Secure Your REST API (The Right Way)

Les Hazlewood @lhazlewoodApache Shiro PMC Chair

CTO, Stormpathstormpath.com

Secure your REST API

(the right way)

.com• User Management and

Authentication API• Security for your applications• User security workflows• Security best practices• Developer tools, SDKs, libraries

HTTP Authentication...

... is all about the headers

Learn more at Stormpath.com

http://www.stormpath.com/

1. RequestGET /accounts/x2b4jX3l31uiL HTTP/1.1Host: api.acme.com



2. Challenge ResponseHTTP/1.1 401 UnauthorizedWWW-Authenticate: Basic realm=“name”



3. Resubmit RequestGET /accounts/x2b4jX3l31uiL HTTP/1.1Host: api.acme.comAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==



Authorization Header Format

GET /accounts/x2b4jX3l31uiL HTTP/1.1Host: api.acme.comAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Scheme Name Scheme-specific Value

sp



4. Successful ResponseHTTP/1.1 200 OKContent-Type: application/json...

{ “email”: “[email protected]”, “givenName”: “Joe”, “surname”: Smith”, ...}



Example: Oauth 1.0aGET /accounts/1234 HTTP/1.1Host: api.acme.comAuthorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"



Example: Oauth 2GET /accounts/x2b4jX3l31uiL HTTP/1.1Host: api.acme.comAuthorization: Bearer mF_9.B5f-4.1JqM



Example: Oauth 2 MACGET /accounts/x2b4jX3l31uiL HTTP/1.1Host: api.acme.comAuthorization: MAC id="h480djs93hd8", nonce="264095:dj83hs9s”, mac="SLDJd4mg43cjQfElUs3Qub4L6xE="



Ok, now that’s out of the way

• Please avoid Basic Authc if you can.

• Favor HMAC-SHA256 digest algorithms over bearer token algorithms

• Use Oauth 1.0a or Oauth 2 (preferably MAC)

• Only use a custom scheme if you really, really know what you’re doing.



Status Codes



401 vs 403• 401 “Unauthorized” really means

Unauthenticated

“You need valid credentials for me to respond to this request”

• 403 “Forbidden” really means Unauthorized

“I understood your credentials, but so sorry, you’re not allowed!”



HTTP Authorization



HTTP Authorization• After authc, perform authz• Filter requests before invoking MVC

layer • Blanket security policies• Per-URI customization



HTTP Authorization: OAuth• OAuth is an authorization protocol,

NOT an authentication or SSO protocol.• “Can I see User X’s email address

please?” NOT:• “I want to authenticate User X w/ this

username and password”

• People still try to use OAuth for authentication (OpenId Connect)



HTTP Authorization: OAuth• When OAuth 2 is a good fit:• If your REST clients do NOT own the

data they are attempting to read

• When Oauth 2 isn’t as good of a fit:• If your REST client owns the data it is

reading• Could still be fine if you’re willing to

incur some additional overheadLearn more at Stormpath.com


HTTP Authorization: JWT• JWT = JSON Web Token

• Very new spec, but clean & simple

• JWTs can be digitally signed and/or encrypted, and are URL friendly.

• Can be used as Bearer Tokens and for SSO



Best Practices



API Keys



API Keys, Not Passwords• Entropy• Independence• Speed• Reduced Exposure• Traceability• Rotation



API Keys cont’d• Authenticate every request• Encrypt API Key secret values at rest.• Avoid Sessions (not RESTful)• Authc every request + no sessions =

no XSRF attacks



Identifiers



Identifiers/accounts/x2b4jX3l31uiL

Good

Not So Good/accounts/1234

Why?



Identifiers• Should be opaque• Secure Random or Random/Time

UUID• URL-friendly ‘Base62’ encoding• Avoid sequential numbers:• distribute ID generation load• mitigate fusking attacks



Query Injection



Query Injection

Vulnerable URL:foo.com/accounts?acctId=‘ or ‘1’=‘1

String query = “select * from accounts where acct_id = ‘” + request.getParameter(“acctId”) + “’”;

Solution• Use Parameterized Query API (Prepared

Statements).• If not available, escape special chars



Redirects and Forwards



Redirects and Forwards

• Avoid redirects and forwards if possible

• If used, validate the value and ensure authorized for the current user.

foo.com/redirect.jsp?url=evil.comfoo.com/whatever.jsp?fwd=admin.jsp



TLS



TLS• Use TLS for everything• Once electing to TLS:– Never revert– Never switch back and forth

• Cookies: set the ‘secure’ and ‘httpOnly’ flags for secure cookies

• Backend/infrastructure connections use TLS too



TLS Cont’d• Configure your SSL provider to only support

strong (FIPS 140-2 compliant) algorithms• Use Cipher Suites w/ Perfect Forward

Secrecy!–e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256

• Keep your TLS certificates valid• But beware, TLS isn’t foolproof– App-level encryption + TLS for most secure

results



Configuration



Configuration• CI: Security Testing• Security Patches• Regularly scan/audit• Same config in Dev, Prod, QA* – (Docker is great for this!)

• Externalize passwords/credentials

* Except credentials of course



Storage



Storage• Sensitive data encrypted at rest• Encrypt offsite backups• Strong algorithms/standards• Strong encryption keys and key mgt• Strong password hashing• External key storage• Encrypted file system (e.g. eCryptfs)



Thank You!• [email protected]• Twitter: @lhazlewood• https://stormpath.com



.com• Free for developers• Eliminate months of development• Automatic security best practices

Sign Up Now: Stormpath.com



Secure Your REST API (The Right Way)

Software

Transcript of Secure Your REST API (The Right Way)