Les Hazlewood @lhazlewood
Apache Shiro PMC Chair
CTO, Stormpath
stormpath.com
Secure your REST API
(the right way)
.com
• User Management and Authentication
API
• Security for your applications
• User security workflows
• Security best p...
HTTP Authentication...
... is all about the headers
Learn more at Stormpath.com
1. Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Learn more at Stormpath.com
2. Challenge Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm=“name”
Learn more at Stormpath.com
3. Resubmit Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZ...
Authorization Header Format
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuI...
4. Successful Response
HTTP/1.1 200 OK
Content-Type: application/json
...
{
“email”: “jsmith@gmail.com”,
“givenName”: “Joe...
Example: Oauth 1.0a
GET /accounts/1234 HTTP/1.1
Host: api.acme.com
Authorization: OAuth realm="Photos",
oauth_consumer_key...
Example: Oauth 2
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Bearer mF_9.B5f-4.1JqM
Learn more ...
Example: Oauth 2 MAC
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: MAC id="h480djs93hd8",
nonce="...
Ok, now that’s out of the way
• Please avoid Basic Authc if you can.
• Favor HMAC-SHA256 digest algorithms over
bearer tok...
Status Codes
Learn more at Stormpath.com
401 vs 403
• 401 “Unauthorized” really means
Unauthenticated
“You need valid credentials for me to respond to
this request...
HTTP Authorization
Learn more at Stormpath.com
HTTP Authorization
• After authc, perform authz
• Filter requests before invoking MVC layer
• Blanket security policies
• ...
HTTP Authorization: OAuth
• OAuth is an authorization protocol, NOT
an authentication or SSO protocol.
• “Can I see User X...
HTTP Authorization: OAuth
• When OAuth 2 is a good fit:
• If your REST clients do NOT own the data
they are attempting to ...
HTTP Authorization: JWT
• JWT = JSON Web Token
• Very new spec, but clean & simple
• JWTs can be digitally signed and/or
e...
Best Practices
Learn more at Stormpath.com
API Keys
Learn more at Stormpath.com
API Keys, Not Passwords
• Entropy
• Independence
• Speed
• Reduced Exposure
• Traceability
• Rotation
Learn more at Stormp...
API Keys cont’d
• Authenticate every request
• Encrypt API Key secret values at rest.
• Avoid Sessions (not RESTful)
• Aut...
Identifiers
Learn more at Stormpath.com
Identifiers
/accounts/x2b4jX3l31uiL
Good
Not So Good
/accounts/1234
Why?
Learn more at Stormpath.com
Identifiers
• Should be opaque
• Secure Random or Random/Time UUID
• URL-friendly ‘Base62’ encoding
• Avoid sequential num...
Query Injection
Learn more at Stormpath.com
Query Injection
Vulnerable URL:
foo.com/accounts?acctId=‘ or ‘1’=‘1
String query =
“select * from accounts where acct_id =...
Redirects and Forwards
Learn more at Stormpath.com
Redirects and Forwards
• Avoid redirects and forwards if possible
• If used, validate the value and ensure
authorized for ...
TLS
Learn more at Stormpath.com
TLS
• Use TLS for everything
• Once electing to TLS:
– Never revert
– Never switch back and forth
• Cookies: set the ‘secu...
TLS Cont’d
• Configure your SSL provider to only support
strong (FIPS 140-2 compliant) algorithms
• Use Cipher Suites w/ P...
Configuration
Learn more at Stormpath.com
Configuration
• CI: Security Testing
• Security Patches
• Regularly scan/audit
• Same config in Dev, Prod, QA*
– (Docker i...
Storage
Learn more at Stormpath.com
Storage
• Sensitive data encrypted at rest
• Encrypt offsite backups
• Strong algorithms/standards
• Strong encryption key...
Thank You!
• les@stormpath.com
• Twitter: @lhazlewood
• https://stormpath.com
Learn more at Stormpath.com
.com
• Free for developers
• Eliminate months of development
• Automatic security best practices
Sign Up Now: Stormpath.co...
Nächste SlideShare
Wird geladen in …5
×

Secure Your REST API (The Right Way)

189.049 Aufrufe

Veröffentlicht am

We already showed you how to build a Beautiful REST+JSON API(http://www.slideshare.net/stormpath/rest-jsonapis), but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here’s our playbook on how to secure a REST API.

