overcoming access control in web apis
play

Overcoming access control in web APIs How to address security - PowerPoint PPT Presentation

Jun 08, 2023 •209 likes •719 views

Overcoming access control in web APIs How to address security concerns using Sanic Adam Hopkins 1 / 39 class Adam: def __init__(self): self.work = PacketFabric("Sr. Software Engineer") self.oss = Sanic("Core Maintainer")

  1. Overcoming access control in web APIs How to address security concerns using Sanic Adam Hopkins 1 / 39

  2. class Adam: def __init__(self): self.work = PacketFabric("Sr. Software Engineer") self.oss = Sanic("Core Maintainer") self.home = Israel("Negev") async def run(self, inputs: Union[Pretzels, Coffee]) -> None: while True: await self.work.do(inputs) await self.oss.do(inputs) def sleep(self): raise NotImplemented PacketFabric - Network-as-a-Service platform; private access to the cloud; secure connectivity between data centers Sanic Framework - Python 3.6+ asyncio enabled framework and server. Build fast. Run fast. GitHub - /ahopkins T witter - @admhpkns 1 / 39

  3. What we will NOT cover? TLS Password and other sensitive information storage Server security SQL injection Data validation 2 / 39

  4. 1. Authentication - Do I know who this person is? 2. Authorization - Should I let them in? no 401 Unauthorized 1. Logged in? no 403 Forbidden yes 2. Allow access? yes 200 OK 3 / 39

  5. @app.get("/protected") async def top_secret(request): return json({"foo":"bar"}) 4 / 39

  6. @app.get("/protected") async def top_secret(request): return json({"foo":"bar"}) curl localhost:8000/protected -i HTTP/1.1 200 OK Content-Length: 13 Content-Type: application/json Connection: keep-alive Keep-Alive: 5 {"foo":"bar"} 4 / 39

  7. async def do_protection(request): ... def protected(wrapped): def decorator(handler): async def decorated_function(request, *args, **kwargs): await do_protection(request) return await handler(request, *args, **kwargs) return decorated_function return decorator(wrapped) @app.get("/protected") @protected async def top_secret(request): return json({"foo": "bar"}) 5 / 39

  8. async def do_protection(request): ... @app.middleware('request') async def global_authentication(request): await do_protection(request) 6 / 39

  9. Remember! Status Code Status T ext Authentication 401 Unauthorized 🤕 Authorization 403 Forbidden ⛔ 7 / 39

  10. Remember! Status Code Status T ext Authentication 401 Unauthorized 🤕 Authorization 403 Forbidden ⛔ from sanic.exceptions import Forbidden, Unauthorized async def do_protection(request): if not await is_authenticated(request): raise Unauthorized("Who are you?") if not await is_authorized(request): raise Forbidden("You are not allowed") 7 / 39

  11. curl localhost:8000/protected -i HTTP/1.1 401 Unauthorized Content-Length: 49 Content-Type: application/json Connection: keep-alive Keep-Alive: 5 {"error":"Unauthorized","message":"Who are you?"} 8 / 39

  12. async def is_authenticated(request): """How are we going to authenticate requests?""" 9 / 39

  13. Common authentication strategies Basic Digest Bearer OAuth Session 10 / 39

  14. Common authentication strategies Basic Digest Bearer OAuth Session 11 / 39

  15. Forget what you know! 12 / 39

  16. T rain pass 🚅 Session based Non-session based Bearer Single Ride 🎠 All day pass 🎬 Point A to Point B Off and on at any stop 🚐 13 / 39

  17. Session based 🎠 aka Single Ride 🚅 Client Server Datastore /login using credentials /login using credentials persist session details persist session details session_id session_id /protected using session_id /protected using session_id confirm session_id confirm session_id OK OK protected resource protected resource Client Server Datastore 14 / 39

  18. Bearer Non-session based 🎬 All day pass 🚅 Client Server /login using credentials /login using credentials generate token generate token token token /protected using token /protected using token confirm authenticity, etc confirm authenticity, etc protected resource protected resource Client Server 15 / 39

  19. Hold that thought ... 16 / 39

  20. Let's decide on an auth strategy ... 1. Who will consume the API? Applications? Scripts? People? 2. Do you have control over the client? 3. Will this power a web browser frontend application? 17 / 39

  21. What we really want to know is... Direct API v. Browser Based API (or both) 18 / 39

  22. Direct API Browser Based API Fewer security concerns More security concerns (CSRF, XSS) Scripts, mobile apps, non- Web applications browser clients More techinically sophisticated Lesser techinically sophisticated users users API key or JWT Session ID or JWT $ curl https://foo.bar/protected fetch('https://foo.bar/protected').then(r => { console.log(response) }) Solved ✅ Unsolved � 19 / 39

