Web API Security
- 2. Who am I
2
Stefaan Seys
Security Expert at ZIONSECURITY
Postdoc researcher at KU Leuven / COSIC
COSIC
- 3. Outline
3
(no exponential graphs on nr of attacks, etc.)
High level security architecture and objectives
API security threats and prevention
Authentication and SSL/TLS
History revisited
Messages to take home
- 5. End-to-End
Security Components
5
API ServiceConsumer
Threat Protection
Authentication /
Authorization
Logging /
Auditing
Security
Analytics
Confidentiality
Development
Access
Identity Service
Authentication /
Authorization
Confidentiality
Identity Service
API Consumption Security API Exposure Security
Threat Protection
- 6. Who is the Consumer?
6
API Service
Browser or Browser plug-in
Mobile App
Back-end Service
Not possible to hide
long-term secrets.
Very tempting to hide
long-term secrets.
OK to use long-term
secrets.
- 8. Discovery
8
Public APIs are designed to be used by ‘external’
parties
Documentation
API descriptors in standard formats
URI-style: Swagger, RAML, API-Blueprint, I/O Docs, etc.
SOAP: WSDL/XML-Schema
Hypermedia: JSON-LD, Siren, Hydra, etc.
This obviously helps in the discovery phase
- 9. Swagger example
9
"paths": {
"/pet/{petId}": {
"delete": {
"tags": ["pet"],
"summary": "Deletes a pet",
"description": "",
"operationId": "deletePet",
"produces": ["application/json", "application/xml"],
"security": [{
"petstore_auth": ["write:pets", "read:pets"]
}]
"parameters": [{
"name": "petId",
"in": "path",
"description": "Pet id to delete",
"required": true,
"type": "integer",
"format": "int64"
}],
. . .
Attack point
HTTP method, how does it handle
unspecified methods?
OAUTH 2: which implementation?,
known vulnerabilities? How does it
validate tokens?
Scopes?
Is access validated? Link between user
and petId? Are IDs random? Injection?
XSS?
What if we do not set the ��petId”? What
if we do not give an int? Or > int64 max
size?
- 10. “Classic Discovery” in case the API is secret
10
What about just keeping your API secret?
Local Proxy or network sniffer
Guess / brute-force APIs
http://api.*.com/api/v?/*.json
- 11. Public API with a secret API key…
11
March 2014
Issue was already reported to them in 2010...
- 12. Story
12
Install the official Android App
Extract the APK file and install on an emulator
Use TCPDUMP to listen to traffic from App
Start App, enter garbage at login page
GET
/handler.php?CritickerKey=xxxxx&Function=UserSignin&UserName=asdf
asdf&Password=6d2dedb5b9e02d466a8d98b4c4398b1d
The Criticker API has a call to get the list of users!
GET handler.php?CritickerKey=xxxxx&Function=AccountUsers
And a call to request the current password! In
plaintext!!
GET
handler.php?CritickerKey=xxxxx&Function=LookupPassword&UserId=xxx
xx
- 13. What did they do wrong?
13
They created an API with “useless”, dangerous and
documented features
Call to get list of all users?
Call to get password of a any user?
Passwords are stored in plain text on the server
They use plain HTTP (no SSL)
The “key” is sent over the network with every call
- 14. Secret API with docs in error message
14
Basic authentication (over SSL, no cert pinning)
With static fixed username/password for all users
(embedded in App)
Only ‘authentication’ is the userID
This userID is sequential (not random)
Returns a help file if you send a wrong API request
- 16. Fuzzing and invalid input
16
http://api.openweathermap.org/data/2.5/weather?id=2172797
Attack vector:
Replace the id parameter with “randomly” generated
value
Purpose:
Get information through error message
Prevention
Ensure generic, consistent and correct error
messages that do not reveal any additional
information
- 17. Malicious Input
17
Attack vector
Craft malicious input that targets specific message parser,
implementation weakness, etc.
Vulnerable parser will recursively replace &lol9;
Resulting in a billion ‘lol’s; taking up 3GByte of RAM
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
- 18. Malicious Input
18
Purpose
Attempt to put server in insecure state (if lucky)
Crash server
Prevention
Only use proven parsers
Patch your system
Input validation and sanitation
- 20. (SQL) Injection
20
Purpose
If used for authentication: get access without credentials
Dump database
Clear database
Prevention
Never use String operations to create ‘semi-structured”
data objects such as SQL queries, JSON, XML, Xpath,
etc.
Use a parameterized API to construct the object instead
If not available: carefully ensure escaping all special
characters depending on the syntax of the interpreter
- 21. Cross Site Scripting (XSS)
21
Persistent XSS
API Server
1. Inject malicious
script
Prevention
Use context-aware
auto-escaping
When?
