APIs and security
TRANSCRIPT
Enlighten your software
API first? Security first: what you need to know to build secure APIs
Fernando Perales
<me>
Fernando Perales
Software Engineer @ Crowd Interactive
FLOSS Advocate
/(.*) metal and 🍺 lover/
Passionate about web development and lean startup
FerPeralesM
FerPerales
</me>
Why an API?
http://www.apiacademy.co/sites/default/files/Web-APIs-v5_0.png
API first
When not to API first:
Extracted from a monolith
Going mobile
Public API
Decisions
Technology
SOAP vs REST
XML vs JSON
Let's go for...
REST + JSON
REST
Roy Fielding
“REST's client–server separation of concerns simplifies component
implementation, reduces the complexity of connector semantics, improves the
effectiveness of performance tuning, and increases the scalability of pure server
components.”
Architectural constraints
Client-server
https://en.wikipedia.org/wiki/Client%E2%80%93server_model#/media/File:Client-server-model.svg
Stateless
Cacheable
Layered system
Code on demand
(optional)
Uniform interface
REST is an architectural style, not a standard
Considerations for APIs
(and pretty much, every system)
Correctness
Performance
Reliability
Robustness
Scalability
Security
Security
Security
Why should I care?
Common misperceptions
I'm not a big company
Nobody will care about my data
My API is not public
I didn't know
Ignorantia juris non excusat
owasp.org
Let's start
Know what you are fighting
http://fc04.deviantart.net/fs71/i/2013/107/9/5/it_s_dangerous_to_go_alone_by_michaelmayne-d621qgq.png
OWASP WASC Web Hacking Incidents Database Project
Denial of Service
An attempt to make a machine or network resource
unavailable to its intended users.
https://en.wikipedia.org/wiki/Denial-of-service_attack
Can be from malicious
users
Or legit users trying to take advantage
How to deal with it?
Throttle / limit requests
Rack::Attack
kickstarter/rack-attack
Return HTTP status 429 (Too Many Requests) once a client is over its limit
How to test?
Apache Benchmark
httpd.apache.org/docs/2.2/programs/ab.html
ab -c 5 -n 100 http://127.0.0.1:3000/login
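The throttling idea above, as an added example that is not the talk's code and not the rack-attack gem itself: a minimal fixed-window throttle keyed on client IP that mirrors what `Rack::Attack.throttle` does, answering 429 with a `Retry-After` hint once the window's limit is exceeded. The clock is injectable so the behaviour can be checked without sleeping; `simulate_burst` plays the role of the `ab -n 100` run from one address.

```ruby
# Added example: a fixed-window request throttle in the spirit of
# Rack::Attack's `throttle`. This is illustration code, NOT the rack-attack
# gem's implementation.
class RequestThrottle
  # limit:  requests allowed per window
  # period: window length in seconds
  # clock:  time source (a lambda) so tests can advance time deterministically
  def initialize(limit:, period:, clock: -> { Time.now.to_f })
    @limit = limit
    @period = period
    @clock = clock
    @counters = Hash.new(0) # "ip:window" => request count
  end

  # Returns [status, headers, body]. Requests under the limit pass (200);
  # anything over gets 429 plus how long to wait for the next window.
  def call(ip)
    now = @clock.call
    window = (now / @period).floor
    key = "#{ip}:#{window}"
    @counters[key] += 1
    if @counters[key] > @limit
      retry_after = ((window + 1) * @period - now).ceil
      return [429, { "Retry-After" => retry_after.to_s }, "Rate limit exceeded"]
    end
    [200, {}, "ok"]
  end
end

# Simulate a burst like `ab -n 100` from a single address and report how many
# requests were served versus rejected.
def simulate_burst(throttle, ip, count)
  statuses = Array.new(count) { throttle.call(ip)[0] }
  { served: statuses.count(200), rejected: statuses.count(429) }
end
```

With the real gem the equivalent configuration is `Rack::Attack.throttle("req/ip", limit: 5, period: 60) { |req| req.ip }`; the point of the toy version is to make the window arithmetic and the 429 response visible.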
SQL injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution
https://en.wikipedia.org/wiki/SQL_injection
http://example.com/api/v1/user/123
"SELECT * FROM users WHERE userID = '" + user_id + "'";
SELECT * FROM users WHERE userID = '123'
Consider this:
http://example.com/api/v1/user/'%20or%20'1'='1
SELECT * FROM users WHERE userID = '' or '1' = '1'
The WHERE clause is now always true, so the query returns every row in the table.
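The concatenation from the slide next to a hardened version, as an added example that is not the talk's code. The unsafe builder reproduces the slide's query exactly; the safe one rejects anything that is not a plain integer id and keeps SQL and data separate by returning a placeholder statement plus the value to bind, which is what you would hand to a prepared statement. `build_query_unsafe`, `build_query_safe` and `InvalidUserId` are names chosen for this illustration.

```ruby
require "uri"

# Vulnerable: the slide's query builder. The id is pasted into the SQL text
# verbatim, so a single quote in the input changes the statement's structure.
def build_query_unsafe(user_id)
  "SELECT * FROM users WHERE userID = '" + user_id + "'"
end

# The slide's payload as it travels in the URL path, decoded the way a web
# framework would before it reaches the handler.
def decode_path_segment(segment)
  URI.decode_www_form_component(segment)
end

class InvalidUserId < ArgumentError; end

# Hardened: validate the shape of the id before it goes anywhere near SQL,
# then return [statement_with_placeholder, bind_values] so the driver sends
# the id as data, never as part of the query text.
def build_query_safe(user_id)
  unless user_id.is_a?(String) && user_id.match?(/\A\d+\z/)
    raise InvalidUserId, "user id must be a positive integer"
  end
  ["SELECT * FROM users WHERE userID = ?", [Integer(user_id, 10)]]
end
```

Validation alone is not the defence (a legitimately free-form field could not be whitelisted this way); binding the value as a parameter is what prevents the input from being parsed as SQL. The shape check simply rejects the obvious garbage early and gives a clean 4xx instead of a database error.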
Predictable resource location
An attack technique used to uncover hidden web site content and
functionality. By making educated guesses, the attack is a brute force
search looking for content that is not intended for public viewing.
http://www.infosecpro.com/applicationsecurity/a54.htm
Sequential id (the next one is trivial to guess):
example.com/v1/users/1
UUID:
example.com/v1/users/de305d54-75b4-431b-adb2-eb6b9e546014
Who does this? (Stripe object ids, for example)
Charges: ch_16KD5K2eZvKYlo2Cm5vtG9HJ
Cards: card_16KD5F2eZvKYlo2CzRqSKsIR
Transactions: txn_16Hn2s2eZvKYlo2CSKkdbSPq
Unintended disclosure of information
Letting unauthorized users access information they shouldn't
It has happened to me
and many others
How to deal with this?
Apply authentication to your API as well, and check that the authenticated caller is actually allowed to see the resource it asks for
And respond with the minimal information needed
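The two preceding points, non-guessable identifiers and authenticated, minimal responses, as one added example that is not the talk's code. It generates opaque ids in the prefixed style shown above, and the handler for `GET /v1/users/:id` refuses unauthenticated calls, answers 404 for both missing and not-yours ids (a 403 would confirm the id exists), and serialises only the fields a client needs. `UserStore`, the `usr_` prefix, `ID_FORMAT` and the field names are assumptions made for this illustration.

```ruby
require "securerandom"

# Opaque id: short type prefix + 24 random alphanumerics (~143 bits of
# entropy), so knowing one id tells you nothing about the next.
def generate_id(prefix)
  "#{prefix}_#{SecureRandom.alphanumeric(24)}"
end

ID_FORMAT = /\A[a-z]{2,4}_[A-Za-z0-9]{24}\z/

# In-memory stand-in for the users table (assumed for this example).
class UserStore
  def initialize
    @users = {}
  end

  def create(email:, password_hash:, is_admin: false)
    id = generate_id("usr")
    @users[id] = { id: id, email: email, password_hash: password_hash, is_admin: is_admin }
  end

  # Handler for GET /v1/users/:id.
  # caller_id: id of the authenticated principal, nil if the request carried
  #            no valid credentials.
  # Returns [status, body_hash].
  def show(caller_id, requested_id)
    return [401, { error: "authentication required" }] if caller_id.nil?
    # Reject malformed ids before touching storage.
    return [404, { error: "not found" }] unless requested_id.match?(ID_FORMAT)
    user = @users[requested_id]
    # Same answer for "does not exist" and "exists but is not yours":
    # a distinct 403 would leak that the id is valid.
    return [404, { error: "not found" }] if user.nil? || user[:id] != caller_id
    # Minimal representation: never echo password hashes or internal flags.
    [200, { id: user[:id], email: user[:email] }]
  end
end
```

Opaque ids reduce enumeration but are not an access control; the ownership check in `show` is what actually stops one user reading another's record, and it has to run on every endpoint, not just the ones that look sensitive.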
Protip:
API interactions from client to server are still user input
This happened
to
Several times...
NOTE: Does not work anymore
Meet Charles
Charles can be used as a man-in-the-middle HTTPS proxy, enabling you to view in plain text the communication between web browser and SSL web server.
It works because the tester installs Charles' root certificate on their own device, so the client trusts the proxy; it does not break TLS for anyone else, but it does mean anyone can read and rewrite every request your own app sends.
(._. U)
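What the protip implies once a client can rewrite its own requests in a proxy like Charles, as an added example that is not the talk's code: an order handler that treats the JSON body from "our own" app as untrusted input. Anything the server can compute itself (unit price, totals, privilege flags) is ignored, unknown fields are dropped rather than merged into the model, and the remaining fields are checked for type and range. The field names (`item_id`, `quantity`, `unit_price`, `is_admin`), the price table and `BadRequest` are assumptions made for this illustration.

```ruby
require "json"

PRICES = { "sku-1" => 1999, "sku-2" => 500 }.freeze # cents, server-side truth
MAX_QUANTITY = 10
ALLOWED_FIELDS = %w[item_id quantity].freeze

class BadRequest < StandardError; end

# Parse and validate an order body. Returns the validated order with the
# total computed from the server's price list, plus the list of client
# fields that were ignored (useful to log: a client sending `is_admin` or
# `unit_price` is worth noticing).
def parse_order(raw_body)
  body = JSON.parse(raw_body)
  raise BadRequest, "object expected" unless body.is_a?(Hash)

  ignored = body.keys - ALLOWED_FIELDS
  params = body.slice(*ALLOWED_FIELDS)

  item = params["item_id"]
  raise BadRequest, "unknown item" unless PRICES.key?(item)

  qty = params["quantity"]
  unless qty.is_a?(Integer) && (1..MAX_QUANTITY).cover?(qty)
    raise BadRequest, "quantity must be an integer between 1 and #{MAX_QUANTITY}"
  end

  { item_id: item, quantity: qty, total_cents: PRICES[item] * qty, ignored_fields: ignored }
rescue JSON::ParserError
  raise BadRequest, "malformed JSON"
end
```

The same rule applies to hidden form fields, query parameters and headers the app sets itself: the client being yours does not make the bytes trustworthy.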
Wrapping up
Requirements
Knowledge
Prevention
Monitoring
Awareness
Questions?