Research Group Cooperation & Management, Institute of Telematics, Department of Informatics 
KIT – University of the State of Baden-Wuerttemberg and 
National Research Center of the Helmholtz Association 
www.kit.edu 
Attack Surface Reduction for Web Services 
based on Authorization Patterns 
Roland Steinegger, Johannes Schäfer, Max Vogler, Sebastian Abeck 
20.11.2014 – SECURWARE 2014, Lisbon, Portugal
About the authors 
Roland Steinegger Johannes Schäfer Max Vogler Sebastian Abeck 
2 Max Vogler 
Attack Surface Reduction for Web Services based on Authorization Patterns 
20.11.14
Outline 
Background 
Motivation 
Attack surface reduction 
1. Set up Access Control Matrix 
2. Derive Service Description 
3. Create Web Service 
Comparison 
Background 
Attack Surface Reduction for Web Services 
based on Authorization Patterns 
Attack Surface: 
Indicator for vulnerability towards external attacks [1] [2] 
Authorization Patterns 
Attribute-Based Access Control [3] 
Role-Based Access Control [4] 
Background
[figure-only slide]
Background
User profile operations (use-case diagram)
Actors: Guest, Authenticated User, Profile Owner, Admin
Operations: Register, View profile, Edit profile
Motivation
HTTP PUT request to www.example.com/users/42

    @RequestMapping(method = PUT, value = "users/{id}")
    @PreAuthorize("isOwnerOf(#id) || isAdmin()")
    public JSONObject update(@PathVariable("id") long id) {
        if (getCurrentUser().isAdmin()) {
            // Administrator is updating a user account: all fields allowed
        } else {
            // Update the user's own profile, limited to allowed fields
        }
    }
Motivation
Problems with authorization logic
Duplicated
Hard to test
Opaque for clients
→ Attack surface is increased
Idea: Split up authorization logic
Goals
Reduce attack surface
Use authorization patterns
Keep functionality
Methodology
1. Set up Access Control Matrix
2. Derive Service Description
3. Create Web Service
Set up Access Control Matrix
List resources and operations
Resource r: User profile, with operations C R U D (create, read, update, delete)
Set up Access Control Matrix
List attributes
Subject s, described by the attributes Guest(s), Authenticated(s), Owner(s, r), Admin(s)
Set up Access Control Matrix
Fill out access control matrix

    Subject s          Resource r: User profile
                       C   R   U   D
    Guest(s)           ●
    Authenticated(s)       ●
    Owner(s, r)            ●   ●
    Admin(s)               ●   ●
Derive Service Description
User service (one operation per filled cell of the access control matrix):
CreateIfGuest
ReadIfAuthenticated
ReadIfOwner
ReadIfAdmin
UpdateIfOwner
UpdateIfAdmin
Split up operations → Improved testability, reduced attack surface
Create Web Service

    User service         Method  URL          Query parameter
    CreateIfGuest        POST    /users       ?auth=Guest
    ReadIfAuthenticated  GET     /users       ?auth=Authenticated
    ReadIfOwner          GET     /users       ?auth=Owner
    ReadIfAdmin          GET     /users       ?auth=Admin
    UpdateIfOwner        PUT     /users/{id}  ?auth=Owner
    UpdateIfAdmin        PUT     /users/{id}  ?auth=Admin

Client chooses authorization level actively
→ Improved transparency, reduced attack surface
Create Web Service

    @Controller
    public class UserController {

        // HTTP PUT request to www.example.com/users/42?auth=Owner
        @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Owner")
        @PreAuthorize("isOwnerOf(#id)")
        public JSONObject updateIfOwner(@PathVariable("id") long id) { /* ... */ }

        // HTTP PUT request to www.example.com/users/42?auth=Admin
        @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Admin")
        @PreAuthorize("isAdmin()")
        public JSONObject updateIfAdmin(@PathVariable("id") long id) { /* ... */ }
    }
Comparison

    // Don't do it like this!
    @RequestMapping(method = PUT, value = "users/{id}")
    @PreAuthorize("isOwnerOf(#id) || isAdmin()")
    public JSONObject update(@PathVariable("id") long id) {
        // If the caller is an admin, allow editing all fields;
        // if the caller is the owner, allow editing a limited set of fields
    }

    // Split up authorization like this:
    @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Owner")
    @PreAuthorize("isOwnerOf(#id)")
    public JSONObject updateIfOwner(@PathVariable("id") long id) { /* ... */ }

    @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Admin")
    @PreAuthorize("isAdmin()")
    public JSONObject updateIfAdmin(@PathVariable("id") long id) { /* ... */ }
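The before/after of the comparison slide as a runnable added example, written in plain Python rather than Spring and not the authors' code: the merged handler with its disjunctive guard next to the two split handlers, plus a small router that mirrors the `params="auth=..."` mapping by making the auth query parameter part of the route key. The users, the profile store, the set of owner-editable fields and the router are constructed for the example; `is_owner_of` and `is_admin` stand in for the `isOwnerOf(#id)` and `isAdmin()` guards.

```python
"""Merged versus split authorization handlers (added example, not the slides'
code).  Users, profiles, the owner-editable field set and the router are
constructed here; the guards stand in for the SpEL expressions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


@dataclass
class Request:
    method: str
    path: str                 # e.g. "/users/42"
    user: User                # authenticated caller (security context in Spring)
    body: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query parameters


# Fields the profile owner may change; anything else (e.g. "role") is admin-only.
OWNER_EDITABLE = {"name", "email"}


def fresh_store():
    """Constructed profile store with one record, so every call starts equal."""
    return {42: {"name": "alice", "email": "alice@example.test", "role": "user"}}


def is_owner_of(user, target_id):
    return user.id == target_id


def is_admin(user):
    return user.is_admin


# --- Traditional: one route, one disjunctive guard, the branch decided inside.
def update_merged(req, target_id, store):
    if not (is_owner_of(req.user, target_id) or is_admin(req.user)):
        return 403, None
    if is_admin(req.user):
        store[target_id].update(req.body)                      # all fields
    else:
        store[target_id].update(
            {k: v for k, v in req.body.items() if k in OWNER_EDITABLE}
        )
    return 200, store[target_id]


# --- Split: one handler per filled matrix cell, exactly one guard each.
def update_if_owner(req, target_id, store):
    if not is_owner_of(req.user, target_id):
        return 403, None
    store[target_id].update(
        {k: v for k, v in req.body.items() if k in OWNER_EDITABLE}
    )
    return 200, store[target_id]


def update_if_admin(req, target_id, store):
    if not is_admin(req.user):
        return 403, None
    store[target_id].update(req.body)
    return 200, store[target_id]


# Route key = (HTTP method, URL template, value of the auth query parameter),
# the counterpart of @RequestMapping(..., params = "auth=...").
ROUTES = {
    ("PUT", "/users/{id}", "Owner"): update_if_owner,
    ("PUT", "/users/{id}", "Admin"): update_if_admin,
}


def dispatch_split(req, store):
    """Route on the authorization level the client declares; the selected
    handler then verifies that claim.  A request that matches no route is
    rejected (404 here) without reaching any handler."""
    prefix, _, id_part = req.path.rpartition("/")
    if prefix != "/users" or not id_part.isdigit():
        return 404, None
    handler = ROUTES.get((req.method, "/users/{id}", req.params.get("auth")))
    if handler is None:
        return 404, None
    return handler(req, int(id_part), store)


if __name__ == "__main__":
    owner = User(42)
    req = Request("PUT", "/users/42", owner, {"name": "bob", "role": "admin"},
                  {"auth": "Owner"})
    print(dispatch_split(req, fresh_store()))      # (200, role stays "user")
    req.params["auth"] = "Admin"
    print(dispatch_split(req, fresh_store()))      # (403, None)
```

Both variants give the owner the same functionality, but in the split version each guard is a one-line unit test, and a caller whose declared level does not hold (an owner sending ?auth=Admin) is refused outright instead of being silently served by the other branch, which is the transparency the slides describe.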
Comparison

    Traditional                     New
    public JSONObject update()      public JSONObject updateIfOwner()
                                    public JSONObject updateIfAdmin()
    Opaque authorization logic      Transparent authorization logic
    Duplicate authorization logic   Partitioned authorization logic

+ Improved testability
+ Reduced attack surface
– Difficulties with a large number of similar roles
Thank you 
Max Vogler 
max.vogler@student.kit.edu 
Sources
R. Steinegger, J. Schäfer, M. Vogler, and S. Abeck, "Attack Surface Reduction for Web Services based on Authorization Patterns," in Proceedings of SECURWARE 2014, The Eighth International Conference on Emerging Security Information, Systems and Technologies, November 2014, pp. 194-201, ISBN 978-1-61208-376-6.
[1] T. Heumann, J. Keller, and S. Türpe, "Quantifying the Attack Surface of a Web Application," in Proceedings of Sicherheit 2010, vol. 170, 2010, pp. 305-316, ISBN 978-3-88579-264-2.
[2] M. Howard, "Attack Surface – Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users," MSDN Magazine, November 2004. [Online]. Available: http://msdn.microsoft.com/en-us/magazine/cc163882.aspx [retrieved: 23.09.2014].
[3] E. Yuan and J. Tong, "Attribute Based Access Control (ABAC) for Web Services," in Proceedings of the International Conference on Web Services (ICWS), Jul. 2005, pp. 561-569, doi:10.1109/ICWS.2005.25.
[4] R. Steinegger, "Authentication and authorization patterns in existing security frameworks [Authentifizierungs- und Autorisierungsmuster in bestehenden Sicherheits-Frameworks]," diploma thesis, Karlsruhe Institute of Technology, Karlsruhe, Germany, 2012. In German.
