qcon sp 2015 - segurança em apis rest

Segurança em APIs REST

Heitor Vital

● Áreas de Atuação o Cloud Computing o Segurança Informação o Jogos o Dispositivos Móveis o …

● Acadêmico o MBA FGV o Mestrado UFPE o Graduação UFPE

twitter.com/heitorvital

slideshare.net/HeitorVital

labs.siteblindado.com

Kadu

[email protected]

More info: 2014 Global Report on the Cost of Cyber Crime

Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy

2014 Global Report on the Cost of Cyber Crime

257 Empresas

2.081 Entrevistas

1.717 Incidentes

$7.6M Média prejuízo

10.4% Crescimento Incidentes

http://www8.hp.com/h20195/v2/GetDocument.aspx?docname=4AA5-5207ENW

Fonte: http://cloudtweaks.com/2013/10/cloud-infographic-2013-cyber-security-intelligence-index/

http://cloudtweaks.com/2013/10/cloud-infographic-2013-cyber-security-intelligence-index/

Attack Vector by Organizational Size

TOPs

1. Web-based attacks 2. Denial of services 3. Malicious insiders

Site vs Plataforma

Let’s [try to] attack ...

Search Surface Detection● Metadata/Doc

o Swagger o RAML o API-Blueprint o I/O Docs

● Discovery ● Brute Force

o Invalid dataExemplo: http://petstore.swagger.io/#!/pet/updatePet(type, size, length, null, HTTP header, XML bomb, upload file...)

http://petstore.swagger.io/#!/pet/updatePet

Protocolo - HTTP

Protocolo - HTTPS

https://example.com/controller/<id>/action?apiKey=a53f435643de32

Resolve ??

https://example.com/controller/123/action?apiKey=a53f435643de32




Authentication/Authorization

API Keys

Abstract OAuth 2.0 flow

Assessments

InjectionNormal http://petstore.com/api/v1/pet/123 “SELECT * FROM pets WHERE petID='” + petId +”‘”; “SELECT * FROM pets WHERE petID = ‘123’”

Injection http://petstore.com/api/v1/pet/’%20or%20’1’=’1 “SELECT * FROM pets WHERE petID='” + petId +”‘”; SELECT * FROM pets WHERE petID = ‘’ or ‘1’ = ‘1’

http://petstore.com/api/v1/pet/123

XSS (cross site scripting)

Solução Header response com

● Content-type: application/json ● x-content-type-options: nosniff

Referencias: http://www.w2spconf.com/2013/papers/s3p1.pdf http://stackoverflow.com/questions/3146324/is-it-possible-to-xss-exploit-json-responses-with-proper-javascript-string-escap http://security.stackexchange.com/questions/42093/xss-prevention-for-restful-services

http://www.w2spconf.com/2013/papers/s3p1.pdf

http://stackoverflow.com/questions/3146324/is-it-possible-to-xss-exploit-json-responses-with-proper-javascript-string-escap

http://security.stackexchange.com/questions/42093/xss-prevention-for-restful-services

CSRF (cross site request forgery)

Referências: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html e http://hasselba.ch/blog/?p=1854

Solução OAuth state

http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html

http://hasselba.ch/blog/?p=1854

http://tools.ietf.org/html/rfc6749#section-10.12

DoS/DDoS

WAF ● Package Analysis ● IP Blacklist ● Region Blacklist

API Gateway ● Call quotas

o Calendar Period o Rolling Window

● Invalid Inputs o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages

Plataforma Separation of Concerns

● Authentication / Authorization

● Logging ● Analytics ● Audit ● Rate Limit ● Payload ● Address Restrictions ● Invalid Inputs

o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages

Heitor Vital

OBRIGADO !!!

twitter.com/heitorvital

slideshare.net/HeitorVital

labs.siteblindado.com

Kadu

[email protected]

qcon sp 2015 - segurança em apis rest

Technology