- 22. Cross Site Request Forgery (CSRF)
22
MyFace.com
Authenticated Session
Victim lured to visit attacker’s site
<a href=“https://www.myface.com/
update.php?relationship=Single%2
0and%20Desperate>Free beer</a>
POST
- 23. Cross Site Request Forgery (CSRF)
23
Purpose
Force end-user to execute a state-changing request (as
attacker never sees response).
Change user’s email address, reset password, transfer
funds, …
Prevention
Include a per request random authentication code that is
verified on the server (once!)
- 24. CSRF does not apply to APIs…
24
Normally SOAP and REST API authentication is not
done through a session (cookie)
Instead, every API call contains authentication
information
In a URL parameter
In the HTTP header (Oauth)
Part of the XML body (SOAP)
If you stick to these principles and use proper
authentication/authorization model, CSRF does not
apply.
- 26. Authentication
26
Basic/Digest authentication
Uses HTTP headers to identify users
WS-Security SAML and Username Tokens
SOAP/XML based authentication, passes credentials and assertions in
SOAP message headers, optionally signed and encrypted
API Key based authentication
each request to an API contains a key uniquely identifying the client
OAuth 1.x/2
HTTP-based interactions and flows that authorize usage of HTTP
resources (API, Web, etc). OAuth indirectly includes a step for
authentication but makes no claims on how that authentication should be
done.
JSON web tokens
- 27. Username / password ?
27
Apple Celebrity photo hack
Hidden API to find your phone
https://fmipmobile.icloud.com/fmipservice/device/
<apple_id>/initClient
Basic Authentication through SSL tunnel
<apple_id> : <password>
So far so good…
Server does not limit the number of attempts…
Same password for all you i-things on Apple (iCloud)
- 28. SSL’s Role
28
SSL – The Good
Secures the actual client authentication; as majority of
web authentication is based on passwords/tokens
Compatible with vast amount of clients and servers
‘Easy’ to set up (hard to do right)
Removes crypto burden from application developers
- 29. SSL’s Role
29
SSL – The Bad
Compatibility -> Complexity -> Vulnerabilities
For APIs it is also mostly the only crypto layer
If broken -> huge impact
“But we are using SSL…”: it does not magically make
your site secure…
If used with server side certs only, client side authentication is
not in scope
Transport layer security -> does not prevent many application
layer problems (injection, XSS, etc.)
- 31. OWASP Top 10 – A History
31
2004 2007 2010 2013
A1 Unvalidated Input A1 Cross Site Scripting (XSS) A1 Injection A1 Injection
A2 Broken Access Control A2 Injection Flaws A2 Cross Site Scripting (XSS) A2
Broken Authentication and
Session Management
A3
Broken Authentication and
Session Management
A3 Malicious File Execution A3
Broken Authentication and
Session Management
A3 Cross-Site Scripting (XSS)
A4 Cross Site Scripting A4
Insecure Direct Object
Reference
A4
Insecure Direct Object
References
A4
Insecure Direct Object
References
A5 Buffer Overflow A5
Cross Site Request Forgery
(CSRF)
A5
Cross Site Request Forgery
(CSRF)
A5 Security Misconfiguration
A6 Injection Flaws A6
Information Leakage and
Improper Error Handling
A6 Security Misconfiguration A6 Sensitive Data Exposure
A7 Improper Error Handling A7
Broken Authentication and
Session Management
A7
Insecure Cryptographic
Storage
A7
Missing Function Level
Access Control
A8 Insecure Storage A8
Insecure Cryptographic
Storage
A8
Failure to Restrict URL
Access
A8
Cross-Site Request
Forgery (CSRF)
A9 Application Denial of Service A9 Insecure Communications A9
Insufficient Transport Layer
Protection
A9
Using Components with
Known Vulnerabilities
A10
Insecure Configuration
Management
A10
Failure to Restrict URL
Access
A10
Unvalidated Redirects and
Forwards
A10
Unvalidated Redirects and
Forwards
[Jim DelGrosso]
- 33. Messages to take home
33
Security is very difficult to get right
Do not reinvent or worse, “improve” the wheel yourself
Web API’s suffer more or less from the same general
‘issues’ as web applications
However, API ‘structure’ allows for dedicated security
enforcement point
Messaging (Request/Response)
Authentication
Authorization
Tailor (authentication mechanism) to your consumer
Take your SSL setup seriously
- 37. What’s Up with SSL?
37
BEAST (2011, CBC padding crypto attack, <TLS1.1)
RC4 (2013, 223 encryptions required, RC4)
BREACH (2013, clever crypto attack, universal)
Heartbleed (2014, openssl buffer overread, 1.0.1 to
1.0.1f)
POODLE (2014, ~BEAST, SSL3.0, TLS?)
FREAK (2015, RSA_EXPORT factoring, various)
Who says you can trust
root certificates in your browser?
177 root certs in Firefox
- 38. Cross Site Scripting (XSS)
38
Reflective XSS
API Server
Prevention
Use context-aware
auto-escaping
When?