Upload: erick-belluci-tedeschi

Posted on 16-Jul-2015

Applying Security Controls on REST APIs

@ericktedeschi

Apr 2015

Disclaimer

Information shared in this presentation does not represent any position or opinions of Walmart Global E-Commerce BR

Agenda

• Unauthorized vs. Forbidden status code

• Rate Limiting / Throttle Control

• Protecting IDs

• JWT – Authentication/Authorization

• Internet Facing Example

• Internal API Example

Unauthorized vs. Forbidden status code

References:

http://tools.ietf.org/html/rfc2616#section-10.4.2

Unauthorized (401): trying to reach a resource with invalid authorization or without authorization.

Forbidden (403): "Bro, no matter who you are, I will not respond to you."

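The distinction the slide draws is easy to get wrong in a handler, so here is an added example (Python, not code from the talk) of one request path that returns 401 when the caller cannot be identified and 403 when the caller is known but not allowed. The API_KEYS table and the ROUTES map are constructed for the example; the scope strings follow the "posts:rw" / "comments:r" convention the talk later uses in its JWT payload.

```python
# Added example: choosing between 401 Unauthorized and 403 Forbidden.
# API_KEYS and ROUTES are constructed for this example only.
API_KEYS = {
    "key-alice": {"user": "alice", "scopes": ["posts:rw", "comments:r"]},
    "key-bob": {"user": "bob", "scopes": ["comments:r"]},
}

# (method, path) -> (resource, action) the caller must be allowed to perform
ROUTES = {
    ("GET", "/api/v1/posts"): ("posts", "r"),
    ("POST", "/api/v1/posts"): ("posts", "w"),
    ("GET", "/api/v1/comments"): ("comments", "r"),
    ("POST", "/api/v1/comments"): ("comments", "w"),
}


def allowed(scopes, resource, action):
    """True if any scope such as 'posts:rw' grants `action` on `resource`."""
    for scope in scopes:
        res, _, actions = scope.partition(":")
        if res == resource and action in actions:
            return True
    return False


def handle(method, path, headers):
    """Return (status, response headers, body) for one request."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or credential not in API_KEYS:
        # 401: the server does not know who is calling (missing or invalid credentials).
        # RFC 2616 section 10.4.2 requires a WWW-Authenticate challenge with this status.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, ""
    principal = API_KEYS[credential]
    if (method, path) not in ROUTES:
        return 404, {}, ""
    resource, action = ROUTES[(method, path)]
    if not allowed(principal["scopes"], resource, action):
        # 403: the identity is known and the answer is still no;
        # presenting credentials again will not change it, so no challenge is sent.
        return 403, {}, ""
    return 200, {}, "ok " + principal["user"]
```

The two branches are deliberately separate: a 401 tells the client "authenticate and try again", a 403 tells it "do not bother", which is also why a 403 carries no WWW-Authenticate header.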

Rate Limiting / Throttle Control


Common Headers Used

Time Window: 1 Hour

X-RateLimit-Limit: 500
X-RateLimit-Remaining: 253
X-RateLimit-Reset: 1429962300

RFC 6585 Additional HTTP Status Codes

429 Too Many Requests

References:

http://tools.ietf.org/html/rfc6585#section-4
http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers

Rate Limiting / Throttle Control

"this is a sample code snippet just for a better understanding. In production env, please improve it."

Library used: https://github.com/fustundag/tokenbucket

Rate Limiting / Throttle Control

Recommendations

• Choose an algorithm (e.g. Token Bucket, Leaky Bucket, your own…)

• Parameterize it (application/API properties.ini)

• Avoid storage that abuses I/O

  Good: Hazelcast, Redis, Memcached

  Bad: Relational SQL, FILE/Session (oh my God)

• GET may have a different limit compared to POST, PUT, DELETE

• Monitoring (SOC – Security Operations Center): top requesters, average of how many 429 were returned
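The code slide from the talk did not survive the transcript, so the following is an added example (Python rather than the talk's PHP, and not the tokenbucket library the talk used) that ties the two rate-limiting slides together: a token bucket per client, a separate budget for reads and for writes as the recommendations suggest, the three X-RateLimit-* headers from the headers slide, a 429 with Retry-After when the bucket is empty, and a counter of 429s for the SOC. The window and limits are constructed; the meaning given to X-RateLimit-Reset (the second at which the budget is fully restored) is an assumption, since APIs differ on it.

```python
import math

# Constructed policy for this example: a 1-hour window and a stricter budget for writes.
WINDOW_SECONDS = 3600
LIMITS = {"read": 500, "write": 100}  # requests per window; 500 matches the slide's X-RateLimit-Limit


def bucket_class(method):
    """Reads and writes draw from different buckets, as the talk recommends."""
    return "read" if method in ("GET", "HEAD", "OPTIONS") else "write"


class TokenBucket:
    """`capacity` tokens, refilled continuously over `refill_seconds`; one request costs one token."""

    def __init__(self, capacity, refill_seconds, now):
        self.capacity = capacity
        self.refill_seconds = refill_seconds
        self.tokens = float(capacity)
        self.updated = now

    def _refill(self, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.capacity / self.refill_seconds)
        self.updated = now

    def take(self, now):
        self._refill(now)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def seconds_until(self, wanted, now):
        """Seconds until the bucket holds `wanted` tokens (0 if it already does)."""
        self._refill(now)
        missing = max(0.0, wanted - self.tokens)
        return missing * self.refill_seconds / self.capacity


class RateLimiter:
    def __init__(self):
        # (client, class) -> bucket. In production keep this in Redis/Memcached/Hazelcast,
        # not in a relational database, a file or the session (the talk's "bad" list).
        self._buckets = {}
        self.too_many = 0  # number of 429s returned, the figure a SOC dashboard would graph

    def check(self, client, method, now):
        """Return (status, headers): 200 plus X-RateLimit-* headers, or 429 Too Many Requests."""
        cls = bucket_class(method)
        bucket = self._buckets.get((client, cls))
        if bucket is None:
            bucket = self._buckets[(client, cls)] = TokenBucket(LIMITS[cls], WINDOW_SECONDS, now)
        ok = bucket.take(now)
        headers = {
            "X-RateLimit-Limit": str(bucket.capacity),
            "X-RateLimit-Remaining": str(int(bucket.tokens)),
            # Assumption: Reset is the epoch second at which the full budget is available again.
            "X-RateLimit-Reset": str(int(now + bucket.seconds_until(bucket.capacity, now))),
        }
        if ok:
            return 200, headers
        self.too_many += 1
        # RFC 6585 section 4 allows Retry-After on a 429: seconds until one more token exists.
        headers["Retry-After"] = str(math.ceil(bucket.seconds_until(1, now)))
        return 429, headers
```

Because the limiter is keyed by (client, bucket class), a client that has exhausted its read budget can still perform writes and vice versa, and one client cannot consume another's tokens; both facts are checked in the usage below the block.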


Protecting IDs

Source: http://www.securityinform.com/2014/06/12/gmail-token-vulnerability-could-have-exposed-every-email-addresses-hosted-on-google/

https://mail.google.com/mail/mdd-f825a3f2b2-fulano.ciclano%40gmail.com-ccD8J0x6P6JNSLS36vR6Z_sHAb3

Protecting IDs

“The intent of UUIDs is to enable distributed systems to uniquely identify information without significant central coordination”

Source: http://en.wikipedia.org/wiki/Universally_unique_identifier

• Avoid sequential / guessable identification

/api/v1/user/234

• Use something like UUID instead

/api/v1/user/123e4567-e89b-12d3-a456-426655440000

• Avoid using sensitive information in query params

/api/v1/customer/phone/551130304040
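The three bullets above become concrete in this added example (Python; not code from the talk). It keeps the sequential database id internal and exposes a randomly generated UUID as the public identifier, rejects malformed identifiers before any lookup, and moves the phone-number search out of the path and into a request body so the value does not appear in the access-log line. The in-memory directory, the sample user and the access-log format are constructed for the example.

```python
import json
import uuid


class UserDirectory:
    """Constructed in-memory store: sequential ids stay internal, clients only see a UUID."""

    def __init__(self):
        self._by_public = {}
        self._next_internal = 1

    def create(self, name, phone):
        # uuid4 is the random variant (122 random bits), so one user's id says nothing
        # about the next one's; uuid1 embeds time and node id and would be predictable.
        public_id = str(uuid.uuid4())
        self._by_public[public_id] = {"id": self._next_internal, "name": name, "phone": phone}
        self._next_internal += 1
        return public_id

    def get(self, candidate):
        """GET /api/v1/user/<candidate>: returns (status, user)."""
        try:
            key = str(uuid.UUID(candidate))  # canonical form; '234' fails here, before any lookup
        except ValueError:
            return 404, None
        user = self._by_public.get(key)
        return (200, user) if user else (404, None)

    def find_by_phone(self, phone):
        return next((u for u in self._by_public.values() if u["phone"] == phone), None)


def access_log_line(method, path, status):
    """What web servers, proxies and CDNs typically record for every request: the path, verbatim."""
    return f"{method} {path} {status}"


def search_by_phone(directory, body):
    """POST /api/v1/customer/search with the phone in the JSON body instead of the path,
    so the sensitive value is not part of what the access log records."""
    phone = json.loads(body).get("phone", "")
    user = directory.find_by_phone(phone)
    status = 200 if user else 404
    return status, access_log_line("POST", "/api/v1/customer/search", status)
```

Note that the slide's sample `123e4567-e89b-12d3-a456-426655440000` is well-formed and is accepted by `uuid.UUID`, so it reaches the lookup and gets a 404 there; the format check only filters out input that could never be one of our identifiers.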

JOSÉ

JOSE: JavaScript Object Signing and Encryption

• JWT: JSON Web Token

• JWA: JSON Web Algorithms

• JWK: JSON Web Key

• JWS: JSON Web Signature (integrity)

• JWE: JSON Web Encryption (confidentiality)

JWT Characteristics

• Stateless

• URL-Safe

• Intended for space constrained environments: HTTP headers (like Authorization), URI query parameters

• Avoid CSRF

• Flexible

• Interoperable

JWT - Claims

• Reserved: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before time), iat (issued at time), jti (JWT id)

• Public: registered at IANA

• Private: internal use; document them to clients

JWS – Compact Serialization

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIuZXhhbXBsZS5jb20iLCJpYXQiOjE0Mjk2NTc0NjUsImV4cCI6MTQyOTY1ODcwOCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoiZXJpY2tAZXhhbXBsZS5jb20iLCJHaXZlbk5hbWUiOiJFcmljayBUZWRlc2NoaSIsIlJvbGVzIjpbInBvc3RzOnJ3IiwiY29tbWVudHM6ciJdfQ.X4iwLqW2Bze2WlTxfn8v1EIqgfCRql6aVYSLpN22HSU

JOSE Header . Payload . Signature

JOSE Header:

{
  "typ": "JWT",
  "alg": "HS256"
}

Payload:

{
  "iss": "issuer.example.com",
  "iat": 1429657465,
  "exp": 1429658708,
  "aud": "www.example.com",
  "sub": "erick@example.com",
  "GivenName": "Erick Tedeschi",
  "Roles": [
    "posts:rw",
    "comments:r"
  ]
}

Signature:

HmacSha256(
  base64UrlEncode($header) . "." .
  base64UrlEncode($payload),
  "secret");

Session Based Flow

JWT Internet Facing Example

(diagram) Client → Interwebs → UltraDNS (myapp.com) → Cloud A (US) / Cloud B (BR); each cloud runs an AppInstance holding the same key

JWT Internal API Example

(diagram) Application A (holds the Private Key) → Application B (holds the Public Key)

PAYLOAD

{
  "iss": "application A",
  "iat": 1429932376,
  "exp": 1429932676, // 5 minutes
  "aud": "application B",
  "jti": "1234567890abcdef",
  "req": {
    "method": "POST",
    "path": "/api/v1/payment/pay",
    "data": hash(data)
  }
}

POST /api/v1/payment/pay
Authorization: Bearer jwtH.jwtP.jwtS

{'from':'xpto','to':'xyz','amount':66.66}

JWT Storage: stores JWTs until their expiration
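The compact-serialization slide and the internal-API slide describe the same mechanism at two levels (how a JWS is signed and checked, and what a service-to-service token should contain), so this added example (Python, not the talk's code or either PHP library it cites) covers both: HS256 signing exactly as the slide's HmacSha256 pseudocode shows, a verifier that pins the algorithm, checks the signature in constant time and validates iss, aud and the time window, then Application B's side of the internal example with the request-binding `req` claim and a JWT storage that remembers each jti until its exp. The talk's internal example uses Application A's private key and B's public key (an asymmetric signature); HS256 with a constructed shared secret is substituted here so the block runs on the standard library alone, and the claim and replay logic is unchanged by that swap. SECRET, the 5-minute lifetime and the sample request are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed shared secret. The talk's internal-API slide uses an RSA key pair instead;
# HS256 is used here only so the example runs with the standard library.
SECRET = b"constructed-example-secret"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """header.payload.signature, i.e. HmacSha256(base64UrlEncode(header) . "." . base64UrlEncode(payload), key)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token):
    """Payload without verification: fine for display or logging, never for an access decision."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token, key, issuer, audience, now):
    """Return the claims if signature, iss, aud and the time window check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier decides the algorithm, not the token
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("outside validity window")
    return claims


class JwtStorage:
    """The slide's JWT Storage: remembers each jti until its exp so a captured token cannot be replayed."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def first_use(self, jti, exp, now):
        self._seen = {j: e for j, e in self._seen.items() if e > now}  # a Redis TTL would do this for free
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def body_hash(body):
    return hashlib.sha256(body.encode()).hexdigest()


def make_request_token(method, path, body, key, now, jti=None):
    """Application A: bind the token to one specific request, valid for 5 minutes as on the slide."""
    claims = {"iss": "application A", "iat": now, "exp": now + 300, "aud": "application B",
              "jti": jti or secrets.token_hex(8),
              "req": {"method": method, "path": path, "data": body_hash(body)}}
    return sign_jwt(claims, key)


def authorize_request(method, path, body, auth_header, key, storage, now):
    """Application B: 401 if the token is absent or invalid, 403 if valid but not for this request or already used."""
    if not auth_header.startswith("Bearer "):
        return 401
    try:
        claims = verify_jwt(auth_header[len("Bearer "):], key, "application A", "application B", now)
    except ValueError:
        return 401
    req = claims.get("req", {})
    if (req.get("method"), req.get("path"), req.get("data")) != (method, path, body_hash(body)):
        return 403  # good token, wrong request: the body or route was changed after signing
    jti = claims.get("jti")
    if not jti or not storage.first_use(jti, claims["exp"], now):
        return 403  # replay of a token that was already spent
    return 200
```

`peek_claims` applied to the token on the compact-serialization slide yields the header and payload shown there (the signature is not checked against any key here, since the slide's key is not given). For the internal example, the order of checks matters: signature and registered claims first, the binding to method, path and body hash next, and only then the jti store, so that a tampered or expired request never touches the storage.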

References

• JOSE

  • JWT: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32

  • JWA: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms

  • JWK: https://tools.ietf.org/html/draft-ietf-jose-json-web-key

  • JWS: https://tools.ietf.org/html/draft-ietf-jose-json-web-signature

  • JWE: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40

• PHP JWT Libraries

  • https://github.com/lcobucci/jwt (JWS with SharedSecret and RSA)

  • https://github.com/Spomky-Labs/jose (JW{T,A,K,S,E} fully supported)

• Do you want to create your own library?

  • Examples of protecting content using JWT: https://tools.ietf.org/html/draft-ietf-jose-cookbook-08

• Using JWTs as API Keys

  • https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/

  • http://www.thread-safe.com/2014/05/wt-and-jose-have-won-special-european.html

  • https://securityblog.redhat.com/2015/04/01/jose-json-object-signing-and-encryption/

GET /logout?token=f.i.n.i.s.h

E-mail: [email protected]

Twitter: http://twitter.com/ericktedeschi

LinkedIn: https://www.linkedin.com/in/ericktedeschi