HTTP Services Security
Taiseer Joudeh
Corporate IT Manager at Aramex
@tjoudeh
http://bitoftech.net
Agenda
• Why are we building HTTP services?
• Should I care about HTTP service security?
• Live examples of sloppy HTTP services and apps.
• Ways to secure your API
• Basic Authentication.
• Token Based Authentication.
• OAuth 2.0 Protocol, Roles and Flows.
• Demo
Why are we building HTTP services?
• Enterprises want to integrate with others; HTTP services are the way to do it.
• Mobile devices, smart homes, intelligent devices, IoT, etc. all speak HTTP.
• New trends in building modern web applications (SPAs, JS frameworks).
Should I care about HTTP service security?
• Definitely! Your Web API is publicly accessible.
• No Active Directory, no Windows Authentication to lean on.
• When designing your Web API, security is a first-class citizen.
• Should I build my own security model? No: use the standard, reviewed mechanisms that follow.
Sloppy HTTP Services and Apps
• Case 1:
• An API key hardcoded in a mobile application; with a Fiddler proxy in the path the key was exposed in transit. Anything shipped to the client (keys, tokens, logic) is readable by whoever controls that client.
• Access checks were done on the front-end. The back-end server should never trust the UI; authorization must be enforced server-side on every request.
Sloppy HTTP Services and Apps
• Case 2:
• A leaky API returning hashed user passwords.
• People tend to reuse passwords, so a leaked hash can be cracked offline and tried against other services.
HTTP services are stateless!
• An HTTP service is stateless: there is no session between the client and the
server.
• Authentication must therefore happen on every request from the front-end to
the back-end server.
Ways to secure your API
• 1 - Basic Authentication (very simple)
• The client sends username/password with each request, so the client has to store
the credentials somewhere. Bad idea?
• Your password is your master key: if it is compromised, your account is
compromised.
• The back-end server validates the credentials on every request. Password hashing
(PBKDF2, bcrypt) is intentionally slow to resist brute force, so paying that cost per request is expensive.
• Must be used over TLS only: base64 is encoding, not encryption.
• Avoid it as much as possible.
• Any alternatives?
GET /orders HTTP/1.1
Host: api.example.com
Authorization: Basic dGFpc2VlcjpwYXNzd29yZA==
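As an added example (not code from the deck), the following Python shows what a server does with the Basic header above on every request: decode it, split user-id from password on the first colon as RFC 7617 requires, verify the password against a salted PBKDF2 hash with a constant-time compare, and measure the cost of doing so. The user store, iteration count and helper names are constructed assumptions; the only real value is the header from the slide, which decodes to taiseer:password.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# PBKDF2 with a high iteration count is deliberately slow so that brute-forcing
# a stolen hash is expensive. With Basic auth that cost is paid on every request,
# because the credentials have to be re-verified each time. (Assumed value.)
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store (assumption): username -> (salt, PBKDF2 digest). No plaintext.
USERS: Dict[str, Tuple[bytes, bytes]] = {"taiseer": hash_password("password")}


def build_basic_header(username: str, password: str) -> str:
    """What a client sends: base64 of 'user:pass' (encoding, not encryption)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic header, or None if malformed."""
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', so split on the first colon only;
    # everything after it (including further colons) is the password.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def authenticate_basic(headers: dict) -> Optional[str]:
    """Verify the Basic credentials carried by one request; return the username or None."""
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is None:
        return None
    username, password = creds
    record = USERS.get(username)
    if record is None:
        # Unknown user: run the hash anyway so response time does not reveal
        # whether the username exists.
        hash_password(password, b"\x00" * 16)
        return None
    salt, expected = record
    _, actual = hash_password(password, salt)
    return username if hmac.compare_digest(actual, expected) else None


def timed_authenticate(headers: dict) -> Tuple[Optional[str], float]:
    """Same check, plus the wall-clock cost the server pays for this one request."""
    start = time.perf_counter()
    user = authenticate_basic(headers)
    return user, time.perf_counter() - start
```

Run `timed_authenticate` a few times and the per-request cost is the answer to the slide's "why?": the hash work that protects the stored password is repeated on every call, which is one reason to exchange the password once for a token instead.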
Ways to secure your API – Cont.
• 2 – Token Based Authentication
• How does this work?
1. The front-end presents username/password to the (/token) endpoint.
2. The back-end server validates the credentials.
3. The back-end server returns a "magic" string (the access token).
4. The front-end presents the access token with each request in the Authorization header
using the Bearer scheme.
POST /token HTTP/1.1
Host: api.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=taiseer&password=password

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "YsSHs2rrsh8Vs8fggdsd44jssfVJ8h95sds",
  "token_type": "Bearer",
  "expires_in": 3600
}
GET /orders HTTP/1.1
Host: api.example.com
Authorization: Bearer YsSHs2rrsh8Vs8fggdsd44jssfVJ8h95sds
Ways to secure your API – Cont.
• 2 – Token Based Authentication
• What is an access token?
• A self-contained data structure represented as a string.
• Contains information about the user's identity (claims).
• Has a lifetime and should expire.
• Signed by the server, sometimes also encrypted, so the client cannot alter it.
• Access tokens are like cash: whoever holds one can spend it, so TLS everywhere!
• Access token != password: if a token is compromised, the master key (the password) is still safe, and the damage is bounded by the token's lifetime.
Ways to secure your API – Cont.
• 2 – Token Based Authentication – Cont.
• Any drawbacks?
• Self-contained tokens are not revocable without server-side state!
• If the user changes their password, an already issued access token stays valid until it expires.
• Solution?
• Issue short-lived access tokens (e.g. 15 minutes).
• Refresh access tokens silently using refresh tokens.
• Refresh tokens are stored server-side and so are revocable; you are in good shape!
• This adds complexity to both the front-end and the back-end.
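As an added example (not code from the deck or from the author's demo), the following Python sketches both sides of the token flow covered by the last three slides and by the demo's resource owner password grant: the /token endpoint, a signed self-contained access token with a 15-minute lifetime that is re-validated on every /orders request, and opaque refresh tokens kept server-side so they can be rotated on use and revoked on password change. The signing key, user store, endpoint names, claim layout and order data are constructed assumptions. The checks at the end exercise the drawback the slide names: after the refresh tokens are revoked, an already issued access token still works until it expires.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Hypothetical server-side constants (assumptions, not from the deck).
SIGNING_KEY = secrets.token_bytes(32)      # stays on the back-end, never sent to clients
ACCESS_TOKEN_LIFETIME = 15 * 60             # seconds: short-lived, as the slide recommends
REFRESH_TOKEN_LIFETIME = 30 * 24 * 3600

# Constructed user store: salted PBKDF2 hash, never the plaintext password.
_SALT = b"constructed-salt"
USERS = {"taiseer": hashlib.pbkdf2_hmac("sha256", b"password", _SALT, 100_000)}

# Refresh tokens are opaque server-side state, which is what makes them revocable.
# Keyed by SHA-256 of the token so a leaked table does not yield usable tokens.
REFRESH_TOKENS: Dict[str, dict] = {}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify_password(username: str, password: str) -> bool:
    expected = USERS.get(username)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)
    return expected is not None and hmac.compare_digest(actual, expected)

def issue_access_token(username: str, now: int) -> str:
    """Self-contained token: identity plus expiry, HMAC-signed so the client cannot alter it."""
    claims = {"sub": username, "exp": now + ACCESS_TOKEN_LIFETIME}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = _b64url(hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).digest())
    return f"{body}.{sig}"

def validate_access_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature verifies and the token has not expired."""
    body, _, sig = token.partition(".")
    expected = _b64url(hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("ascii")):
        return None
    try:
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    return None if now >= claims.get("exp", 0) else claims

def issue_refresh_token(username: str, now: int) -> str:
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("ascii")).hexdigest()
    REFRESH_TOKENS[key] = {"sub": username, "exp": now + REFRESH_TOKEN_LIFETIME}
    return token

def revoke_refresh_tokens(username: str) -> int:
    """Revoke all of a user's refresh tokens, e.g. on password change or logout."""
    doomed = [k for k, v in REFRESH_TOKENS.items() if v["sub"] == username]
    for k in doomed:
        del REFRESH_TOKENS[k]
    return len(doomed)

def token_endpoint(form_body: str, now: Optional[int] = None) -> Tuple[int, dict]:
    """POST /token handling grant_type=password and grant_type=refresh_token."""
    now = int(time.time()) if now is None else now
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    grant = params.get("grant_type")
    if grant == "password":
        username = params.get("username", "")
        if not verify_password(username, params.get("password", "")):
            return 400, {"error": "invalid_grant"}
    elif grant == "refresh_token":
        key = hashlib.sha256(params.get("refresh_token", "").encode("utf-8")).hexdigest()
        record = REFRESH_TOKENS.pop(key, None)    # single use: rotated on every refresh
        if record is None or now >= record["exp"]:
            return 400, {"error": "invalid_grant"}
        username = record["sub"]
    else:
        return 400, {"error": "unsupported_grant_type"}
    return 200, {"access_token": issue_access_token(username, now), "token_type": "Bearer",
                 "expires_in": ACCESS_TOKEN_LIFETIME, "refresh_token": issue_refresh_token(username, now)}

def get_orders(headers: dict, now: Optional[int] = None) -> Tuple[int, dict]:
    """GET /orders: the Bearer token is re-validated on every request; no session state."""
    now = int(time.time()) if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        return 401, {"error": "invalid_request"}
    claims = validate_access_token(token.strip(), now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    return 200, {"user": claims["sub"], "orders": ["order-1001", "order-1002"]}  # constructed data
```

Two design choices worth noting: the refresh token is popped from the store when it is used, so a replayed (stolen and reused) refresh token is rejected and a new one is issued each time; and the access token carries only a signed expiry, which is exactly why revoking the refresh tokens does not stop it, and why its lifetime must stay short.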
OAuth 2.0 Protocol
• OAuth 2.0 (RFC 6749) is a set of specifications and standards to build on top of.
• Different flows (grant types) to protect HTTP services.
• Four main roles:
• Resource Owner: the user who owns the protected data.
• Client: the application requesting access on the resource owner's behalf.
• Authorization Server: authenticates the resource owner and issues access tokens.
• Resource Server: hosts the protected API and accepts access tokens.
OAuth 2.0 Flows
1. Resource owner password credentials flow
• Should be used only with first-party clients you trust (your own mobile apps), because the client handles the user's password. Current guidance (OAuth 2.0 Security Best Current Practice) advises against it for new deployments.
2. Implicit flow
• Designed for 3rd-party mobile and browser-based apps; the client never sees the password.
• The access token is returned in the redirect URI fragment, so current guidance (RFC 8252, OAuth 2.0 Security Best Current Practice) recommends the authorization code flow with PKCE instead.
3. Authorization code flow
• Web server apps (confidential clients) that can keep a client secret: the user authenticates at the authorization server and the app exchanges a short-lived code for tokens.
4. Client credentials flow
• Machine to machine (no human interaction); the client authenticates as itself.
Demo
• Implementing the resource owner password credentials flow
Thank You!
HTTP Services & REST API Security