Web-based APIs have become a powerful tool for reaching end users in an increasingly fragmented market. The emergence of public and private APIs has introduced new challenges in identity management and access control. Attend this session to get a crash course in Web APIs, the risks they introduce and the emerging standards that can make them safer to use (including OAuth 2 and OpenID Connect).
11. Web APIs
Language Independent
APIs are constrained by the syntax of the web
Most API Design principles can be applied
Some design principles are unique to Web APIs
25. Established mechanisms, tools and frameworks
HTTP and URI security mechanisms
Similar to URI style, new challenges with links
Starts in HTTP, need visibility in new protocol
48. API Attack Example:
SQL Injection Attacks: APIs
GET http://host.com/aresource?token=%27%20or%20%271%3D1
GET http://host.com/aresource?token=' or '1=1
select * from tokens where token = '' or '1=1';
49. APIs May Be A Direct Conduit
[Diagram: HTTP Server → App Server → Database, with the API surface mapped directly onto the App Objects]
Often:
• Self-documenting
• Closely mapped to object space
50. SQL Injection Attack - Mitigation
Sanitize inputs
Validate request and response data
Limit data size
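The injection on slide 48 and the mitigation on slide 50, worked through as an added example (not code from the deck): the slide's query built by string concatenation beside a parameterized version, plus the request-data validation the mitigation slide calls for. The tokens table, its rows, the token format (alphanumeric, 6 to 64 characters) and the in-memory SQLite database are all constructed for this example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data for this example; not from the slide deck.
SAMPLE_TOKENS = [("abc123", "alice"), ("def456", "bob")]
# The slide's payload after percent-decoding: a quote closes the literal, "or '1=1'" is appended.
PAYLOAD = "' or '1=1"
# Assumed token format for this API: opaque alphanumeric string, bounded length
# (this is the "validate request data" and "limit data size" step in one check).
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{6,64}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tokens (token text, user text)")
    conn.executemany("insert into tokens values (?, ?)", SAMPLE_TOKENS)
    return conn


def token_from_query(query_string):
    """What the API sees once the web server has percent-decoded ?token=..."""
    return parse_qs(query_string).get("token", [""])[0]


def lookup_vulnerable(conn, token):
    # The query on the slide, built by string concatenation: token text becomes SQL.
    sql = "select * from tokens where token = '" + token + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, token):
    # Bound parameter: the driver passes the token as data, so a quote inside it
    # never terminates the string literal.
    return conn.execute("select * from tokens where token = ?", (token,)).fetchall()


def is_valid_token(token):
    return TOKEN_RE.fullmatch(token) is not None


def lookup_hardened(conn, token):
    # Validate before touching the database, then use the bound parameter.
    if not is_valid_token(token):
        return []
    return lookup_parameterized(conn, token)


def compare(token):
    """Row counts returned for the same input: (vulnerable, parameterized, hardened)."""
    conn = make_db()
    return (len(lookup_vulnerable(conn, token)),
            len(lookup_parameterized(conn, token)),
            len(lookup_hardened(conn, token)))


if __name__ == "__main__":
    # The slide's payload returns every token row from the concatenated query
    # and nothing from the other two.
    print(compare(token_from_query("token=%27%20or%20%271%3D1")))
    print(compare("abc123"))
```

The validation step is not a substitute for the bound parameter: it limits what reaches the database, while parameterization is what stops the quote from being interpreted as SQL at all.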
60. XSS API Example
[Diagram: Attacker → Web App Server (browser+APIs) → Victim: Web Browser Client, carrying <SCRIPT …>]
1. API injects script in
2. Server fails to perform FIEO: Filter Input, Escape Output
3. Browser loads content with embedded script
61. Cross Site Scripting: Mitigation
Whitelist tags if you can (i.e. where the validation space is small and concise)
Blacklist dangerous tags like <SCRIPT>
Always perform FIEO (Filter Input, Escape Output)
Learn more: http://xssed.com
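FIEO from slide 61 as an added example (not code from the deck): an escape-output step that turns any markup into inert text, and a filter-input step built on a tag whitelist, which the slide recommends where the validation space is small. The whitelist of five tags is an assumption for this example; the sanitizer uses only the standard-library HTML parser.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for this example: the only tags the API will echo back as markup.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}


def escape_output(text):
    """Escape Output: every < > & " ' becomes an entity, so <SCRIPT ...> can never execute."""
    return html.escape(text, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Filter Input by whitelist: re-emit allowlisted tags stripped of all attributes,
    escape every other tag and all character data instead of trying to recognise bad ones."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")   # attributes dropped: no event handlers or URLs survive
        else:
            self.parts.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"</{tag}>")
        else:
            self.parts.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.parts.append(html.escape(data))

    def result(self):
        return "".join(self.parts)


def filter_input(fragment):
    """Run a user-supplied fragment through the whitelist sanitizer."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print(escape_output('<SCRIPT src="x"></SCRIPT>'))
    print(filter_input("<b>hello</b><SCRIPT>doEvil()</SCRIPT>"))
    print(filter_input('<p onclick="x">text</p>'))
```

Escaping on output is the step that must never be skipped: it is what keeps step 3 of slide 60 from executing anything. The whitelist filter is only worth using when the set of permitted tags is genuinely small, because everything not on the list is escaped rather than dropped, so nothing unexpected reaches the browser as markup.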
75. App Spoofing
Examples:
- Guessing application ID by brute force
- Retrieving application ID by sniffing traffic
- Cracking application to retrieve application ID
76. How can I protect identity on a mobile device?
104. Authorization Code Grant
[Diagram: Client Application, Resource Owner using the application, Resource Server]
Resource Owner: "I wish I could access my resources through this application…"
105. Authorization Code Grant
[Diagram: Client Application, Resource Owner using the application, Resource Server]
Resource Owner: "…but I don't trust this app enough to give it my credentials."
107. Authorization Code Grant: Initiation
[Sequence diagram: Client Application, Resource Owner, Authorization Server, Resource Server, User Agent. The Client Application issues a GET request to the Authorization Server via the User-Agent, carrying response_type, client_id, redirect_uri, scope and state.]
108. OAuth 2 Authorization Request
response_type – indicates grant type
client_id – application identifier
redirect_uri (optional) – address which the UA can use to respond to the client
scope (optional) – space-delimited string: what the client wants to do
state (optional) – opaque string used to defeat CSRF attacks
Sample Authorization GET URL:
https://azserver/oauth2/authorize?response_type=code&client_id=my_id&state=state&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback
109. Authorization Code Grant: Resource Owner Authentication
[Sequence diagram: the Authorization Server sends a user authentication form to the User Agent; the Resource Owner authenticates.]
111. Authorization Code Grant: Receipt of Authorization Code
[Sequence diagram: the Authorization Server answers with a 302 that redirects the User-Agent to the Client Application, carrying code and state.]
112. Authorization Code Grant: Access Token Request
[Sequence diagram: the Client Application presents the AZ Code to the Authorization Server in an access token request carrying grant_type, code, redirect_uri and client_id; the Authorization Server returns 200 with an access token and an optional refresh token.]
113. Authorization Code Grant: Access Protected Resource
[Sequence diagram: the Client Application, used by the Resource Owner, requests the resource from the Resource Server; the Resource Server returns 200 with the resource.]
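The client side of slides 107 to 113 as one added example (not code from the deck): building the authorization request from slide 108, receiving the 302 of slide 111 and checking state before trusting the code, and forming the access token request of slide 112 and the resource request of slide 113. The client_id and redirect_uri come from the slide's sample URL; the token endpoint, the "AZ-" code format, the Bearer header scheme and the stand-in authorization server that issues the redirect are assumptions made so that the flow runs offline.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# client_id and redirect_uri are the slide's sample values; the token endpoint is assumed.
AUTHZ_ENDPOINT = "https://azserver/oauth2/authorize"
TOKEN_ENDPOINT = "https://azserver/oauth2/token"        # assumed, not on the slide
CLIENT_ID = "my_id"
REDIRECT_URI = "http://localhost:8080/callback"


def new_state():
    """Unguessable per-session value the client stores and checks when the UA returns (CSRF defence)."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state, scope=()):
    """Slides 107/108: the GET the client sends via the User-Agent."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    if scope:
        params["scope"] = " ".join(scope)        # space-delimited, as slide 108 says
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def simulate_authorization_server(authorization_url):
    """Constructed stand-in for slides 109-111, not a real server: once the resource owner has
    authenticated, the AS 302-redirects the UA to the registered redirect_uri with code and state."""
    q = query_params(authorization_url)
    if q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID:
        raise ValueError("unsupported response_type or unknown client")
    redirect_uri = q.get("redirect_uri", REDIRECT_URI)
    if redirect_uri != REDIRECT_URI:
        raise ValueError("redirect_uri not registered for this client")
    code = "AZ-" + secrets.token_hex(8)           # assumed format; short-lived, single-use
    return redirect_uri + "?" + urlencode({"code": code, "state": q["state"]})


def handle_callback(location, expected_state):
    """Slide 111 on the client side: parse the redirect, verify state, then extract the code."""
    q = query_params(location)
    if "error" in q:
        raise PermissionError(q["error"])
    state = q.get("state", "")
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale session")
    if not q.get("code"):
        raise ValueError("authorization code missing")
    return q["code"]


def callback_rejected(location, expected_state):
    """True when handle_callback refuses the redirect (shows the state check doing its job)."""
    try:
        handle_callback(location, expected_state)
    except (ValueError, PermissionError):
        return True
    return False


def build_token_request(code):
    """Slide 112: form body the client sends directly to TOKEN_ENDPOINT (not via the UA)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}


def resource_request_headers(access_token):
    """Slide 113: the access token travels in the Authorization header (Bearer scheme assumed)."""
    return {"Authorization": "Bearer " + access_token}


def run_flow(scope=("read",)):
    state = new_state()
    auth_url = build_authorization_url(state, scope)
    location = simulate_authorization_server(auth_url)
    code = handle_callback(location, state)
    return {"auth_url": auth_url, "code": code, "token_request": build_token_request(code)}


if __name__ == "__main__":
    print(run_flow())
```

The state check is the one step the sequence diagrams do not spell out: without it, a redirect carrying someone else's authorization code is indistinguishable from the one the client asked for, which is exactly the CSRF that slide 108's state parameter exists to defeat.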