Description: security of RESTful APIs
Security in REST APIs
Heitor Vital
Areas of activity: o Cloud Computing o Information Security o Games o Mobile Devices
Academic: o MBA, FGV o Master's degree, UFPE o Bachelor's degree, UFPE
twitter.com/heitorvital
slideshare.net/HeitorVital
labs.siteblindado.com
Kadu
More info: 2014 Global Report on the Cost of Cyber Crime
Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy
2014 Global Report on the Cost of Cyber Crime
257 companies
2,081 interviews
1,717 incidents
$7.6M average loss
10.4% growth in incidents
Source: http://cloudtweaks.com/2013/10/cloud-infographic-2013-cyber-security-intelligence-index/
Attack Vector by Organizational Size
TOPs
1. Web-based attacks 2. Denial of service 3. Malicious insiders
Site vs Plataforma
Let's [try to] attack ...
Search Surface Detection Metadata/Doc
o Swagger o RAML o API-Blueprint o I/O Docs
Discovery Brute Force
o Invalid data. Example: http://petstore.swagger.io/#!/pet/updatePet (type, size, length, null, HTTP header, XML bomb, upload file...)
Protocol - HTTP
Protocol - HTTPS
https://example.com/controller//action?apiKey=a53f435643de32
Does that solve it??
Authentication/Authorization
API Keys
Abstract OAuth 2.0 flow
Assessments
Injection
Normal request: http://petstore.com/api/v1/pet/123
Query built by concatenation: 'SELECT * FROM pets WHERE petID=' + petId + ';'
Resulting SQL: SELECT * FROM pets WHERE petID = 123
Injected request: http://petstore.com/api/v1/pet/%20or%201=1
Query built by concatenation: 'SELECT * FROM pets WHERE petID=' + petId + ';'
Resulting SQL: SELECT * FROM pets WHERE petID = or 1 = 1
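Worked example, added here and not taken from the deck: the petstore lookup built by string concatenation beside an allow-listed, parameterized version, both run against a constructed in-memory SQLite table. The injected URL carries a leading id (123) so that the concatenated SQL parses and the row leak is visible.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed in-memory pet store standing in for petstore.com's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pets (petID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO pets VALUES (?, ?)",
                     [(123, "Rex"), (124, "Mia"), (125, "Tom")])
    return conn

def path_param(url):
    """Decode the last path segment of /api/v1/pet/<id>, e.g. '%20or%201=1' -> ' or 1=1'."""
    return unquote(url.rsplit("/", 1)[1])

def lookup_concat(conn, pet_id):
    """The deck's vulnerable pattern: the raw id is glued into the SQL text."""
    query = "SELECT petID, name FROM pets WHERE petID = " + pet_id + " ORDER BY petID;"
    return conn.execute(query).fetchall()

def lookup_param(conn, pet_id):
    """Parameterized query: the id is bound as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT petID, name FROM pets WHERE petID = ? ORDER BY petID", (pet_id,)
    ).fetchall()

# Allow-list for the id (the deck's 'Invalid Inputs' control): digits only.
PET_ID = re.compile(r"[0-9]{1,9}")

def handle_get_pet(conn, url):
    """Hardened handler: reject anything that is not a plain id, then bind it.
    Returns (HTTP status, rows)."""
    raw = path_param(url)
    if not PET_ID.fullmatch(raw):
        return 400, []
    return 200, lookup_param(conn, int(raw))

if __name__ == "__main__":
    db = make_db()
    normal = "http://petstore.com/api/v1/pet/123"
    attack = "http://petstore.com/api/v1/pet/123%20or%201=1"
    print(lookup_concat(db, path_param(normal)))  # one row
    print(lookup_concat(db, path_param(attack)))  # 'petID = 123 or 1=1': every row leaks
    print(lookup_param(db, path_param(attack)))   # bound value matches nothing: []
    print(handle_get_pet(db, attack))             # (400, [])
```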
XSS (cross site scripting)
Solution: response headers with
Content-type: application/json x-content-type-options: nosniff
References:
http://www.w2spconf.com/2013/papers/s3p1.pdf
http://stackoverflow.com/questions/3146324/is-it-possible-to-xss-exploit-json-responses-with-proper-javascript-string-escap
http://security.stackexchange.com/questions/42093/xss-prevention-for-restful-services
CSRF (cross site request forgery)
References:
http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html
http://hasselba.ch/blog/?p=1854
Solution: OAuth state
DoS/DDoS
WAF: Packet Analysis, IP Blacklist, Region Blacklist
API Gateway Call quotas
o Calendar Period o Rolling Window
Invalid Inputs o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages
Platform: Separation of Concerns
Authentication / Authorization
Logging, Analytics, Audit, Rate Limit, Payload, Address Restrictions, Invalid Inputs
o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages
Heitor Vital
THANK YOU!!!