Veröffentlicht in: Software

Secure Your REST API (The Right Way)

  1. 1. Les Hazlewood @lhazlewood Apache Shiro PMC Chair CTO, Stormpath stormpath.com Secure your REST API (the right way)
  2. 2. .com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
  3. 3. HTTP Authentication...
  4. 4. ... is all about the headers Learn more at Stormpath.com
  5. 5. 1. Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Learn more at Stormpath.com
  6. 6. 2. Challenge Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“name” Learn more at Stormpath.com
  7. 7. 3. Resubmit Request GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Learn more at Stormpath.com
  8. 8. Authorization Header Format GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Scheme Name Scheme-specific Value sp Learn more at Stormpath.com
  9. 9. 4. Successful Response HTTP/1.1 200 OK Content-Type: application/json ... { “email”: “jsmith@gmail.com”, “givenName”: “Joe”, “surname”: Smith”, ... } Learn more at Stormpath.com
  10. 10. Example: Oauth 1.0a GET /accounts/1234 HTTP/1.1 Host: api.acme.com Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" Learn more at Stormpath.com
  11. 11. Example: Oauth 2 GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: Bearer mF_9.B5f-4.1JqM Learn more at Stormpath.com
  12. 12. Example: Oauth 2 MAC GET /accounts/x2b4jX3l31uiL HTTP/1.1 Host: api.acme.com Authorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE=" Learn more at Stormpath.com
  13. 13. Ok, now that’s out of the way • Please avoid Basic Authc if you can. • Favor HMAC-SHA256 digest algorithms over bearer token algorithms • Use Oauth 1.0a or Oauth 2 (preferably MAC) • Only use a custom scheme if you really, really know what you’re doing. Learn more at Stormpath.com
  14. 14. Status Codes Learn more at Stormpath.com
  15. 15. 401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com
  16. 16. HTTP Authorization Learn more at Stormpath.com
  17. 17. HTTP Authorization • After authc, perform authz • Filter requests before invoking MVC layer • Blanket security policies • Per-URI customization Learn more at Stormpath.com
  18. 18. HTTP Authorization: OAuth • OAuth is an authorization protocol, NOT an authentication or SSO protocol. • “Can I see User X’s email address please?” NOT: • “I want to authenticate User X w/ this username and password” • People still try to use OAuth for authentication (OpenId Connect) Learn more at Stormpath.com
  19. 19. HTTP Authorization: OAuth • When OAuth 2 is a good fit: • If your REST clients do NOT own the data they are attempting to read • When Oauth 2 isn’t as good of a fit: • If your REST client owns the data it is reading • Could still be fine if you’re willing to incur some additional overhead Learn more at Stormpath.com
  20. 20. HTTP Authorization: JWT • JWT = JSON Web Token • Very new spec, but clean & simple • JWTs can be digitally signed and/or encrypted, and are URL friendly. • Can be used as Bearer Tokens and for SSO Learn more at Stormpath.com
  21. 21. Best Practices Learn more at Stormpath.com
  22. 22. API Keys Learn more at Stormpath.com
  23. 23. API Keys, Not Passwords • Entropy • Independence • Speed • Reduced Exposure • Traceability • Rotation Learn more at Stormpath.com
  24. 24. API Keys cont’d • Authenticate every request • Encrypt API Key secret values at rest. • Avoid Sessions (not RESTful) • Authc every request + no sessions = no XSRF attacks Learn more at Stormpath.com
  25. 25. Identifiers Learn more at Stormpath.com
  26. 26. Identifiers /accounts/x2b4jX3l31uiL Good Not So Good /accounts/1234 Why? Learn more at Stormpath.com
  27. 27. Identifiers • Should be opaque • Secure Random or Random/Time UUID • URL-friendly ‘Base62’ encoding • Avoid sequential numbers: • distribute ID generation load • mitigate fusking attacks Learn more at Stormpath.com
  28. 28. Query Injection Learn more at Stormpath.com
  29. 29. Query Injection Vulnerable URL: foo.com/accounts?acctId=‘ or ‘1’=‘1 String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”; Solution • Use Parameterized Query API (Prepared Statements). • If not available, escape special chars Learn more at Stormpath.com
  30. 30. Redirects and Forwards Learn more at Stormpath.com
  31. 31. Redirects and Forwards • Avoid redirects and forwards if possible • If used, validate the value and ensure authorized for the current user. foo.com/redirect.jsp?url=evil.com foo.com/whatever.jsp?fwd=admin.jsp Learn more at Stormpath.com
  32. 32. TLS Learn more at Stormpath.com
  33. 33. TLS • Use TLS for everything • Once electing to TLS: – Never revert – Never switch back and forth • Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies • Backend/infrastructure connections use TLS too Learn more at Stormpath.com
  34. 34. TLS Cont’d • Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms • Use Cipher Suites w/ Perfect Forward Secrecy! –e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256 • Keep your TLS certificates valid • But beware, TLS isn’t foolproof – App-level encryption + TLS for most secure results Learn more at Stormpath.com
  35. 35. Configuration Learn more at Stormpath.com
  36. 36. Configuration • CI: Security Testing • Security Patches • Regularly scan/audit • Same config in Dev, Prod, QA* – (Docker is great for this!) • Externalize passwords/credentials * Except credentials of course Learn more at Stormpath.com
  37. 37. Storage Learn more at Stormpath.com
  38. 38. Storage • Sensitive data encrypted at rest • Encrypt offsite backups • Strong algorithms/standards • Strong encryption keys and key mgt • Strong password hashing • External key storage • Encrypted file system (e.g. eCryptfs) Learn more at Stormpath.com
  39. 39. Thank You! • les@stormpath.com • Twitter: @lhazlewood • https://stormpath.com Learn more at Stormpath.com
  40. 40. .com • Free for developers • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath.com Learn more at Stormpath.com

×