APIs and security

Post on 05-Aug-2015


Enlighten your software

API first? Security first: what you need to know to build secure APIs

Fernando Perales

<me>

Fernando Perales

Software Engineer @ Crowd Interactive

FLOSS Advocate

/(.*) metal and 🍺 lover/

Passionate about web development and lean startup

FerPeralesM

FerPerales

</me>

Why an API?

http://www.apiacademy.co/sites/default/files/Web-APIs-v5_0.png

API first

When not to API first

Extracted from a monolith

Going mobile

Public API

Decisions

Technology

SOAP vs REST

XML vs JSON

Let's go for...

REST + JSON

REST

Roy Fielding

“REST's client–server separation of concerns simplifies component implementation, reduces the complexity of connector semantics, improves the effectiveness of performance tuning, and increases the scalability of pure server components.”

Architectural constraints

Client-server

https://en.wikipedia.org/wiki/Client%E2%80%93server_model#/media/File:Client-server-model.svg

Stateless

Cacheable

Layered system

Code on demand

(optional)

Uniform interface

REST is an architectural style, not a standard

Considerations for APIs

(and pretty much, every system)

Correctness

Performance

Reliability

Robustness

Scalability

Security

Security

Security

Why should I care?

Common misconceptions

I'm not a big company

Nobody will care about my data

My API is not public

I didn't know

Ignorantia juris non excusat

owasp.org

Let's start

Know what you are fighting

http://fc04.deviantart.net/fs71/i/2013/107/9/5/it_s_dangerous_to_go_alone_by_michaelmayne-d621qgq.png

OWASP WASC Web Hacking Incidents Database Project

Denial of Service

An attempt to make a machine or network resource unavailable to its intended users.

https://en.wikipedia.org/wiki/Denial-of-service_attack

Can be from malicious users

Or legit users trying to take advantage

How to deal with it?

Throttle / limit requests

Rack::Attack (kickstarter/rack-attack)

Return HTTP code 429 (Too Many Requests), ideally with a Retry-After header

How to test?

Apache Benchmark (ab)

httpd.apache.org/docs/2.2/programs/ab.html

ab -c 5 -n 100 http://127.0.0.1:3000/login

(-c 5: five concurrent clients, -n 100: one hundred requests in total; once the limit is hit, the non-2xx count reported by ab should match the requests that got a 429)
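The throttle the slides recommend, written out as an added example. This is not the deck's code and not Rack::Attack's implementation; it is a minimal Rack-style middleware (any object with call(env) returning [status, headers, body]) that counts requests per client IP in a fixed time window and answers the excess with 429 and a Retry-After header. It needs only the Ruby standard library; LOGIN_APP, the IP addresses and the injectable clock are constructed for the example.

```ruby
# Added example (not the deck's or rack-attack's code): a minimal Rack-style
# middleware that throttles requests per client IP in a fixed time window and
# answers excess requests with HTTP 429, the way the slides recommend.
require "json"

class Throttle
  # limit:  requests allowed per `period` seconds for one key (here: client IP)
  # clock:  injectable time source so behaviour is deterministic in tests
  def initialize(app, limit: 5, period: 60, clock: -> { Time.now.to_f })
    @app, @limit, @period, @clock = app, limit, period, clock
    @counters = Hash.new { |h, k| h[k] = [0, 0] } # key => [window_start, count]
  end

  def call(env)
    ip  = env["REMOTE_ADDR"] || "unknown"
    now = @clock.call
    window_start = (now / @period).floor * @period
    start, count = @counters[ip]
    count = 0 if start != window_start           # new window: reset the counter
    count += 1
    @counters[ip] = [window_start, count]

    if count > @limit
      retry_after = (window_start + @period - now).ceil
      return [429,
              { "Content-Type" => "application/json", "Retry-After" => retry_after.to_s },
              [JSON.generate(error: "rate limit exceeded")]]
    end
    @app.call(env)
  end
end

# Stand-in for the protected application (constructed for the example).
LOGIN_APP = ->(_env) { [200, { "Content-Type" => "application/json" }, ['{"ok":true}']] }

# Sends `n` requests from `ip` through a fresh Throttle, one per second,
# and returns the status codes it got back.
def simulate(n, ip: "203.0.113.7", limit: 5, period: 60)
  t = 0.0
  clock = -> { t }
  app = Throttle.new(LOGIN_APP, limit: limit, period: period, clock: clock)
  Array.new(n) do
    status, = app.call("REMOTE_ADDR" => ip, "PATH_INFO" => "/login")
    t += 1.0                      # all requests land inside one window
    status
  end
end

if __FILE__ == $0
  p simulate(7)   # => [200, 200, 200, 200, 200, 429, 429]
end
```

Keying on REMOTE_ADDR is the simplest choice and the one to change first in production: behind a load balancer every request carries the balancer's address, so the key must come from the trusted X-Forwarded-For hop instead, and a per-account key is what stops a single legitimate user from hammering the login route.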

SQL injections

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution

https://en.wikipedia.org/wiki/SQL_injection

http://example.com/api/v1/user/123

"SELECT * FROM users WHERE userID='" + user_id + "'"

becomes

SELECT * FROM users WHERE userID = '123'

Consider this:

http://example.com/api/v1/user/'%20or%20'1'='1

SELECT * FROM users WHERE userID = '' or '1' = '1'

The closing quote is supplied by the attacker, so the WHERE clause is always true and every row comes back.
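The slide's concatenation, the payload that turns it into a tautology, and the two fixes a practitioner applies, as an added example that is not part of the deck. The route /api/v1/user/:id carries a numeric id, so the value is validated against that type before it reaches SQL, and the statement is built with a placeholder and a separate bind list, which is the shape database drivers accept. Paths and ids are constructed for the example; no database is needed to run it.

```ruby
# Added example (not the deck's code): the vulnerable concatenation from the
# slide next to the hardened version (type validation + bound parameters).
require "cgi"

# Vulnerable: the slide's string concatenation, reproduced deliberately.
def vulnerable_query(user_id)
  "SELECT * FROM users WHERE userID='" + user_id + "'"
end

# Fix 1: the id in this route is numeric, so accept only a plain base-10
# integer and reject everything else before it gets near SQL. nil on bad input.
def parse_user_id(raw)
  return nil unless raw.is_a?(String) && raw.match?(/\A\d+\z/)
  raw.to_i
end

# Fix 2: never splice values into SQL. Return the statement with a placeholder
# and the bind values separately (what a driver such as sqlite3 or pg takes);
# the value then cannot change the structure of the statement.
def safe_query(user_id)
  id = parse_user_id(user_id)
  raise ArgumentError, "invalid user id" if id.nil?
  ["SELECT * FROM users WHERE userID = ?", [id]]
end

# Extract the id the way a router would: last path segment, URL-decoded.
def id_from_path(path)
  CGI.unescape(path.split("/").last)
end

if __FILE__ == $0
  benign  = id_from_path("/api/v1/user/123")
  payload = id_from_path("/api/v1/user/'%20or%20'1'='1")
  puts vulnerable_query(benign)    # SELECT * FROM users WHERE userID='123'
  puts vulnerable_query(payload)   # SELECT * FROM users WHERE userID='' or '1'='1'
  p safe_query(benign)             # ["SELECT * FROM users WHERE userID = ?", [123]]
  p parse_user_id(payload)         # nil -> answer 400, never build the query
end
```

Validation alone is not the fix; it only works here because the id is known to be numeric. Bound parameters are what make the query safe for any value, and a malformed id should produce a 400 rather than a query.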

Predictable resource location

An attack technique used to uncover hidden web site content and functionality. By making educated guesses, the attack is a brute force search looking for content that is not intended for public viewing.

http://www.infosecpro.com/applicationsecurity/a54.htm

example.com/v1/users/1

UUID

example.com/v1/users/de305d54-75b4-431b-adb2-eb6b9e546014

Who does this?

Charges: ch_16KD5K2eZvKYlo2Cm5vtG9HJ

Cards: card_16KD5F2eZvKYlo2CzRqSKsIR

Transactions: txn_16Hn2s2eZvKYlo2CSKkdbSPq

Unintended disclosure of information

Letting unauthorized users access information they shouldn't

It has happened to me

and many others

How to deal with this?

Apply authentication (and authorization: check that the caller owns the resource) to your API as well

And respond with the minimal information needed
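The two previous points together, as an added example that is not the deck's code: resources get random, non-guessable identifiers (a UUID from SecureRandom, and a prefixed random id in the style of the ch_/card_/txn_ ids shown earlier), and the lookup still checks that the caller owns the resource and serializes only the fields the client needs. Non-guessable ids are not a substitute for that check. The User and Card structs, the in-memory store and the sample accounts are constructed for the example.

```ruby
# Added example (not the deck's code): non-guessable ids plus an ownership
# check and a minimal response, for the predictable-resource-location and
# unintended-disclosure slides.
require "securerandom"
require "json"

User = Struct.new(:id, :email, :password_hash, :role)
Card = Struct.new(:id, :owner_id, :last4, :pan_token, :exp)

ALPHABET = ("0".."9").to_a + ("a".."z").to_a + ("A".."Z").to_a

# Prefixed random id such as "card_..."; 24 symbols from a 62-symbol alphabet
# is over 140 bits of entropy, so walking /users/1, /users/2, ... gets nowhere.
def random_id(prefix, length = 24)
  prefix + "_" + Array.new(length) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
end

def uuid
  SecureRandom.uuid   # random (version 4) UUID
end

# Ownership check + minimal response. Missing and not-owned both map to the
# same 404 so a guessed id does not reveal whether the resource exists.
def show_card(store, current_user, card_id)
  card = store[card_id]
  return [404, { "error" => "not found" }] if card.nil? || card.owner_id != current_user.id
  # Only what the client needs: no pan_token, no owner id, no internals.
  [200, { "id" => card.id, "last4" => card.last4, "exp" => card.exp }]
end

# Constructed sample data: two users, one card owned by alice.
def sample_store
  alice = User.new(uuid, "alice@example.com", "<hash>", "user")
  bob   = User.new(uuid, "bob@example.com",   "<hash>", "user")
  card  = Card.new(random_id("card"), alice.id, "4242", "tok_secret", "12/2027")
  [{ card.id => card }, alice, bob, card]
end

if __FILE__ == $0
  store, alice, bob, card = sample_store
  puts JSON.generate(show_card(store, alice, card.id)[1])          # owner: id, last4, exp
  puts JSON.generate(show_card(store, bob, card.id)[1])            # {"error":"not found"}
  puts JSON.generate(show_card(store, alice, "card_doesnotexist")[1])
end
```

Returning 404 instead of 403 for another user's resource is a deliberate choice: it keeps a brute-force search from confirming which ids are live. Logging the attempt server-side is still worthwhile, since repeated 404s on random ids from one client is exactly the pattern the slides describe.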

Protip:

API interactions from client to server are still user input

This happened

to

Several times...

NOTE: Does not work anymore

Meet Charles

Charles can be used as a man-in-the-middle HTTPS proxy, enabling you to view in plain text the communication between web browser and SSL web server.

(._. U)

Wrapping up

Requirements

Knowledge

Prevention

Monitoring

Awareness

Questions?

Thanks! me@ferperales.net

FerPeralesM