  23. Browser Based API Concerns 1. How should the browser store the token? (XSS) Cookie, localStorage, sessionStorage, in memory 2. How should the browser send the token? (CSRF) Cookie, Authentication header 20 / 39

  24. T ypical recommendations Session based 🎠 Non-session based 🎬 Stored: Set-Cookie: token=<TOKEN> Stored: JS accessible Sent: Cookie: token=<TOKEN> Sent: Authorization: Bearer <TOKEN> Subject to CSRF Subject to XSS Fixed with: X-XSRF-TOKEN: <CSRFTOKEN> Unsolved � Solved ✅ 21 / 39

  25. How do we authenticate? Session based 🎠 v. Non-session based 🎬 Direct API v. Browser Based API (or both) API key v. Session ID v. JWT 22 / 39

  26. How do we authenticate? Session based 🎠 v. Non-session based 🎬 Direct API v. Browser Based API (or both) API key v. Session ID v. JWT Solutions: ✅ Direct API using API key in Authorization header ✅ Browser Based API using session ID in cookies 22 / 39

  27. How do we authenticate? Session based 🎠 v. Non-session based 🎬 Direct API v. Browser Based API (or both) API key v. Session ID v. JWT Solutions: ✅ Direct API using API key in Authorization header ✅ Browser Based API using session ID in cookies But what about: Both Direct API and Browser Based API? 22 / 39

  28. How do we authenticate? Session based 🎠 v. Non-session based 🎬 Direct API v. Browser Based API (or both) API key v. Session ID v. JWT Solutions: ✅ Direct API using API key in Authorization header ✅ Browser Based API using session ID in cookies But what about: Both Direct API and Browser Based API? Browser Based API using non-session tokens, aka JWT s? 22 / 39

  29. 23 / 39

  30. Anatomy of a JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibm FtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4f wpMeJf36POk6yJV_adQssw5c 24 / 39

  31. Anatomy of a JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 { "alg": "HS256", "typ": "JWT" } eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2 MjM5MDIyfQ { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 } SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c signature 25 / 39

  32. Anatomy of a JWT Set-Cookie access_token= eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibm FtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ; Secure Set-Cookie access_token_signature= SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c; Secure; HttpOnly 26 / 39

  33. Anatomy of a JWT Set-Cookie access_token= eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibm FtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ; Secure Set-Cookie access_token_signature= SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c; Secure; HttpOnly 26 / 39

  34. Split JWT cookies header_payload, signature = access_token.rsplit(".", maxsplit=1) set_cookie( response, "access_token", header_payload, httponly=False ) set_cookie( response, "access_token_signature", signature, httponly=True, ) set_cookie( response, "csrf_token", generate_csrf_token(), httponly=False, ) # Do we even need this? Perhaps not! def set_cookie(response, key, value, config, httponly=None): response.cookies[key] = value response.cookies[key]["httponly"] = httponly response.cookies[key]["path"] = "/" response.cookies[key]["domain"] = "foo.bar" response.cookies[key]["expires"] = datetime(...) response.cookies[key]["secure"] = True 27 / 39

  35. We found a winner 🏇 Non-session Stateless JWT based 🎬 Stored: JS accessible 2 cookies Sent: 2 cookies Authorization: Bearer <TOKEN> Also, 1 token via Header for CSRF protection Subject to Secured from XSS Solved ✅ 28 / 39

  36. def extract_token(request): access_token = request.cookies.get("access_token") access_token_signature = request.cookies.get("access_token_signature") return f"{access_token}.{access_token_signature}" def is_authenticated(request): token = extract_token(request) try: jwt.decode(token, ...) except Exception: return False else: return True 29 / 39

  37. def do_protection(request): if not is_authenticated(request): raise Unauthorized("Who are you?") if not is_authorized(request): raise Forbidden("You are not allowed") if not is_pass_csrf(request): raise Forbidden("You CSRF thief!") 30 / 39

  38. def is_authorized(request): """How shall we do this?""" 31 / 39

  39. Structured Scopes user:read:write namespace:action(s) 32 / 39

  40. Structured Scopes user:read:write namespace:action(s) user:read 32 / 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs from the Web December 10-11, 2008 Mat Ford http://www.isoc.org Background ISOC is focused on continued operation of the global Internet

512 views • 12 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files &amp; processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Overcoming barriers for effective control Rhododendron Control Stories: Snowdonia National Park

Overcoming barriers for effective control Rhododendron Control Stories: Snowdonia National Park

Overcoming barriers for effective control Rhododendron Control Stories: Snowdonia National Park and Rhododendron Partnership Geraint Williams Celtic Rainforests Project Officer Stem injection and cut &amp; burn techniques Windrowing cut

