segurança em apis rest - · pdf fileheitor vital áreas de atuação...
TRANSCRIPT
Segurança em APIs REST
Heitor Vital
● Áreas de Atuação o Cloud Computing o Segurança Informação o Jogos o Dispositivos Móveis o …
● Acadêmico o MBA FGV o Mestrado UFPE o Graduação UFPE
twitter.com/heitorvital
slideshare.net/HeitorVital
labs.siteblindado.com
Kadu
More info: 2014 Global Report on the Cost of Cyber Crime
Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy
2014 Global Report on the Cost of Cyber Crime
257 Empresas
2.081 Entrevistas
1.717 Incidentes
$7.6M Média prejuízo
10.4% Crescimento Incidentes
Fonte: http://cloudtweaks.com/2013/10/cloud-infographic-2013-cyber-security-intelligence-index/
Attack Vector by Organizational Size
TOPs
1. Web-based attacks 2. Denial of services 3. Malicious insiders
Site vs Plataforma
Let’s [try to] attack ...
Search Surface Detection● Metadata/Doc
o Swagger o RAML o API-Blueprint o I/O Docs
● Discovery ● Brute Force
o Invalid dataExemplo: http://petstore.swagger.io/#!/pet/updatePet(type, size, length, null, HTTP header, XML bomb, upload file...)
Protocolo - HTTP
Protocolo - HTTPS
https://example.com/controller/<id>/action?apiKey=a53f435643de32
Resolve ??
Authentication/Authorization
API Keys
Abstract OAuth 2.0 flow
Assessments
InjectionNormal http://petstore.com/api/v1/pet/123 “SELECT * FROM pets WHERE petID='” + petId +”‘”; “SELECT * FROM pets WHERE petID = ‘123’”
Injection http://petstore.com/api/v1/pet/’%20or%20’1’=’1 “SELECT * FROM pets WHERE petID='” + petId +”‘”; SELECT * FROM pets WHERE petID = ‘’ or ‘1’ = ‘1’
XSS (cross site scripting)
Solução Header response com
● Content-type: application/json ● x-content-type-options: nosniff
Referencias: http://www.w2spconf.com/2013/papers/s3p1.pdf http://stackoverflow.com/questions/3146324/is-it-possible-to-xss-exploit-json-responses-with-proper-javascript-string-escap http://security.stackexchange.com/questions/42093/xss-prevention-for-restful-services
CSRF (cross site request forgery)
Referências: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html e http://hasselba.ch/blog/?p=1854
Solução OAuth state
DoS/DDoS
WAF ● Package Analysis ● IP Blacklist ● Region Blacklist
API Gateway ● Call quotas
o Calendar Period o Rolling Window
● Invalid Inputs o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages
Plataforma Separation of Concerns
● Authentication / Authorization
● Logging ● Analytics ● Audit ● Rate Limit ● Payload ● Address Restrictions ● Invalid Inputs
o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages
Heitor Vital
OBRIGADO !!!
twitter.com/heitorvital
slideshare.net/HeitorVital
labs.siteblindado.com
Kadu