Security in REST APIs
Heitor Vital
● Areas of work
o Cloud Computing
o Information Security
o Games
o Mobile Devices
o …
● Academic
o MBA, FGV
o Master's degree, UFPE
o Bachelor's degree, UFPE
twitter.com/heitorvital
slideshare.net/HeitorVital
labs.siteblindado.com
[email protected]
Kadu
2014 Global Report on the Cost of Cyber Crime
Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy
257 companies
2,081 interviews
1,717 incidents
$7.6M average loss
10.4% growth in incidents
More info: 2014 Global Report on the Cost of Cyber Crime
Source: http://cloudtweaks.com/2013/10/cloud-infographic-2013-cyber-security-intelligence-index/
Attack Vector by Organizational Size
TOPs
1. Web-based attacks
2. Denial of services
3. Malicious insiders
Site vs Platform
Let’s [try to] attack ...
Search
Surface Detection
● Metadata/Doc
o Swagger
o RAML
o API-Blueprint
o I/O Docs
● Discovery
● Brute Force
o Invalid data
(type, size, length, null, HTTP header, XML bomb, upload file...)
Example: http://petstore.swagger.io/#!/pet/updatePet
Protocol - HTTP
Protocol - HTTPS
https://example.com/controller/<id>/action?apiKey=a53f435643de32
Does that solve it??
Authentication/Authorization
API Keys
Abstract OAuth 2.0 flow
Assessments
Injection
Normal
http://petstore.com/api/v1/pet/123
"SELECT * FROM pets WHERE petID='" + petId + "'";
SELECT * FROM pets WHERE petID = '123'
Injection
http://petstore.com/api/v1/pet/'%20or%20'1'='1
"SELECT * FROM pets WHERE petID='" + petId + "'";
SELECT * FROM pets WHERE petID = '' or '1' = '1'
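The two slide lines above show the same concatenated query with a normal id and with a quoted id. The following added example (not from the deck) reproduces that behaviour against a constructed in-memory SQLite table and puts the parameterised form beside it, so the difference is observable: the concatenated query returns every row for the quoted path segment, the parameterised one returns none. The table contents and the function names are assumptions made for the example.

```python
import sqlite3
from typing import List, Tuple
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the petstore database: three pets, nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pets (petID TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO pets VALUES (?, ?)",
        [("123", "Rex"), ("124", "Tom"), ("125", "Nemo")],
    )
    return conn


def pet_id_from_path(path: str) -> str:
    """The last path segment of /api/v1/pet/<id>, URL-decoded as a server would."""
    return unquote(path.rstrip("/").rsplit("/", 1)[-1])


def find_pet_vulnerable(conn: sqlite3.Connection, pet_id: str) -> List[Tuple[str, str]]:
    """Mirrors the slide: the id is glued into the SQL text, so quotes become syntax."""
    query = "SELECT * FROM pets WHERE petID='" + pet_id + "'"
    return conn.execute(query).fetchall()


def find_pet_safe(conn: sqlite3.Connection, pet_id: str) -> List[Tuple[str, str]]:
    """Parameterised query: the driver passes the id as a value, never as SQL."""
    return conn.execute("SELECT * FROM pets WHERE petID = ?", (pet_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    normal = pet_id_from_path("http://petstore.com/api/v1/pet/123")
    injected = pet_id_from_path("http://petstore.com/api/v1/pet/'%20or%20'1'='1")
    print("vulnerable, normal id :", find_pet_vulnerable(db, normal))
    print("vulnerable, quoted id :", find_pet_vulnerable(db, injected))
    print("parameterised, quoted :", find_pet_safe(db, injected))
```

Run as a script it prints one row, then all three rows, then an empty list; the parameterised query is the fix the slide implies, not an alternative design.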
XSS
(cross site scripting)
Solution
Response headers with
● Content-type: application/json
● x-content-type-options: nosniff
References:
http://www.w2spconf.com/2013/papers/s3p1.pdf
http://stackoverflow.com/questions/3146324/is-it-possible-to-xss-exploit-json-responses-with-proper-javascript-string-escap
http://security.stackexchange.com/questions/42093/xss-prevention-for-restful-services
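As an added example (not code from the deck), the function below builds a JSON response carrying the two headers the slide recommends, and a second function audits an arbitrary header set for their absence so the check can run over existing endpoints. The `\u003c`-style encoding of `<`, `>` and `&` in the body is an extra measure beyond the slide, assumed here as common practice; the function names are assumptions.

```python
import json
from typing import Any, Dict, List, Tuple


def json_response(payload: Any, status: int = 200) -> Tuple[int, Dict[str, str], bytes]:
    """Build a response with the JSON media type and nosniff, as the slide recommends."""
    text = json.dumps(payload)
    # Extra hardening beyond the headers: encode characters that could close a
    # script block or open a tag if the body were ever rendered as HTML. The
    # result is still valid JSON and decodes to the original strings.
    text = text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    body = text.encode("utf-8")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(body)),
    }
    return status, headers, body


def decode_body(body: bytes) -> Any:
    """Parse a response body produced by json_response."""
    return json.loads(body.decode("utf-8"))


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    """Flag responses a browser could sniff and render as HTML (header names case-insensitive)."""
    findings: List[str] = []
    lowered = {name.lower(): value for name, value in headers.items()}
    content_type = lowered.get("content-type", "")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        findings.append(f"Content-Type is {content_type!r}, expected application/json")
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    return findings


if __name__ == "__main__":
    status, headers, body = json_response({"name": "<b>Rex</b>"})
    print(status, headers, body)
    print("findings for a text/html response:", audit_response_headers({"Content-Type": "text/html"}))
```

`audit_response_headers` is the piece to reuse: run it over the headers of each JSON endpoint and any finding is an endpoint on which a reflected value could be interpreted as markup.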
CSRF
(cross site request forgery)
Solution
OAuth state
References: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html and http://hasselba.ch/blog/?p=1854
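The slide names the OAuth 2.0 `state` parameter as the CSRF solution without showing its use. The added example below (not from the deck) implements the client side: a random `state` is generated when the authorization redirect is built, bound to the user's session, and compared in constant time when the callback arrives; a callback with a forged, missing or replayed `state` is rejected. The authorization endpoint, client id and redirect URI are placeholders, and the session is a plain dict standing in for a real server-side session.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint; a real client uses the provider's documented URL.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"


def start_authorization(session: Dict[str, str], client_id: str, redirect_uri: str) -> str:
    """Return the authorization URL and bind a fresh, unguessable state to the session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: Dict[str, str], callback_url: str) -> Optional[str]:
    """Return the authorization code only if the state matches the session's copy.

    The stored state is popped, so it is single-use: a second callback with the
    same state (a replay) is rejected like any forged one.
    """
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected, received):  # constant-time comparison
        return None
    return query.get("code", [None])[0]


if __name__ == "__main__":
    session: Dict[str, str] = {}
    url = start_authorization(session, "client-1", "https://app.example.com/cb")
    print("redirect user to:", url)
    # The provider redirects back with the same state; a CSRF attempt cannot know it.
    genuine = f"https://app.example.com/cb?code=abc123&state={session['oauth_state']}"
    print("genuine callback ->", handle_callback(session, genuine))
    print("replayed callback ->", handle_callback(session, genuine))
```

The state has to be tied to the user's session, not merely checked for presence: a value the attacker can choose or predict gives no protection.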
DoS/DDoS
WAF
● Package Analysis
● IP Blacklist
● Region Blacklist
API Gateway
● Call quotas
o Calendar Period
o Rolling Window
● Invalid Inputs
o XML Schema
o Blacklist Keywords
o Blacklist patterns
o Malformed messages
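The two call-quota styles on the slide, calendar period and rolling window, behave differently at a period boundary. The added example below (not from the deck) implements both as per-key limiters with an injectable clock so the difference is reproducible: the calendar-period quota lets a client spend a full quota just before the boundary and another full quota just after it, while the rolling window still counts the earlier calls. Limits, period lengths, the key name and the clock are assumptions for the example.

```python
from collections import deque
from typing import Callable, Deque, Dict, Tuple


class FakeClock:
    """Constructed clock so the quota behaviour can be shown deterministically."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class CalendarPeriodQuota:
    """Calendar-period quota: `limit` calls per fixed period (e.g. per clock hour).

    The counter resets at every period boundary, which is what makes the
    double burst around a boundary possible.
    """

    def __init__(self, limit: int, period_seconds: int, clock: Callable[[], float]) -> None:
        self.limit = limit
        self.period = period_seconds
        self.clock = clock
        self.counts: Dict[str, Tuple[int, int]] = {}  # key -> (period index, calls used)

    def allow(self, key: str) -> bool:
        period_index = int(self.clock() // self.period)
        idx, used = self.counts.get(key, (period_index, 0))
        if idx != period_index:  # crossed a boundary: start a fresh count
            idx, used = period_index, 0
        if used >= self.limit:
            self.counts[key] = (idx, used)
            return False
        self.counts[key] = (idx, used + 1)
        return True


class RollingWindowQuota:
    """Rolling-window quota: at most `limit` accepted calls within any trailing window."""

    def __init__(self, limit: int, window_seconds: int, clock: Callable[[], float]) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self.calls: Dict[str, Deque[float]] = {}  # key -> timestamps of accepted calls

    def allow(self, key: str) -> bool:
        now = self.clock()
        history = self.calls.setdefault(key, deque())
        while history and now - history[0] >= self.window:  # drop calls outside the window
            history.popleft()
        if len(history) >= self.limit:
            return False
        history.append(now)
        return True


def burst_across_boundary(quota, clock: FakeClock, key: str = "api-key-1") -> int:
    """Count accepted calls when a client bursts just before and just after a boundary."""
    accepted = 0
    for _ in range(5):  # five attempts one second before the boundary
        accepted += quota.allow(key)
    clock.advance(2)  # step over the boundary
    for _ in range(5):  # five more attempts one second after it
        accepted += quota.allow(key)
    return accepted


if __name__ == "__main__":
    clock = FakeClock(3599.0)  # one second before the hour boundary
    print("calendar period, limit 3/h:", burst_across_boundary(CalendarPeriodQuota(3, 3600, clock), clock))
    clock = FakeClock(3599.0)
    print("rolling window, limit 3/h :", burst_across_boundary(RollingWindowQuota(3, 3600, clock), clock))
```

With a limit of 3 per hour the calendar quota admits 6 calls in three seconds, the rolling window 3; the rolling window costs one timestamp per accepted call per key, which is the trade-off a gateway makes for the tighter bound.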
Platform
Separation of Concerns
● Authentication / Authorization
● Logging
● Analytics
● Audit
● Rate Limit
● Payload
● Address Restrictions
● Invalid Inputs
o XML Schema
o Blacklist Keywords
o Blacklist patterns
o Malformed messages
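The "Invalid Inputs" item appears under both API Gateway and Platform with the same four checks (schema, blacklist keywords, blacklist patterns, malformed messages), and the Surface Detection slide lists the XML bomb among the invalid data an attacker sends. The added example below (not from the deck) is a single request validator that applies those checks before a payload reaches application code. The size limit, the blacklists and the pet schema are constructed for the example; the schema check is a minimal required-field and type check standing in for an XSD or JSON Schema, which the Python standard library cannot evaluate.

```python
import json
import re
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

MAX_BODY_BYTES = 64 * 1024  # assumed gateway payload limit

# Constructed sample blacklists; a real gateway loads these from policy.
BLACKLIST_KEYWORDS = ("<script", "union select")
BLACKLIST_PATTERNS = (
    re.compile(r"\bor\s+'1'\s*=\s*'1", re.IGNORECASE),  # tautology fragment from the injection slide
    re.compile(r"\.\./"),                                # path traversal sequence
)

# Minimal schema for the pet resource: required field -> expected type.
PET_SCHEMA: Dict[str, type] = {"id": int, "name": str}


def check_schema(document: Any, schema: Dict[str, type]) -> List[str]:
    """Require every schema field with the right type (bool is not accepted as int)."""
    if not isinstance(document, dict):
        return ["document root must be an object"]
    findings: List[str] = []
    for field, expected in schema.items():
        if field not in document:
            findings.append(f"missing required field {field!r}")
        elif not isinstance(document[field], expected) or isinstance(document[field], bool):
            findings.append(f"field {field!r} must be {expected.__name__}")
    return findings


def validate_request(content_type: str, body: bytes) -> List[str]:
    """Return a list of findings; an empty list means the request may pass to the backend."""
    if len(body) > MAX_BODY_BYTES:
        return [f"payload of {len(body)} bytes exceeds limit of {MAX_BODY_BYTES}"]
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return ["malformed message: body is not valid UTF-8"]

    findings: List[str] = []
    media = content_type.split(";")[0].strip().lower()
    if media == "application/json":
        try:
            findings.extend(check_schema(json.loads(text), PET_SCHEMA))
        except ValueError as exc:
            findings.append(f"malformed message: invalid JSON ({exc})")
    elif media in ("application/xml", "text/xml"):
        upper = text.upper()
        if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
            # Entity expansion (the XML bomb) needs a DTD; refuse any DTD outright
            # rather than trying to bound the expansion.
            findings.append("rejected XML with DTD or entity declaration")
        else:
            try:
                ET.fromstring(text)
            except ET.ParseError as exc:
                findings.append(f"malformed message: invalid XML ({exc})")
    else:
        findings.append(f"unsupported content type {media!r}")

    lowered = text.lower()
    for keyword in BLACKLIST_KEYWORDS:
        if keyword in lowered:
            findings.append(f"blacklisted keyword {keyword!r}")
    for pattern in BLACKLIST_PATTERNS:
        if pattern.search(text):
            findings.append(f"blacklisted pattern {pattern.pattern!r}")
    return findings


if __name__ == "__main__":
    samples = [  # constructed requests
        ("application/json", b'{"id": 7, "name": "Rex"}'),
        ("application/json", b'{"id": 7, '),
        ("application/json", b'{"id": 7, "name": "\' or \'1\'=\'1"}'),
        ("application/xml", b'<?xml version="1.0"?><!DOCTYPE pet [<!ENTITY a "a">]><pet>&a;</pet>'),
    ]
    for content_type, body in samples:
        print(content_type, body[:40], "->", validate_request(content_type, body) or "ok")
```

Checks run in order of cost: size first, then decoding, then structural parsing, then the blacklists over the decoded text. Blacklists are the weakest of the four and are kept last because a schema that names the allowed fields rejects most malformed input before any pattern is consulted.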
Heitor Vital
twitter.com/heitorvital
slideshare.net/HeitorVital
THANK YOU !!!
labs.siteblindado.com
[email protected]
Kadu