299 views • 12 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a simple, modular approach to networked access control with scalability in mind. Easy management from a central location PC from anywhere with an

196 views • 9 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
Beautiful REST + JSON APIs Les Hazlewood, @lhazlewood Founder &amp; CTO, Stormpath About

Beautiful REST + JSON APIs Les Hazlewood, @lhazlewood Founder &amp; CTO, Stormpath About

Beautiful REST + JSON APIs Les Hazlewood, @lhazlewood Founder &amp; CTO, Stormpath About Stormpath User Management API for Developers Registration and Login User Profiles Role Based Access Control (RBAC) Permissions

1.26k views • 86 slides
Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Multilevel and mandatory access control Stephen McCamant University of

324 views • 10 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
International Encryption Control: Navigating Differing Regulations and Exceptions Overcoming

International Encryption Control: Navigating Differing Regulations and Exceptions Overcoming

Presenting a live 90-minute webinar with interactive Q&amp;A International Encryption Control: Navigating Differing Regulations and Exceptions Overcoming Licensing and Classification Challenges and Implementing a Global Compliance Program

435 views • 42 slides
Making the Move from IaaS to IaaS+ Chip Childers VP

Making the Move from IaaS to IaaS+ Chip Childers VP

Making the Move from IaaS to IaaS+ Chip Childers VP Product Strategy for CumuLogic @chipchilders | www.cumulogic.com IaaS+ Acronym 1) a combinaEon

790 views • 16 slides
On computation of HOMFLY polynomials of Montesinos links Masahiko Murakami Nihon University

On computation of HOMFLY polynomials of Montesinos links Masahiko Murakami Nihon University

On computation of HOMFLY polynomials of Montesinos links Masahiko Murakami Nihon University December 18th, 2013 1 Masahiko Murakami (Nihon University) On computation of HOMFLY polynomials of Montesinos links December 18th, 2013 1 / 37

756 views • 42 slides
Content p Paradox of choice and information overload p Personalization p Recommender

Content p Paradox of choice and information overload p Personalization p Recommender

Recommender Systems Francesco Ricci Free University of Bozen-Bolzano fricci@unibz.it Content p Paradox of choice and information overload p Personalization p Recommender system p Step 1: Preference elicitation p Step 2: Preference

749 views • 47 slides
The Solution to the Partition Reconstruction Problem Maria Monks monks@mit.edu AMS/MAA Joint

The Solution to the Partition Reconstruction Problem Maria Monks monks@mit.edu AMS/MAA Joint

The Solution to the Partition Reconstruction Problem Maria Monks monks@mit.edu AMS/MAA Joint Mathematics Meetings - San Diego, CA p.1/14 Definitions and Notation A partition of a positive integer n is an sequence [ 1 , 2 , . . . ,

515 views • 33 slides
Taut Foliations and Heegard Floer L-Spaces Antonio Alfieri University of Pisa ECSTATIC, June

Taut Foliations and Heegard Floer L-Spaces Antonio Alfieri University of Pisa ECSTATIC, June

Taut Foliations and Heegard Floer L-Spaces Antonio Alfieri University of Pisa ECSTATIC, June 2015 Antonio Alfieri Taut Foliations and Heegard Floer L-Spaces Foliation Theory in Low Dimensional Topology Antonio Alfieri Taut Foliations and

420 views • 21 slides
Introductory Statistics Day 24 One sample means - Confidence Intervals 4.3 One sample

Introductory Statistics Day 24 One sample means - Confidence Intervals 4.3 One sample

Introductory Statistics Day 24 One sample means - Confidence Intervals 4.3 One sample means -Confidence Intervals Background information If you conduct a hypothesis test and reject the null hypothesis, use a 1 confidence interval to

432 views • 5 slides
Stable double point numbers of pairs of spherical curves Sumika Kobayashi Department of

Stable double point numbers of pairs of spherical curves Sumika Kobayashi Department of

Introduction Preliminaries Results Stable double point numbers of pairs of spherical curves Sumika Kobayashi Department of Mathmatics Guraduate school of Humanities and Sciences Nara Womens University 2018/12/23 Sumika Kobayashi

316 views • 31 slides
CURVES AND CODES by John R. Kerl A Thesis Presented in Partial Fulfillment of the Requirements

CURVES AND CODES by John R. Kerl A Thesis Presented in Partial Fulfillment of the Requirements

CURVES AND CODES by John R. Kerl A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Arts ARIZONA STATE UNIVERSITY April 2005 1 Overview Coding Theory Algebraic Geometry (key: Riemann-Roch)

430 views • 25 slides

More recommend