API Security Architect

source: https://apiacademy.co/category/api-tutorials/api-security/

1. Introduction to API security

1.1 API Audience

Private, Public, Partner

1.2 API Security Domain

End users, administrators, developers: several interconnected endpoints

APIs increase the attack surface 

1.3 Common Web Attacks

  • Cross-Site Scripting
  • Denial of Service
  • Man in the Middle
  • Cross-Site Request Forgery
  • SQL Injection
  • Overflow

Security organization: OWASP (Open Web Application Security Project)

1.4 Mitigating API Threats

  • Rate Limiting
  • Message Validation
  • Encryption and Signing
    • TLS Trust Attacks
      • Certificate Authority Vulnerabilities
      • Human Vulnerabilities
      • Man in the Middle
  • Access Control
    • HTTP Access Control
      • Basic Authentication
      • Digest Authentication

1.5 Best Practices for API Security

  • Security - Authentication and Authorization
  • Protection - OWASP API vulnerabilities
  • Throttling - quota on requests and retries
  • Continuous API Monitoring
  • Request/Response Payload Validation
  • Error Handling

2. Introduction to OAuth 2.0

2.1 Introduction

OAuth 2.0 is an industry standard authorization protocol that permits a user to grant an application access to protected resources without exposing the user's password credentials

An OAuth token is issued and accepted for user authorization at the API endpoint.

OAuth addresses the problem of access control when multiple parties are involved.

2.2 OAuth 2.0 Authorization Flow - Authorization Code

User <-> Application <-> API

2.2.1 Registration

2.2.2 Authorization and Resource Servers

2.2.3 Authorization Flow

User requests login to Application
Application sends Authorization Request to the API
API requests User consent confirmation
User permits authorization to API
API grants authorization code to Application

Application uses authorization code to retrieve the scoped access token from the Authorization server
Application uses the scoped access token to access the resources from the Resource server
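The seven steps above as an added example in Python (not code from the page or from API Academy): an in-memory authorization server and resource server, with the client id, secret, redirect URI, user and resource all constructed. It also shows the checks the outline implies: the authorization code is single-use, short-lived and bound to the registered redirect URI, and the application must authenticate with its secret before the code is exchanged for a scoped access token.

```python
import secrets
import time

# Constructed client registration (assumption): one app, one registered redirect URI.
CLIENTS = {"app-123": {"secret": "s3cret-app-123", "redirect_uri": "https://app.example/cb"}}
REDIRECT = "https://app.example/cb"

class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, scope, issued_at)
        self.tokens = {}  # access_token -> (client_id, scope)
    def authorize(self, client_id, redirect_uri, scope, user_consented):
        # Authorization request: registered client + redirect URI, and explicit user consent.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not user_consented:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, scope, time.time())
        return code
    def token(self, code, client_id, client_secret, redirect_uri):
        # Token request: pop() makes the code single-use; it must be fresh (60 s) and bound
        # to the same client and redirect URI, and the client must prove its secret.
        entry = self.codes.pop(code, None)
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if entry is None or entry[:2] != (client_id, redirect_uri) or time.time() - entry[3] > 60:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, entry[2])
        return {"access_token": access_token, "token_type": "Bearer", "scope": entry[2]}

def resource_server(auth, bearer_token):
    # Resource server: the presented token must be known and carry the "profile" scope.
    grant = auth.tokens.get(bearer_token)
    if grant is None or "profile" not in grant[1].split():
        raise PermissionError("insufficient_scope")
    return {"sub": "alice", "name": "Alice"}  # constructed protected resource

def run_flow():
    # End-to-end: consent -> code -> token -> resource, then a replay of the same code.
    auth = AuthorizationServer()
    code = auth.authorize("app-123", REDIRECT, "profile", user_consented=True)
    token = auth.token(code, "app-123", "s3cret-app-123", REDIRECT)
    profile = resource_server(auth, token["access_token"])
    try:
        auth.token(code, "app-123", "s3cret-app-123", REDIRECT)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"profile": profile, "scope": token["scope"], "replay_rejected": replay_rejected}
```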

2.3 The Evolution of OAuth

OAuth2 remains the best practice

2.4 OAuth 2.0 supports 4 grant types

2.4.1 Authorization Code
2.4.2 Implicit
2.4.3 Resource Owner Password Credentials
2.4.4 Client Credentials

3. OpenID Connect Overview

3.1 Intro

Designed to be an authentication and identity protocol
Built using OAuth 2 framework
Not to be confused with OpenID 2.0

3.2 OpenID Connect Identity

OpenID Connect applies OAuth to an identity resource
Identity is a set of attributes (a bag of values)
One person can have multiple identities

OpenID Connect provides authorized access to identity

3.2.1 ID Token

Acts like an encrypted fingerprint
Can be decoded to reveal user information for identity verification

3.2.2 Standard Claims

Email, address, phone, profile

3.3 OpenID Connect: Authentication Code Flow

Application sends authorization code to the Authorization Server
Authorization Server returns an Access Token and an ID Token to the Application
Application exchanges the Access Token and ID Token for resources with the Resource Server

3.4 ID Token versus Access Token

3.4.1 ID Token

New OAuth token defined in OpenID Connect
JWT containing claims about authentication status of end user
Indicates status of authentication

3.4.2 Access Token

Original OAuth token
Provides access to identity resource
Can be used by the client to retrieve additional user information

4. JSON Web Tokens

4.1 Introduction

  • JWT - A token format for securely transmitting information between parties
  • Javascript Object Signing and Encryption (JOSE) - Token, Signature, Encryption, Algorithms, Key
  • Anatomy: Header, Payload, Signature

4.2 Characteristics

  • Claim-based: authentication, authorization
  • Portability: can be used in a newly constructed message, or stored on the client
  • Message-level encryption
  • Message-level signature
  • Media type
  • Limited size
  • Reduce confusion
  • JWT is stateless
  • Can be used as ID Token
  • Can be used as Access Token
  • Can be used as Refresh Token

Scenario: the ID Token can have a 24-hour expiry and the Access Token a 30-minute expiry, hence the need for a refresh.

4.3 JWT Advantages in a Nutshell

  • Signed & Encrypted
  • Stateless
  • Self-contained
  • Compact
  • Easily passed around
  • Protocol versatility
  • Language-agnostic
  • Common data format
  • Ideal for REST/HTTP APIs

4.4 JWT Challenges

  • Token Revocation
  • Data stored in the JWT is readable by the client
  • Known bug - fixed
Response: don't base verification on the JWT header alone; validate the claims, enforce an adequate key size, and use a short timeout
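The ID token / access token expiry scenario from section 4.2 and the verification advice above, as an added example in Python (not code from the page or from API Academy): a minimal HS256 JWT signer and a verifier that pins the algorithm instead of trusting the header, refuses a short key, checks the signature with a constant-time compare, and only then validates issuer, audience and expiry from the claims. Issuer, audience, key and user claims are constructed.

```python
import base64, hashlib, hmac, json

ISSUER, AUDIENCE = "https://as.example", "app-123"   # constructed issuer and client id
KEY = b"constructed-demo-key-0123456789abcdef"       # constructed; 37 bytes >= 256-bit minimum

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    # HS256: a key shorter than the 256-bit HMAC output weakens the signature; refuse it.
    if len(key) < 32:
        raise ValueError("HS256 key must be at least 32 bytes")
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"

def verify_jwt(token: str, key: bytes, now: float) -> dict:
    # The verifier pins the algorithm; the token header is never allowed to choose it.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Signature checked; now the claims decide: right issuer and audience, not yet expired.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims

def is_valid(token: str, key: bytes, now: float) -> bool:
    try:
        verify_jwt(token, key, now)
        return True
    except ValueError:
        return False

def issue_tokens(now: float) -> dict:
    # The scenario from 4.2: a 24 h ID token and a 30 min access token for the same user.
    common = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "iat": now}
    return {"id_token": sign_jwt({**common, "email": "alice@example.com", "exp": now + 86400}, KEY),
            "access_token": sign_jwt({**common, "scope": "profile", "exp": now + 1800}, KEY)}
```

One hour after issue the ID token still verifies while the access token is rejected as expired, which is the point at which the client needs the refresh token.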

5. Addressing OAuth 2.0 Threats

5.1 Client Threat Models

  • Obtaining client secrets
  • Obtaining refresh tokens
  • Obtaining access tokens
  • Phishing using compromised or embedded browser
  • Open redirection on client

Application Access Control

  • Move the credentials to a server
  • Implement monitoring and detection
  • Establish credentials during client installation

5.2 OAuth 2.0 Endpoint Threats

  • Phishing by counterfeit authorization server
  • Interception of traffic to resource server
  • User unintentionally grants too much access scope
  • Malicious client obtains existing authorization by fraud
  • Open redirection

5.3 OAuth 2.0 Token Threats

  • Eavesdropping access tokens
  • Obtaining access tokens from authorization server database
  • Disclosure of client credentials during transmission
  • Obtaining client secret from authorization server database
  • Obtaining client secret by online guessing
