COMMON REST API SECURITY PITFALLS
Philippe De Ryck (@PhilippeDeRyck)
OWASP BeNeLux Days 2017
[Slide 2: the client loads the application and logs in with]
POST /api/login {"username": "philippe", "password": "Pass1234!"}
https://github.com/OWASP/Top10/blob/master/2017/drafts/OWASP%20Top%2010%20-%202017%20RC1-English.pdf
ABOUT ME – PHILIPPE DE RYCK
§ My goal is to help you build secure web applications
− Courses and training programs
− Talks at various developer conferences
− Slides, videos and blog posts on https://www.websec.be
§ Author of the Web Security Fundamentals course
− Free online course on the edX platform
− All info on https://mooc.websec.be
§ Course curator for the SecAppDev course
− Security course targeted towards developers, architects, …
− Week-long course taught by international experts in their domain
secappdev.org
HTTPS
OFFER YOUR API OVER HTTPS
§ There is no valid excuse to not use HTTPS anymore
− Let's Encrypt offers free certificates for all
− Performance is no longer an issue
§ APIs are accessed directly from within an application
− Makes setting up HTTPS easier, as you do not need to support a redirect from HTTP
− Simply disable HTTP for your API endpoints altogether
§ Network-based attacks can still attempt a fallback to HTTP
− Configure HTTP Strict Transport Security (HSTS) to prevent this from happening
− HSTS will tell the browser to use HTTPS for every request, regardless of the scheme
Strict-Transport-Security: max-age=31536000
SECURITY PITFALL
Allowing access to your API over HTTP
APIs are accessed from code, so there is no need to support a redirect from HTTP to HTTPS. Lock your API further down by enabling HSTS
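Added example, not from the slides: a minimal Node.js request gate for API endpoints that refuses plain HTTP with a hard failure instead of a redirect, and adds the HSTS header from the slide to HTTPS responses only. The request object shape ({ scheme, path }), the function names, the placeholder hostname and the redirecting variant shown for contrast are all assumptions.

```javascript
// Added example (not from the slides). Request shape assumed: { scheme, path }.
const HSTS_MAX_AGE_SECONDS = 31536000; // one year, the value on the slide

// The redirect pattern from classic websites: HTTP stays reachable, so a
// client that starts on http:// has already sent its first request (and any
// token it carried) in the clear before the redirect arrives.
function handleWithRedirect(req) {
  if (req.scheme !== 'https') {
    // 'api.example' is a placeholder hostname
    return { status: 301, headers: { Location: `https://api.example${req.path}` }, body: '' };
  }
  return { status: 200, headers: {}, body: `ok: ${req.path}` };
}

// Corrected: API clients are code, so plain HTTP gets a hard failure and
// never a redirect. HSTS is only attached to HTTPS responses, because
// browsers ignore the header when it arrives over plain HTTP.
function handleApiRequest(req) {
  if (req.scheme !== 'https') {
    return { status: 403, headers: {}, body: 'HTTPS required' };
  }
  return {
    status: 200,
    headers: { 'Strict-Transport-Security': `max-age=${HSTS_MAX_AGE_SECONDS}` },
    body: `ok: ${req.path}`,
  };
}
```

In a real deployment the plain-HTTP listener for the API host would simply not exist; the 403 branch is the behaviour to keep if a shared front end must answer on both schemes.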
https://motherboard.vice.com/en_us/article/wjx3e4/t-mobile-website-allowed-hackers-to-access-your-account-data-with-just-your-phone-number
https://www.codementor.io/olatundegaruba/nodejs-restful-apis-in-10-minutes-q0sgsfhbd
INSECURE DIRECT OBJECT REFERENCES
§ Predictable identifiers enable the enumeration of resources
− Dangerous if resources are not shielded by strict authorization checks
− Many APIs only check authentication status, but not which user is authenticated
§ The only proper mitigation is implementing proper authorization checks
− E.g. checking if the current user is the owner of the resource
§ The use of non-predictable identifiers is a complementary strategy
− UUIDs are a good example of such an identifier
− Just be careful about using them as primary keys in the database
SECURITY PITFALL
Using insecure direct object references
Always complement a basic authentication check with appropriate authorization checks (e.g. ownership of a resource)
[Slides 12-14: figure showing the values 1, 2, 3, 4]
THE TRUST LEVELS OF SESSION DATA
§ Server-side sessions share an ID with the client and store data on the server
− Attacks on session management focus on guessing or stealing the ID
− The data stored in the server-side session object can be considered trusted
§ Client-side sessions are a completely different paradigm
− The actual data is stored on the client, so it can be easily accessed
− The data comes in from the client, and is untrusted by default
§ Client-side sessions require additional data protection measures
− Mandatory integrity checks to detect tampering with the data
− Optional confidentiality mechanisms to prevent disclosure of information
SECURITY PITFALL
Mishandling client-side session data
Client-side session data can be read and manipulated, so you need to ensure confidentiality and integrity
https://jwt.io/
JWT TOKENS IN PRACTICE
§ JWT tokens only represent claims to be exchanged securely
− The data is base64-encoded, which offers no protection at all
− The JWT specs support integrity (signing) and confidentiality (encryption)
§ The default mode of operation is signing JWTs
− The signature is part of the token, and can only be generated by the issuer
− A valid signature indicates that the data of the JWT token has not been changed
§ Many libraries offer decode functions that do not check integrity
− Failing to fully understand the importance of integrity will cause misuse
− Decoding is also a lot easier than verifying the integrity
https://github.com/auth0/java-jwt
SECURITY PITFALL
Not verifying the integrity of your JWT tokens
Many JWT libraries offer functions to get the data from a token without verifying its integrity. Never use them in the backend
[Slide 21: two diagrams. Left, "Signing with a shared secret": payload data goes through sign and verify. Right, "Signing with a public/private key pair": payload data is signed with the private key and verified with the public key]
SIGNATURE SCHEMES FOR JWT TOKENS
§ Many developers only know about signing JWTs with a shared secret
− This is perfectly valid within one application or even within one trust boundary
− Breaks down when tokens need to be verified outside of your trust boundary
§ The shared secret can never leave your backend application
− Do not share it with your client application, or "friendly" APIs
− If you need verification in those cases, sign the JWT with a private key instead
§ The issuer should be the only one knowing the private key
− The public key can be distributed to anyone
− Tokens are signed with the private key, and verified with the public key
SECURITY PITFALL
Using the wrong signature scheme on JWT tokens
Shared secrets for verifying JWT tokens are for use within the boundaries of the application. Otherwise, use a public/private key pair
https://connect2id.com/blog/using-openid-connect-to-make-assertions-about-end-users
SECURITY PITFALL
Not propagating identity information
Calls are often delegated to internal systems or services. Ensure that these services possess all relevant identity information for making authorization decisions and creating an audit trail
Cookie: JWT=eyJhbGciOiJIUzI1Ni…
Authorization: Bearer eyJhbGciOiJIUzI1Ni…
THE PROPERTIES OF COOKIES
§ Cookies are a mess, but they are compatible with the web
− Browsers store and send cookies automatically
− Cookies are present on all requests, including those coming from DOM elements
− Cookies are compatible with web mechanisms such as CORS, SSE, WebSockets, …
§ Securing cookie-based mechanisms requires a lot of effort
− Cookie security flags need to be configured correctly
− Cookie prefixes offer additional security, but require modifying the name
− Cookies enable a nasty attack called Cross-Site Request Forgery (CSRF)
§ Cookies are a nightmare to support in non-web applications
THE PROPERTIES OF CUSTOM HEADERS
§ Custom headers are straightforward, but can be hard to use
− Not handled automatically, so the application needs to store and send the value
− The browser will not attach it to requests coming from DOM elements
− The use of mechanisms such as CORS, SSE, WebSockets, … becomes more difficult
§ Securing header-based mechanisms is also surprisingly difficult
− You have to decide where to store the data in the client application
− You're likely to mess up attaching the header to outgoing requests
− But the good news is that custom headers do not suffer from CSRF
§ Custom headers are a breeze to use in non-web applications
https://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs
SECURITY PITFALL
Minimizing the impact of the transport mechanism
Cookies are often frowned upon in an API world, and custom headers are preferred. Both have vastly different security properties, so make sure you understand them fully
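Added example, not from the slides, for the "cookie security flags" and "cookie prefixes" points: a builder for a session cookie's Set-Cookie value that enforces the __Host- and __Secure- prefix rules, and a small audit function that reports which protections an existing Set-Cookie value lacks. The defaults (Secure, HttpOnly, SameSite=Lax) and the cookie names are this example's choices, not the deck's.

```javascript
// Added example (not from the slides). Defaults and names are this example's choices.
function buildSessionCookie(name, value, opts = {}) {
  const { secure = true, httpOnly = true, sameSite = 'Lax', path = '/', domain, maxAge } = opts;
  // cookie-name is an RFC 6265 token; the value must not contain separators
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  if (name.startsWith('__Host-')) {
    // Browsers only accept a __Host- cookie that is Secure, has Path=/ and no
    // Domain, so it cannot be overwritten from a sibling subdomain.
    if (!secure || path !== '/' || domain !== undefined) {
      throw new Error('__Host- prefix requires Secure, Path=/ and no Domain attribute');
    }
  } else if (name.startsWith('__Secure-') && !secure) {
    throw new Error('__Secure- prefix requires the Secure attribute');
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (domain !== undefined) parts.push(`Domain=${domain}`);
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');     // never sent over plain HTTP
  if (httpOnly) parts.push('HttpOnly'); // not readable from script
  if (sameSite) parts.push(`SameSite=${sameSite}`); // limits cross-site sending
  return parts.join('; ');
}

// Defender's check: list the protections a Set-Cookie value is missing.
function auditSetCookie(headerValue) {
  const [, ...attrs] = headerValue.split(';').map((part) => part.trim());
  const lower = attrs.map((attr) => attr.toLowerCase());
  const findings = [];
  if (!lower.includes('secure')) findings.push('missing Secure');
  if (!lower.includes('httponly')) findings.push('missing HttpOnly');
  if (!lower.some((attr) => attr.startsWith('samesite='))) findings.push('missing SameSite');
  if (!headerValue.startsWith('__Host-')) findings.push('no __Host- prefix');
  return findings;
}

// Weak configuration next to the corrected one.
const weakCookie = buildSessionCookie('SID', '123', { secure: false, httpOnly: false, sameSite: null });
const hardenedCookie = buildSessionCookie('__Host-SID', '123');
```

The prefix is what "requires modifying the name" on the slide: every place that reads the cookie has to look for __Host-SID instead of SID, which is the price of the extra guarantee.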
THE UNDERESTIMATED THREAT OF CSRF
[Slide 34: sequence diagram involving websec.be and anysite.io. Exchanged messages, in order: "login as Philippe", "Welcome page", "Show messages", "Latest messages", "Show obligatory cat pics", "Kittens from hell"]
https://arstechnica.com/information-technology/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/
CROSS-SITE REQUEST FORGERY
§ CSRF exists because the browser handles cookies very liberally
− They are automatically attached to any outgoing request
− By default, there's no mechanism to indicate the source or intent of a request
§ Many APIs are unaware that any context can send requests
− GET and POST requests are easy to trigger using DOM elements or XHR
− PUT and DELETE requests are a different story
− Defending against CSRF requires explicit action by the developer
§ A traditional CSRF defense is using hidden form tokens
DEFENDING YOUR API AGAINST CSRF
[Slide 37: sequence diagram involving websec.be and anysite.io. Exchanged messages, in order: "login as Philippe", "Welcome, Philippe", "Post message", "Sure thing, Philippe", "Show obligatory cat pics", "Kittens from hell". The slide annotates the POST request as:]
POST …
Cookie: SID=123, XSRF-TOKEN=abc
X-XSRF-TOKEN: abc
Cookie value is copied to a header by JavaScript code
THE RELATION BETWEEN CSRF AND CORS
§ Cross-origin HTTP requests have always existed in the web
− Examples are loading images from other origins, or submitting forms across origins
§ CSRF matters in an API supporting "traditional" HTTP requests
− GET/POST requests with traditional content types and no custom headers
− These requests can easily be forged using traditional HTML elements
§ APIs using "non-traditional" HTTP requests fall under the protection of CORS
− Such a request can only be sent from JavaScript using XMLHttpRequest
− Such a request triggers the Cross-Origin Resource Sharing (CORS) security policy
− Such a request will only be allowed if the server explicitly approves it
Content-Type: application/json
X-Show-Me: The Money
SECURITY PITFALL
Underestimating the prevalence of CSRF
CSRF attacks exist when cookies are used for keeping session state. Verify if you're vulnerable and implement appropriate defenses. If you do not use cookies, you do not need to worry about CSRF
/users/1'%20OR%20'1'='1
// Parameterized query: the user-supplied value is bound to the placeholder, never concatenated into the SQL
PreparedStatement statement = conn.prepareStatement("SELECT * FROM Beers WHERE name LIKE ?");
statement.setString(1, parameter); // JDBC parameter indices start at 1, not 0
INPUT VALIDATION IS AN IMPORTANT FIRST LINE OF DEFENSE
§ Limiting the number of valid inputs reduces the attack surface
− Untrusted data should be validated before using it
− The restrictions that can be imposed depend on the type of content
§ Best practices for input validation
− Only accept content types that you expect, and reject everything else
− Validate every input against its expected data type
− Impose sensible length restrictions, and always set a strict upper bound
− Always use a secure parser to process input
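Added example, not from the slides: a validator for a hypothetical "create message" request body that applies the four best practices in order (expected content type only, strict byte-length bound before parsing, a real JSON parser, per-field type and length checks with unknown fields rejected). The field names, limits and error strings are constructed for illustration.

```javascript
// Added example (not from the slides). Fields, limits and messages are constructed.
const MAX_BODY_BYTES = 4096;   // strict upper bound on the whole body
const MAX_TEXT_LENGTH = 500;
const MAX_TAGS = 10;
const ALLOWED_FIELDS = new Set(['text', 'tags', 'visibility']);

function validateCreateMessage(contentType, rawBody) {
  // 1. Only accept the content type you expect; parameters such as charset are allowed.
  const mime = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (mime !== 'application/json') return { ok: false, errors: ['unsupported content type'] };

  // 2. Length bound before parsing, in bytes rather than characters.
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) return { ok: false, errors: ['body too large'] };

  // 3. A real parser, never string matching; and the top level must be an object.
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { ok: false, errors: ['malformed JSON'] };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['expected a JSON object'] };
  }

  // 4. Every field against its expected type and length; anything unexpected is rejected.
  //    JSON.parse stores a "__proto__" key as a plain own property, so it shows up
  //    here as an unknown field instead of silently altering the object.
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unknown field: ${key}`);
  }
  if (typeof body.text !== 'string') {
    errors.push('text must be a string');
  } else if (body.text.length === 0 || body.text.length > MAX_TEXT_LENGTH) {
    errors.push('text length out of range');
  }
  if (body.tags !== undefined) {
    if (!Array.isArray(body.tags) || body.tags.length > MAX_TAGS) {
      errors.push(`tags must be an array of at most ${MAX_TAGS} entries`);
    } else if (!body.tags.every((tag) => typeof tag === 'string' && /^[a-z0-9-]{1,32}$/.test(tag))) {
      errors.push('invalid tag');
    }
  }
  if (body.visibility !== undefined && !['public', 'private'].includes(body.visibility)) {
    errors.push('invalid visibility');
  }
  if (errors.length > 0) return { ok: false, errors };

  // Return a fresh object with only the validated fields, never the raw input.
  return {
    ok: true,
    value: { text: body.text, tags: body.tags ?? [], visibility: body.visibility ?? 'private' },
  };
}
```

Note that even a valid text field still has to be bound as a query parameter (as in the prepared statement above) and escaped by whoever renders it; the validator narrows the input, it does not make the downstream code safe on its own.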
BUT INPUT VALIDATION ONLY GETS YOU SO FAR
§ Input validation targets symptoms, not the root cause of the issue
− Injection needs to be addressed in the code, not at the input level
§ Once the data is complex enough, validation bypasses will exist
− Validation or sanitization is hard to get right, so do not solely rely on them
− A good example are the huge XSS filter evasion cheat sheets
§ And sometimes, it's just not the API's responsibility
− Cross-site scripting in web applications is the perfect example
− The API has no idea where the data will be used, so it cannot render it safe
− The client-side application needs to handle this, as e.g. Angular does out of the box
SECURITY PITFALL
Over or underestimating input validation
Even though input validation is a good first line of defense, it will fail as the only defense. Do not rely on input validation alone
QUESTION EVERYTHING
How is this different from what we used to do?
Do we really understand what we're doing?
Have we validated the integrity and format of that data?
…
NOW IT’S UP TO YOU …
Secure Share @PhilippeDeRyck