
Security in REST APIs (Segurança em APIs REST), Heitor Vital - PowerPoint PPT Presentation



  1. Security in REST APIs

  2. Heitor Vital ● Areas of work o Cloud Computing o Information Security o Games o Mobile Devices o … ● Academic o MBA FGV o Master's degree, UFPE o Undergraduate degree, UFPE ● Contact: twitter.com/heitorvital slideshare.net/HeitorVital labs.siteblindado.com sec@siteblindado.com.br Kadu

  3. 2014 Global Report on the Cost of Cyber Crime - Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy. 257 companies, 2,081 interviews, 1,717 incidents, $7.6M average loss, 10.4% growth in incidents. More info: 2014 Global Report on the Cost of Cyber Crime

  4. Source: http://cloudtweaks.com/2013/10/cloud-infographic-2013-cyber-security-intelligence-index/

  5. Attack Vector by Organizational Size - top three: 1. Web-based attacks 2. Denial of service 3. Malicious insiders

  6. Site vs Platform

  7. Let’s [try to] attack ...

  8. Search Surface Detection ● Metadata/Doc o Swagger o RAML o API-Blueprint o I/O Docs ● Discovery ● Brute Force o Invalid data (type, size, length, null, HTTP header, XML bomb, upload file...) Example: http://petstore.swagger.io/#!/pet/updatePet

  9. Protocol - HTTP

  10. Protocol - HTTPS https://example.com/controller/<id>/action?apiKey=a53f435643de32 Does that solve it??

  11. Authentication/Authorization API Keys Abstract OAuth 2.0 flow

  12. Assessments

  13. Injection
      Normal request: http://petstore.com/api/v1/pet/123
        "SELECT * FROM pets WHERE petID='" + petId + "'";
        SELECT * FROM pets WHERE petID = '123'
      Injection: http://petstore.com/api/v1/pet/'%20or%20'1'='1
        "SELECT * FROM pets WHERE petID='" + petId + "'";
        SELECT * FROM pets WHERE petID = '' or '1' = '1'
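The slide shows the string-concatenated query and the statement it becomes when the path segment is `' or '1'='1`. The following added example (not from the slides) reproduces that behaviour against a constructed in-memory SQLite table and puts the parameterized form beside it; `make_db`, `pet_id_from_path` and the two lookup functions are assumptions standing in for the petstore API's data layer and router.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    # Constructed sample data standing in for the petstore table on the slide.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pets (petID TEXT, name TEXT)")
    conn.executemany("INSERT INTO pets VALUES (?, ?)",
                     [("123", "Rex"), ("124", "Tom"), ("125", "Nemo")])
    return conn


def pet_id_from_path(path):
    # Stand-in for the framework router that extracts <id> from /api/v1/pet/<id>
    # and percent-decodes it (so %20 becomes a space, exactly as on the slide).
    prefix = "/api/v1/pet/"
    if not path.startswith(prefix):
        raise ValueError("not a pet lookup path")
    return unquote(path[len(prefix):])


def find_pet_concat(conn, pet_id):
    # The vulnerable pattern from the slide: the path segment is glued into the
    # SQL text, so a quote inside it changes the structure of the statement.
    sql = "SELECT * FROM pets WHERE petID='" + pet_id + "'"
    return conn.execute(sql).fetchall()


def find_pet_param(conn, pet_id):
    # Hardened form: the value travels as a bound parameter, never as SQL text,
    # so "' or '1'='1" is compared literally against petID and matches nothing.
    return conn.execute("SELECT * FROM pets WHERE petID = ?", (pet_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for path in ("/api/v1/pet/123", "/api/v1/pet/'%20or%20'1'='1"):
        pid = pet_id_from_path(path)
        print(path, "| concat ->", len(find_pet_concat(db, pid)), "rows |",
              "parameterized ->", len(find_pet_param(db, pid)), "rows")
```

With the concatenated query the injected path returns every row in the table; with the bound parameter it returns none, and the normal request `/api/v1/pet/123` returns exactly one row either way.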

  14. XSS (cross site scripting) Solution: response headers with ● Content-type: application/json ● x-content-type-options: nosniff References: http://www.w2spconf.com/2013/papers/s3p1.pdf http://stackoverflow.com/questions/3146324/is-it-possible-to-xss-exploit-json-responses-with-proper-javascript-string-escap http://security.stackexchange.com/questions/42093/xss-prevention-for-restful-services
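The slide's fix is two response headers. The added example below (not from the slides) is a small response builder that always emits them, plus an audit function that flags API responses missing either one; the function names and the constructed echo payload are assumptions for the example.

```python
import json


def json_response(payload, status=200):
    # Builds the (status, headers, body) triple an API handler returns, with the
    # two headers the slide prescribes: a JSON content type, and nosniff so the
    # browser never reinterprets the body as HTML even when it carries markup
    # that came from user input.
    body = json.dumps(payload)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return status, headers, body


def audit_response_headers(headers):
    # Returns a list of findings for a response that a browser might open
    # directly. Header names are case-insensitive, so normalize before checking.
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    media_type = lower.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        findings.append("Content-Type is %r, expected application/json"
                        % (lower.get("content-type") or "missing"))
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    return findings


if __name__ == "__main__":
    # Constructed echo: the API returns a pet name a user supplied, markup included.
    status, headers, body = json_response({"name": "<script>alert(1)</script>"})
    print(body, audit_response_headers(headers))
    # Constructed weak response: the same body served as HTML with no nosniff header.
    print(audit_response_headers({"Content-Type": "text/html"}))
```

The audit function can be run over captured responses from a proxy or test client to catch handlers that still serve JSON as `text/html`, which is the case the first reference above describes.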

  15. CSRF (cross site request forgery) Solution: OAuth state References: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html and http://hasselba.ch/blog/?p=1854
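The `state` parameter only protects the OAuth callback if it is unguessable, bound to the browser session that started the flow, checked with a constant-time comparison, and consumed on first use. The added example below (not from the slides) implements that client-side bookkeeping; `OAuthStateStore`, the injectable clock, and the example.com-style URLs are assumptions for the demonstration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class OAuthStateStore:
    # In-memory stand-in for the server-side session store (constructed here).
    def __init__(self, ttl_seconds=300, clock=time.time):
        self._pending = {}      # session_id -> (state, issued_at)
        self._ttl = ttl_seconds
        self._clock = clock     # injectable so expiry can be tested deterministically

    def begin_authorization(self, session_id, authorize_url, client_id, redirect_uri):
        # Mint an unguessable state, remember it for THIS browser session only,
        # and carry it in the redirect to the authorization server.
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = (state, self._clock())
        query = urlencode({"response_type": "code", "client_id": client_id,
                           "redirect_uri": redirect_uri, "state": state})
        return "%s?%s" % (authorize_url, query)

    def pending_state(self, session_id):
        entry = self._pending.get(session_id)
        return entry[0] if entry else None

    def validate_callback(self, session_id, callback_url):
        # Called when the browser lands on redirect_uri. The state in the URL must
        # match the one minted for this session and must not have expired; it is
        # consumed on use, so a forged or replayed callback (the CSRF case) is
        # rejected before the authorization code is ever exchanged.
        presented = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
        entry = self._pending.pop(session_id, None)
        if entry is None or not presented.isascii():
            return False
        expected, issued_at = entry
        if self._clock() - issued_at > self._ttl:
            return False
        return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    store = OAuthStateStore()
    url = store.begin_authorization("sess-1", "https://auth.example/authorize",
                                    "client-1", "https://app.example/callback")
    print("redirect to:", url)
    good = "https://app.example/callback?code=abc&state=" + store.pending_state("sess-1")
    print("genuine callback accepted:", store.validate_callback("sess-1", good))
    print("replayed callback accepted:", store.validate_callback("sess-1", good))
```

A callback that carries a state minted for a different session, no state at all, or a state older than the TTL is refused, which is what stops a third party from logging the victim into an account of the attacker's choosing.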

  16. DoS/DDoS
      API Gateway ● Call quotas o Calendar Period o Rolling Window ● Package Analysis ● IP Blacklist ● Region Blacklist
      WAF ● Invalid Inputs o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages
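The slide names two call-quota styles, calendar period and rolling window, without showing how they differ. The added example below (not from the slides) implements both with an injectable timestamp and a small simulation; it also shows the edge case a practitioner cares about: a calendar quota lets a client spend one period's allowance just before the boundary and another just after it, while the rolling window does not. The class names and the limit of 3 calls per 60 seconds are assumptions for the demonstration.

```python
from collections import deque


class CalendarQuota:
    # Fixed calendar period: the counter resets at every period boundary
    # (e.g. at each whole minute when period_seconds is 60).
    def __init__(self, limit, period_seconds):
        self.limit = limit
        self.period = period_seconds
        self._state = {}    # client -> [window_start, count]

    def allow(self, client, now):
        window = int(now // self.period) * self.period
        state = self._state.get(client)
        if state is None or state[0] != window:
            state = [window, 0]             # new period, fresh allowance
            self._state[client] = state
        if state[1] >= self.limit:
            return False
        state[1] += 1
        return True


class RollingWindowQuota:
    # Sliding window: counts the calls made in the last window_seconds, measured
    # from the current request, so there is no boundary to burst across.
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._calls = {}    # client -> deque of timestamps inside the window

    def allow(self, client, now):
        q = self._calls.setdefault(client, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                     # drop calls that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(quota, client, timestamps):
    # Feed a constructed sequence of request times through a quota and record the decisions.
    return [quota.allow(client, t) for t in timestamps]


if __name__ == "__main__":
    burst = [58, 59, 59.5, 60, 61, 62]      # three calls before the minute mark, three after
    print("calendar:", simulate(CalendarQuota(3, 60), "key-A", burst))
    print("rolling: ", simulate(RollingWindowQuota(3, 60), "key-A", burst))
```

With the constructed burst the calendar quota admits all six calls within four seconds, twice its nominal rate, while the rolling window refuses the fourth, fifth and sixth until the earliest call ages out of the window.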

  17. Platform - Separation of Concerns ● Authentication / Authorization ● Logging ● Analytics ● Audit ● Rate Limit ● Payload ● Address Restrictions ● Invalid Inputs o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages

  18. Heitor Vital twitter.com/heitorvital slideshare.net/HeitorVital THANK YOU!!! labs.siteblindado.com sec@siteblindado.com.br Kadu
