API Security Architect

source: https://apiacademy.co/category/api-tutorials/api-security/

1. Introduction to API security

1.1 API Audience

Private, Public, Partner

1.2 API Security Domain

End users, administrators and developers each reach the API through different interconnection endpoints

Every endpoint is an entry point, so each API you expose increases the attack surface

1.3 Common Web Attacks

  • Cross-Site Scripting (XSS)
  • Denial of Service (DoS)
  • Man in the Middle (MitM)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • Buffer Overflow
    Reference organization: OWASP (Open Web Application Security Project), which also publishes the API Security Top 10

1.4 Mitigating API Threats

  • Rate Limiting (per-client quotas on requests and retries)
  • Message Validation (schema-validate request and response payloads)
  • Encryption and Signing (TLS for transport, message-level signatures where the payload must be verifiable); TLS only helps if the trust chain is sound:
    • TLS Trust Attacks
      • Certificate Authority Vulnerabilities
      • Human Vulnerabilities
      • Man in the Middle
  • Access Control
    • HTTP Access Control
      • Basic Authentication (the credentials are only base64-encoded, so it is safe only over TLS)
      • Digest Authentication (challenge-response hash, so the password itself is not sent on the wire)
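Rate limiting is the first mitigation in the list and the one most often implemented loosely. The following is an added example, not course material: a per-client token-bucket limiter in Python, the shape most API gateways use. Each client key gets a bucket of `capacity` tokens refilled at `refill_per_sec`, a request spends one token, and a rejected request is told how long to wait so the gateway can emit a Retry-After header. The client keys and the request trace are constructed for the demo.

```python
import time


class TokenBucketLimiter:
    """Per-client token-bucket rate limiter (added example, not from the course).

    Each client key owns a bucket holding at most `capacity` tokens that refills at
    `refill_per_sec`. A request consumes one token; when the bucket is empty the
    request is rejected and the caller learns how long to wait (Retry-After).
    """

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self._buckets = {}  # client key -> [tokens, timestamp of last refill]

    def _refill(self, key: str, now: float) -> list:
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = [float(self.capacity), now]  # a new client starts with a full bucket
            self._buckets[key] = bucket
        elapsed = max(0.0, now - bucket[1])      # monotonic clock, but guard against reordering
        bucket[0] = min(float(self.capacity), bucket[0] + elapsed * self.refill_per_sec)
        bucket[1] = now
        return bucket

    def check(self, key: str, now: float = None) -> tuple:
        """Returns (allowed, retry_after_seconds); retry_after is 0.0 when allowed."""
        now = self.clock() if now is None else now
        bucket = self._refill(key, now)
        if bucket[0] >= 1.0:
            bucket[0] -= 1.0
            return True, 0.0
        return False, (1.0 - bucket[0]) / self.refill_per_sec


def simulate(requests):
    """Replay a constructed trace of (timestamp, client_key) pairs through one limiter.

    Returns the HTTP status an API gateway would answer for each request: 200 or 429.
    """
    limiter = TokenBucketLimiter(capacity=5, refill_per_sec=1.0)
    statuses = []
    for ts, key in requests:
        allowed, _retry_after = limiter.check(key, now=ts)
        statuses.append(200 if allowed else 429)
    return statuses


# Constructed trace: "abuser" bursts 7 requests at t=0, then two more at t=1.0 when
# exactly one token has refilled; "normal" sends one request and has its own bucket.
TRACE = [(0.0, "abuser")] * 7 + [(0.0, "normal"), (1.0, "abuser"), (1.0, "abuser")]

if __name__ == "__main__":
    print(simulate(TRACE))
```

The per-client key should be whatever the gateway authenticates (API key, client_id, token subject), not the source IP alone, since many clients share NAT addresses and an attacker can spread across many.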

1.5 Best Practices for API Security

  • Security - Authentication and Authorization
  • Protection - cover the OWASP API vulnerabilities
  • Throttling - quota on requests and retries
  • Continuous API Monitoring
  • Request/Response Payload Validation
  • Error Handling (fail closed, and do not leak stack traces or internal identifiers in error responses)

2. Introduction to OAuth 2.0

2.1 Introduction

OAuth 2.0 is an industry-standard authorization protocol that lets a user grant an application access to protected resources without exposing the user's password to that application

An OAuth access token is issued by the authorization server and accepted as proof of the user's authorization at the API endpoint.

OAuth exists to solve access control between multiple parties: the user (resource owner), the application (client), the authorization server and the resource server.

2.2 OAuth 2.0 Authorization Flow - Authorization Code

User <-> Application <-> API

2.2.1 Registration

2.2.2 Authorization and Resource Servers

2.2.3 Authorization Flow

User requests login to the Application
Application redirects the User to the Authorization Server with an authorization request (client_id, registered redirect_uri, requested scope, state)
Authorization Server authenticates the User and asks for consent to the requested scope
User grants the authorization
Authorization Server redirects the User back to the Application's registered redirect_uri with an authorization code

Application exchanges the authorization code, together with its own client credentials, at the Authorization Server's token endpoint for a scoped access token
Application presents the scoped access token to the Resource Server to access the resources
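The steps above run end to end, as an added example that is not course code: a toy Python authorization server (with the resource server folded into the same object) and a client in one file, including the checks that make the authorization code grant safe in practice: the redirect_uri must match one registered for the client, the state parameter ties the callback to a request the application actually started, a PKCE S256 challenge (an extension not covered in the course text) binds the code to the client that began the flow, codes are single use, the client authenticates at the token endpoint, and the resource server enforces the scope the token was issued with. The client id, secret, redirect URI, user and scope are constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthorizationServer:
    """Toy authorization server and resource server in one object (hypothetical, for the demo)."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uris"} captured at registration (2.2.1)
        self.codes = {}    # code -> record binding client, redirect_uri, scope, user and PKCE challenge
        self.tokens = {}   # access token -> {"sub", "scope"}

    def register(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = {"secret": client_secret, "redirect_uris": list(redirect_uris)}

    def authorize(self, params, user_sub, user_consents):
        """Authorization endpoint: validate the request, record consent, redirect back with a code."""
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("invalid_request: unknown client or unregistered redirect_uri")
        if params.get("response_type") != "code" or params.get("code_challenge_method") != "S256":
            raise ValueError("unsupported_response_type")
        if not user_consents:
            return params["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "scope": params["scope"], "sub": user_sub,
                            "code_challenge": params["code_challenge"], "used": False}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Token endpoint: authenticate the client, check the code binding and PKCE, issue a scoped token."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        rec = self.codes.get(form.get("code"))
        if (rec is None or rec["used"] or form.get("grant_type") != "authorization_code"
                or rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form.get("redirect_uri")):
            raise ValueError("invalid_grant")
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, rec["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verifier does not match the challenge")
        rec["used"] = True  # codes are single use; a replayed code fails the check above
        access_token = b64url(secrets.token_bytes(32))
        self.tokens[access_token] = {"sub": rec["sub"], "scope": rec["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": rec["scope"]}

    def resource(self, authorization_header, required_scope):
        """Resource server: accept a bearer token and enforce the scope it was issued with."""
        scheme, _, tok = authorization_header.partition(" ")
        info = self.tokens.get(tok) if scheme == "Bearer" else None
        if info is None or required_scope not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return {"sub": info["sub"]}


class Client:
    """The Application: builds the authorization request, checks state, redeems the code."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending = {}  # state -> PKCE code_verifier, held on the application's server side

    def authorization_request(self, scope):
        verifier = b64url(secrets.token_bytes(32))
        state = b64url(secrets.token_bytes(16))
        self.pending[state] = verifier
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state, "code_challenge_method": "S256",
                "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}

    def handle_callback(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:
            raise ValueError("state mismatch: callback is not tied to a request this app started")
        if "error" in q:
            raise ValueError(q["error"])
        return {"grant_type": "authorization_code", "code": q["code"], "redirect_uri": self.redirect_uri,
                "client_id": self.client_id, "client_secret": self.client_secret, "code_verifier": verifier}


def run_flow(user_consents=True):
    """Drive the exchange end to end; returns (resource response, server, token request) for inspection."""
    server = AuthorizationServer()
    server.register("app-123", "s3cret-from-registration", ["https://app.example/cb"])  # constructed values
    app = Client("app-123", "s3cret-from-registration", "https://app.example/cb")
    request = app.authorization_request("profile:read")            # user asked to log in; app builds request
    callback = server.authorize(request, user_sub="alice", user_consents=user_consents)  # consent, then code
    token_request = app.handle_callback(callback)                  # app checks state, prepares the exchange
    token = server.token(token_request)                            # code -> scoped access token
    return server.resource("Bearer " + token["access_token"], "profile:read"), server, token_request
```

In a real deployment the redirect in `authorize` is an HTTP 302 to the user's browser and the `token` call is a back-channel POST from the application's server; the browser never sees the client secret or the code_verifier, which is what keeps a leaked authorization code useless on its own.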

2.3 The Evolution of OAuth

OAuth 2.0 (RFC 6749) superseded OAuth 1.0a and remains the best practice; later work such as the OAuth 2.0 Security Best Current Practice refines it rather than replacing it

2.4 OAuth 2.0 defines 4 grant types

2.4.1 Authorization Code (the recommended grant for web, mobile and native applications)
2.4.2 Implicit (tokens returned directly in the redirect URL fragment; now discouraged by the OAuth 2.0 Security Best Current Practice)
2.4.3 Resource Owner Password Credentials (the application handles the user's password itself; now discouraged)
2.4.4 Client Credentials (machine-to-machine access with no user involved)

3. OpenID Connect Overview

3.1 Intro

Designed as an authentication and identity protocol
Built on top of the OAuth 2.0 framework
Not to be confused with OpenID 2.0, the older, unrelated protocol it replaced

3.2 OpenID Connect Identity

OpenID Connect applies OAuth to an identity resource
An identity is a set of attributes (a bag of values)
One person can have multiple identities

OpenID Connect provides authorized access to that identity

3.2.1 ID Token

Acts like a signed fingerprint of the authentication event: a JWT signed by the identity provider (and optionally encrypted)
Can be decoded to reveal user information, but the application must verify the signature, issuer, audience and expiry before trusting any of it

3.2.2 Standard Claims

Email, address, phone, profile

3.3 OpenID Connect: Authorization Code Flow

Application sends the authorization request (with scope=openid) and later redeems the authorization code at the Authorization Server
Authorization Server returns an Access Token and an ID Token to the Application
Application validates the ID Token itself to learn who authenticated, and presents only the Access Token to the Resource Server (for example the UserInfo endpoint) to fetch further user attributes

3.4 ID Token versus Access Token

3.4.1 ID Token

New token type defined by OpenID Connect on top of OAuth
JWT containing claims about the authentication of the end user (issuer, subject, audience, authentication time, expiry)
Consumed by the application; indicates the status of the authentication

3.4.2 Access Token

Original OAuth token
Provides access to the identity resource
Can be used by the client to retrieve additional user information from the UserInfo endpoint

4. JSON Web Tokens

4.1 Introduction

  • JWT - a token format for securely transmitting claims between parties
  • JSON Object Signing and Encryption (JOSE) - the family of specifications covering the token (JWT), signature (JWS), encryption (JWE), algorithms (JWA) and keys (JWK)
  • Anatomy: Header, Payload, Signature (three base64url segments separated by dots)

4.2 Characteristics

  • Claim-based: carries claims used for authentication and authorization
  • Portability: can be embedded in a newly constructed message or stored on the client
  • Message-level encryption (JWE)
  • Message-level signature (JWS)
  • Media type (application/jwt)
  • Limited size: compact enough for HTTP headers and query strings
  • Reduces confusion: one standard format instead of ad hoc tokens
JWT is stateless: the server needs no session store to validate it
Can be used as an ID Token
Can be used as an Access Token
Can be used as a Refresh Token

Scenario: the ID Token may carry a 24-hour expiry while the Access Token expires after 30 minutes; the Refresh Token is what lets the application obtain a fresh Access Token without sending the user back through the login flow.

4.3 JWT Advantages in a Nutshell

  • Signed, and optionally encrypted
  • Stateless
  • Self-contained
  • Compact
  • Easily passed around
  • Protocol versatility
  • Language-agnostic
  • Common data format
  • Ideal for REST/HTTP APIs

4.4 JWT Challenges

  • Token Revocation: a stateless token stays valid until it expires unless the server keeps a deny-list
  • Data stored in the JWT is readable by the client (signed is not encrypted)
  • Known library bug, since fixed: verifiers that trusted the alg value in the token's own header, so a token declaring alg=none (or switching an RSA-signed token to HMAC with the public key as the secret) was accepted as valid
Response: never decide validity from the JWT header alone; pin the expected algorithm, verify the signature and then the claims (issuer, audience, expiry), use adequate key sizes and short timeouts
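The verifier the response above describes, and the ID Token validation called for in 3.4, in one added example that is not course code. It uses only the Python standard library: `sign_hs256` issues an HMAC-SHA256 JWT, `verify_trusting_header` reproduces the vulnerable pattern that lets the token's header pick the algorithm, and `verify` is the hardened form that pins HS256, checks the signature before reading any claim, then checks iss, aud, exp and nbf. The key, issuer, audience, clock value and claims are constructed for the demo; `forge_alg_none` is the attacker's constructed input.

```python
import base64
import hashlib
import hmac
import json
import time

MIN_HS256_KEY_BYTES = 32  # HS256 keys must be at least 256 bits (RFC 7518 section 3.2)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS (header.payload.signature) with HMAC-SHA256, usable as an ID or access token."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key too short")
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """Attacker side: an unsigned token whose header announces alg=none (constructed for the demo)."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """VULNERABLE pattern: the verifier lets the token's own header choose the algorithm."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":  # 'unsecured JWS' honoured: no signature required at all
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("signature check failed")


def verify(token: str, key: bytes, issuer: str, audience: str, now: float = None) -> dict:
    """Hardened verifier: pinned algorithm, signature first, then the exp/nbf/iss/aud claims."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key too short")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p))  # only now is the payload trustworthy
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")  # short lifetimes bound the revocation gap
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


# Constructed demo inputs: a 32-byte throwaway secret and a fixed clock value
KEY = b"0123456789abcdef0123456789abcdef"
ISSUER, AUDIENCE, NOW = "https://idp.example", "api-123", 1_700_000_000


def demo() -> dict:
    good = sign_hs256({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": NOW + 1800, "nbf": NOW}, KEY)
    forged = forge_alg_none({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": NOW + 1800})
    results = {"good": verify(good, KEY, ISSUER, AUDIENCE, now=NOW)["sub"],
               "forged_trusting_header": verify_trusting_header(forged, KEY)["sub"]}  # accepted!
    try:
        verify(forged, KEY, ISSUER, AUDIENCE, now=NOW)
        results["forged_hardened"] = "accepted"
    except ValueError as err:
        results["forged_hardened"] = str(err)
    return results
```

The same structure applies to an asymmetric ID Token (RS256/ES256): pin the algorithm the identity provider advertises, look the key up by kid from a trusted JWKS, and never derive the verification method from the token. For an ID Token, aud must be your own client_id and iss the provider's issuer URL.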

5. Addressing OAuth 2.0 Threats

5.1 Client Threat Models

  • Obtaining client secrets
  • Obtaining refresh tokens
  • Obtaining access tokens
  • Phishing using a compromised or embedded browser
  • Open redirection on the client

Application Access Control

  • Move the credentials to a server (a public client such as a browser or mobile app cannot keep a secret)
  • Implement monitoring and detection
  • Establish credentials during client installation

5.2 OAuth 2.0 Endpoint Threats

  • Phishing by counterfeit authorization server
  • Interception of traffic to resource server
  • User unintentionally grants too much access scope
  • Malicious client obtains existing authorization by fraud
  • Open redirection
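Open redirection appears in both lists above: on the client (5.1) and at the authorization server (5.2). The following is an added example, not course code, showing the two checks that close it. On the authorization server, `redirect_uri_allowed` compares the requested redirect_uri exactly against the registered list and rejects fragments and userinfo, next to the prefix-match shortcut that lets an attacker-controlled host through; on the client, `safe_local_redirect` constrains a post-login "next" parameter to a same-site path, which is the hole that lets a phishing page bounce an authorization response off a legitimate client. The registered URIs, hosts and parameter values are constructed for the demo.

```python
from urllib.parse import urlsplit


def redirect_uri_allowed_prefix(registered: str, requested: str) -> bool:
    """VULNERABLE: prefix matching. Kept only to show the failure; do not use."""
    return requested.startswith(registered)


def redirect_uri_allowed(registered_uris, requested: str) -> bool:
    """Authorization-server side: exact string comparison against the registered list.

    Fragments and userinfo are rejected outright; no prefix, wildcard or path
    normalization, so neither a look-alike host nor a ../ traversal can match.
    """
    if not requested:
        return False
    parts = urlsplit(requested)
    if parts.fragment or parts.username or parts.password:
        return False
    return requested in registered_uris


def safe_local_redirect(next_param: str, default: str = "/") -> str:
    """Client side: a post-login 'next' parameter may only name a path on this site."""
    if not next_param:
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:  # absolute URL, javascript:, or scheme-relative //host
        return default
    if not next_param.startswith("/") or next_param.startswith(("//", "/\\")):
        return default                # browsers read /\host the same way as //host
    return next_param


# Constructed inputs for a quick look at both checks
REGISTERED = ["https://app.example/cb"]
REQUESTED = [
    "https://app.example/cb",                    # the registered URI
    "https://app.example.attacker.com/cb",       # look-alike host
    "https://app.example/cb/../open?to=evil",    # path traversal to another endpoint
    "https://app.example/cb#access_token=",      # fragment smuggling
]

if __name__ == "__main__":
    for uri in REQUESTED:
        print(redirect_uri_allowed_prefix("https://app.example", uri), redirect_uri_allowed(REGISTERED, uri), uri)
    for nxt in ("/account", "//attacker.example/x", "https://attacker.example", "javascript:alert(1)"):
        print(repr(nxt), "->", safe_local_redirect(nxt))
```

The only legitimate relaxation of exact matching is the loopback case for native apps, where the port may vary; everything else should be an exact registered string.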

5.3 OAuth 2.0 Token Threats

  • Eavesdropping access tokens
  • Obtaining access tokens from authorization server database
  • Disclosure of client credentials during transmission
  • Obtaining client secret from authorization server database
  • Obtaining client secret by online guessing

Agile LeaderShip Reference: IPMA Reference Guide ICB4 in an Agile World https://www.ipma.world/news/ipma-reference-guide-icb4-agile-world/ 1. Perspective 1.1 Strategy Description: Change Blurred vision Agile strategy Emergent Create and adapt Giving meaning to work Key Competence Indicators Align agile teams with the organisational mission and vision Identify and exploit opportunities to influence organisational strategy Develop and ensure the ongoing validity of the business/organisational justification Determine, assess, and review critical success factors Determine, assess, and review key performance indicators Examples of Measures Reflects the mission and vision of the organisation Identifies new opportunities and threats which could alter the strategy Uses the CSFs for managing stakeholders Uses information systems for strategic performance 1.2 Governance, structures, and processes Description: Challenges Lean organisation Customer value Agile working Different structures Key Comp