REST API Security


  • REST API Security

  • Heitor Vital

    Areas of activity: o Cloud Computing o Information Security o Games o Mobile Devices

    Academic background: o MBA FGV o Master's degree UFPE o Bachelor's degree UFPE

    twitter.com/heitorvital

    slideshare.net/HeitorVital

    labs.siteblindado.com

    Kadu

    [email protected]

  • More info: 2014 Global Report on the Cost of Cyber Crime

    Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy

    2014 Global Report on the Cost of Cyber Crime

    257 Companies

    2,081 Interviews

    1,717 Incidents

    $7.6M average loss

    10.4% growth in incidents

  • Source: http://cloudtweaks.com/2013/10/cloud-infographic-2013-cyber-security-intelligence-index/

  • Attack Vector by Organizational Size

    TOPs

    1. Web-based attacks 2. Denial of services 3. Malicious insiders

  • Site vs Platform

  • Let's [try to] attack ...

  • Search surface: detection via metadata/docs

    o Swagger o RAML o API-Blueprint o I/O Docs

    Discovery: brute force

    o Invalid data. Example: http://petstore.swagger.io/#!/pet/updatePet (type, size, length, null, HTTP header, XML bomb, file upload...)

  • Protocol - HTTP

  • Protocol - HTTPS

    https://example.com/controller//action?apiKey=a53f435643de32

    Problem solved??

  • Authentication/Authorization

    API Keys

    Abstract OAuth 2.0 flow

  • Assessments

  • Injection

    Normal: http://petstore.com/api/v1/pet/123
    'SELECT * FROM pets WHERE petID=' + petId + ';'  ->  SELECT * FROM pets WHERE petID = 123

    Injection: http://petstore.com/api/v1/pet/%20or%201=1
    'SELECT * FROM pets WHERE petID=' + petId + ';'  ->  SELECT * FROM pets WHERE petID = or 1 = 1
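    The concatenation on this slide beside its parameterised form, as an added Python example that is not from the original deck: the in-memory SQLite table and its pet rows are constructed, and because the slide's bare " or 1=1" path segment yields a syntax error on SQLite, the all-rows case uses the value "123 or 1=1" (an assumption, same technique).

```python
import sqlite3

# Constructed in-memory stand-in for the pet store database (sample rows,
# not from the original deck).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE pets (petID INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
conn.executemany(
    "INSERT INTO pets VALUES (?, ?, ?)",
    [(123, "Rex", "alice"), (124, "Mia", "bob"), (125, "Tom", "carol")],
)


def get_pet_vulnerable(pet_id: str) -> list:
    """The concatenation from the slide: the URL path segment is pasted into
    the SQL text, so it can rewrite the WHERE clause."""
    query = "SELECT * FROM pets WHERE petID=" + pet_id + ";"
    return conn.execute(query).fetchall()


def vulnerable_outcome(pet_id: str) -> str:
    """Summarise what the concatenated query does for one path segment."""
    try:
        rows = get_pet_vulnerable(pet_id)
    except sqlite3.OperationalError as exc:
        # The slide's bare " or 1=1" lands here on SQLite: the query is broken,
        # and an unhandled error like this leaks SQL details to the caller.
        return f"error: {exc}"
    return f"{len(rows)} row(s)"


def get_pet_safe(pet_id: str) -> list:
    """Hardened form: reject anything that is not an integer id (the
    'invalid inputs' control from the later slides), then bind the value as
    a query parameter so the database never parses it as SQL."""
    if not pet_id.isdigit():
        raise ValueError("petID must be a non-negative integer")
    return conn.execute(
        "SELECT * FROM pets WHERE petID = ?;", (int(pet_id),)
    ).fetchall()


if __name__ == "__main__":
    for segment in ["123", " or 1=1", "123 or 1=1"]:
        print(f"{segment!r:14} concatenated -> {vulnerable_outcome(segment)}")
    print(get_pet_safe("123"))
```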

  • XSS (cross site scripting)

    Solution: response headers with

    Content-type: application/json x-content-type-options: nosniff

    References: http://www.w2spconf.com/2013/papers/s3p1.pdf http://stackoverflow.com/questions/3146324/is-it-possible-to-xss-exploit-json-responses-with-proper-javascript-string-escap http://security.stackexchange.com/questions/42093/xss-prevention-for-restful-services

  • CSRF (cross site request forgery)

    References: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html and http://hasselba.ch/blog/?p=1854

    Solution: OAuth state parameter

  • DoS/DDoS

    WAF: packet analysis, IP blacklist, region blacklist

    API Gateway: call quotas

    o Calendar Period o Rolling Window

    Invalid inputs: o XML Schema o Blacklist keywords o Blacklist patterns o Malformed messages

  • Platform: Separation of Concerns

    Authentication / Authorization

    Logging, Analytics, Audit, Rate Limit, Payload, Address Restrictions, Invalid Inputs

    o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages

  • Heitor Vital

    THANK YOU !!!

    twitter.com/heitorvital

    slideshare.net/HeitorVital

    labs.siteblindado.com

    Kadu

    [email protected]