações - Felipe RegalgoMonitoramento de Aplicações - Felipe Regalgo
Monitoramento de Aplicações - Felipe RegalgoiMasters
 

Mehr von iMasters (20)

O que você precisa saber para modelar bancos de dados NoSQL - Dani Monteiro
O que você precisa saber para modelar bancos de dados NoSQL - Dani MonteiroO que você precisa saber para modelar bancos de dados NoSQL - Dani Monteiro
O que você precisa saber para modelar bancos de dados NoSQL - Dani Monteiro
 
Postgres: wanted, beloved or dreaded? - Fabio Telles
Postgres: wanted, beloved or dreaded? - Fabio TellesPostgres: wanted, beloved or dreaded? - Fabio Telles
Postgres: wanted, beloved or dreaded? - Fabio Telles
 
Por que minha query esta lenta? - Suellen Moraes
Por que minha query esta lenta? - Suellen MoraesPor que minha query esta lenta? - Suellen Moraes
Por que minha query esta lenta? - Suellen Moraes
 
Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...
Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...
Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...
 
ORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalves
ORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalvesORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalves
ORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalves
 
SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...
SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...
SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...
 
Arquitetando seus dados na prática para a LGPD - Alessandra Martins
Arquitetando seus dados na prática para a LGPD - Alessandra MartinsArquitetando seus dados na prática para a LGPD - Alessandra Martins
Arquitetando seus dados na prática para a LGPD - Alessandra Martins
 
O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...
O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...
O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...
 
Desenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana Chahoud
Desenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana ChahoudDesenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana Chahoud
Desenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana Chahoud
 
Use MDD e faça as máquinas trabalharem para você - Andreza Leite
Use MDD e faça as máquinas trabalharem para você - Andreza Leite Use MDD e faça as máquinas trabalharem para você - Andreza Leite
Use MDD e faça as máquinas trabalharem para você - Andreza Leite
 
Entendendo os porquês do seu servidor - Talita Bernardes
Entendendo os porquês do seu servidor - Talita BernardesEntendendo os porquês do seu servidor - Talita Bernardes
Entendendo os porquês do seu servidor - Talita Bernardes
 
Backend performático além do "coloca mais máquina lá" - Diana Arnos
Backend performático além do "coloca mais máquina lá" - Diana ArnosBackend performático além do "coloca mais máquina lá" - Diana Arnos
Backend performático além do "coloca mais máquina lá" - Diana Arnos
 
Dicas para uma maior performance em APIs REST - Renato Groffe
Dicas para uma maior performance em APIs REST - Renato GroffeDicas para uma maior performance em APIs REST - Renato Groffe
Dicas para uma maior performance em APIs REST - Renato Groffe
 
7 dicas de desempenho que equivalem por 21 - Danielle Monteiro
7 dicas de desempenho que equivalem por 21 - Danielle Monteiro7 dicas de desempenho que equivalem por 21 - Danielle Monteiro
7 dicas de desempenho que equivalem por 21 - Danielle Monteiro
 
Quem se importa com acessibilidade Web? - Mauricio Maujor
Quem se importa com acessibilidade Web? - Mauricio MaujorQuem se importa com acessibilidade Web? - Mauricio Maujor
Quem se importa com acessibilidade Web? - Mauricio Maujor
 
Service Mesh com Istio e Kubernetes - Wellington Figueira da Silva
Service Mesh com Istio e Kubernetes - Wellington Figueira da SilvaService Mesh com Istio e Kubernetes - Wellington Figueira da Silva
Service Mesh com Istio e Kubernetes - Wellington Figueira da Silva
 
Erros: Como eles vivem, se alimentam e se reproduzem? - Augusto Pascutti
Erros: Como eles vivem, se alimentam e se reproduzem? - Augusto PascuttiErros: Como eles vivem, se alimentam e se reproduzem? - Augusto Pascutti
Erros: Como eles vivem, se alimentam e se reproduzem? - Augusto Pascutti
 
Elasticidade e engenharia de banco de dados para alta performance - Rubens G...
Elasticidade e engenharia de banco de dados para alta performance - Rubens G...Elasticidade e engenharia de banco de dados para alta performance - Rubens G...
Elasticidade e engenharia de banco de dados para alta performance - Rubens G...
 
Construindo aplicações mais confiantes - Carolina Karklis
Construindo aplicações mais confiantes - Carolina KarklisConstruindo aplicações mais confiantes - Carolina Karklis
Construindo aplicações mais confiantes - Carolina Karklis
 
Monitoramento de Aplicações - Felipe Regalgo
Monitoramento de Aplicações - Felipe RegalgoMonitoramento de Aplicações - Felipe Regalgo
Monitoramento de Aplicações - Felipe Regalgo
 

Kürzlich hochgeladen

INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.CarlotaBedoya1
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 

Kürzlich hochgeladen (20)

INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 

Aplicando controles de segurança em API’s, por Erick Tedeschi

  • 1. Applying Security Controls on REST APIs @ericktedeschi Apr 2015
  • 2. Disclaimer Information shared in this presentation does not represents any position or opinions of Walmart Global E-Commerce BR
  • 3. Agenda • Unauthorized x forbidden status code • Rate Limiting / Throttle Control • Protecting IDs • JWT – Authentication/Authorization • Internet Facing Example • Internal API Example
  • 4. Unauthorized x forbidden status code References: http://tools.ietf.org/html/rfc2616#section-10.4.2 Trying to reach a resource with invalid authorization or without authorization Bro, no matter Who you are, I will Not respond to you.
  • 5. Trying to reach a resource with invalid authorization or without authorization Bro, no matter Who you are, I will Not respond to you. References: http://tools.ietf.org/html/rfc2616#section-10.4.2 Unauthorized x forbidden status code
  • 6. Rate Limiting / Throttle Control
  • 7. Rate Limiting / Throttle Control Common Headers Used Time Window: 1 Hour X-RateLimit-Limit: 500 X-RateLimit-Remaining: 253 X-RateLimit-Reset: 1429962300 RFC6586 AdditionalHTTP StatusCode 429 Too Many Requests References: http://tools.ietf.org/html/rfc6585#section-4 http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers
  • 8. Rate Limiting / Throttle Control “this is a sample code snippet just to a better understanding. In production env, please improve it." Library used: https://github.com/fustundag/tokenbucket
  • 9. Rate Limiting / Throttle Control Recommendations  Choose an algorithm (e.g. Token Bucket, Leaky Bucket, your own…)  Parameterized (application/API properties.ini)  Avoid to use a storage that abuses I/O  Good  Hazelcast  Redis  Memcached  Bad  Relational SQL  FILE/Session (oh my God)  GET may have different limit when compared to POST, PUT, DELETE  Monitoring (SOC – Security Operations Center)  Top Requesters  Average of how many 429 were returned References: http://tools.ietf.org/html/rfc6585#section-4 http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers
  • 11. Protecting IDs “The intent of UUIDs is to enable distributed systems to uniquely identify information without significantcentral coordination” Source: http://en.wikipedia.org/wiki/Universally_unique_identifier • Avoid sequential / guessable identification /api/v1/user/234 • Use something like UUID instead /api/v1/user/123e4567-e89b-12d3-a456-426655440000 • Avoid to use sensitive information in query params /api/v1/customer/phone/551130304040
  • 12. JOSÉ JWT JSON Web Token JWA JSON Web Algorithms JWK JSON Web Key JWS JSON Web Signature JWE JSON Web Encryption integrity confidentiality JavaScript Object Signing and Encryption
  • 13. JWT Characteristics  Stateless  URL-Safe  Intended for space constrained environments  HTTP Headers (like Authorization)  URI Query Parameters  Avoid CSRF  Flexible  Interoperable
  • 14. JWT - Claims  Reserved  iss: issuer  sub: subject  aud: audience  exp: expiration time  nbf: not before time  iat: issued at time  jti: jwt id  Public  Registered at IANA  Private  Internal use  Document to clients
  • 15. JWS – Compact Serialization eyJ0eXAiOiJKV1QiLCJ hbGciOiJIUzI1NiJ9.e yJpc3MiOiJpc3N1ZXIu ZXhhbXBsZS5jb20iLCJ pYXQiOjE0Mjk2NTc0Nj UsImV4cCI6MTQyOTY1O DcwOCwiYXVkIjoid3d3 LmV4YW1wbGUuY29tIiw ic3ViIjoiZXJpY2tAZX hhbXBsZS5jb20iLCJHa XZlbk5hbWUiOiJFcmlj ayBUZWRlc2NoaSIsIlJ vbGVzIjpbInBvc3RzOn J3IiwiY29tbWVudHM6c iJdfQ.X4iwLqW2Bze2W lTxfn8v1EIqgfCRql6a VYSLpN22HSU JOSE Header Payload Signature
  • 16. JWS – Compact Serialization { "typ": "JWT", "alg": "HS256" } JOSE Header Payload Signature { "iss": "issuer.example.com", "iat": 1429657465, "exp": 1429658708, "aud": "www.example.com", "sub": "erick@example.com", "GivenName": "Erick Tedeschi", "Roles": [ "posts:rw", "comments:r" ] } HmacSha256( base64UrlEncode($header) . “.” . base64UrlEncode($payload), “secret”);
  • 20. Interwebs Cloud A Cloud B App Instance App Instance Key KeySame key Client US BR JWT Internet Facing Example UltraDNS myapp.com
  • 21. JWT Internal API Example Application A Private Key Application B Public Key PAYLOAD { "iss": "application A", "iat": 1429932376, "exp": 1429932676, // 5minutes "aud": "application B", "jti": "1234567890abcdef", "req": { "method": "POST" "path": "/api/v1/payment/pay" "data": hash(data) } } JWT Storage POST /api/v1/payment/pay Authorization: Bearer jwtH.jwtP.jwtS {'from':'xpto','to':'xyz','amount':66.66} Stores jwts until its expiration
  • 22. References • JOSE • JWT: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32 • JWA: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms • JWK: https://tools.ietf.org/html/draft-ietf-jose-json-web-key • JWS: https://tools.ietf.org/html/draft-ietf-jose-json-web-signature • JWE: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40 • PHP JWT Libraries • https://github.com/lcobucci/jwt(JWS with SharedSecret and RSA) • https://github.com/Spomky-Labs/jose (JW{T,A,K,SE} fully supported) • Do you want to create your own library? • Examples of protecting content using JWT: https://tools.ietf.org/html/draft-ietf-jose- cookbook-08 • Using JWTs as API Keys • https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/ • http://www.thread-safe.com/2014/05/wt-and-jose-have-won-special-european.html • https://securityblog.redhat.com/2015/04/01/jose-json-object-signing-and-encryption/
  • 23. GET /logout?token=f.i.n.i.s.h E-mail: erick@oerick.com Twitter: http://twitter.com/ericktedeschi LinkedIn: https://www.linkedin.com/in/ericktedeschi