Segurana em APIs REST Heitor Vital reas de Atuao o Cloud - - PowerPoint PPT Presentation

▶

Jun 11, 2023 182 likes •412 views

Segurana em APIs REST Heitor Vital reas de Atuao o Cloud Computing twitter.com/heitorvital o Segurana Informao o Jogos slideshare.net/HeitorVital o Dispositivos Mveis o labs.siteblindado.com

SLIDE 1

Segurança em APIs REST

SLIDE 2

Heitor Vital

Áreas de Atuação
Cloud Computing
Segurança Informação
Jogos
Dispositivos Móveis
…
Acadêmico
MBA FGV
Mestrado UFPE
Graduação UFPE

twitter.com/heitorvital slideshare.net/HeitorVital labs.siteblindado.com Kadu

sec@siteblindado.com.br

SLIDE 3

More info: 2014 Global Report on the Cost of Cyber Crime

Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy

2014 Global Report on the Cost of Cyber Crime

257 Empresas 2.081 Entrevistas 1.717 Incidentes $7.6M Média prejuízo 10.4% Crescimento Incidentes

SLIDE 4

SLIDE 5

SLIDE 6

SLIDE 7

Fonte: http://cloudtweaks.com/2013/10/cloud-infographic-2013-cyber-security-intelligence-index/

SLIDE 8

Attack Vector by Organizational Size

TOPs

1. Web-based attacks
2. Denial of services
3. Malicious insiders

SLIDE 9

Site vs Plataforma

SLIDE 10

Let’s [try to] attack ...

SLIDE 11

Search Surface Detection

Metadata/Doc
Swagger
RAML
API-Blueprint
I/O Docs
Discovery
Brute Force
Invalid data

Exemplo: http://petstore.swagger.io/#!/pet/updatePet

(type, size, length, null, HTTP header, XML bomb, upload file...)

SLIDE 12

Protocolo - HTTP

SLIDE 13

Protocolo - HTTPS

https://example.com/controller/<id>/action?apiKey=a53f435643de32

Resolve ??

SLIDE 14

Authentication/Authorization

API Keys

Abstract OAuth 2.0 flow

SLIDE 15

Assessments

SLIDE 16

Injection

Normal

http://petstore.com/api/v1/pet/123 “SELECT ¡* ¡FROM ¡pets ¡WHERE ¡petID='” ¡+ ¡petId ¡+”‘”; ¡ “SELECT ¡* ¡FROM ¡pets ¡WHERE ¡petID ¡= ¡‘123’” ¡

Injection

http://petstore.com/api/v1/pet/’%20or%20’1’=’1 ¡ “SELECT ¡* ¡FROM ¡pets ¡WHERE ¡petID='” ¡+ ¡petId ¡+”‘”; ¡ SELECT ¡* ¡FROM ¡pets ¡WHERE ¡petID ¡= ¡‘’ ¡or ¡‘1’ ¡= ¡‘1’

SLIDE 17

XSS (cross site scripting)

Solução Header response com

Content-type: application/json
x-content-type-options: nosniff

Referencias: http://www.w2spconf.com/2013/papers/s3p1.pdf http://stackoverflow.com/questions/3146324/is-it-possible-to-xss-exploit-json-responses-with-proper-javascript-string-escap http://security.stackexchange.com/questions/42093/xss-prevention-for-restful-services

SLIDE 18

CSRF (cross site request forgery)

Referências: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html e http://hasselba.ch/blog/?p=1854

Solução OAuth state

SLIDE 19

DoS/DDoS

WAF

Package Analysis
IP Blacklist
Region Blacklist

API Gateway

Call quotas
Calendar Period
Rolling Window
Invalid Inputs
XML Schema
Blacklist Keywords
Blacklist patterns
Malformed messages

SLIDE 20

SLIDE 21

Plataforma Separation of Concerns

Authentication /

Authorization

Logging
Analytics
Audit
Rate Limit
Payload
Address Restrictions
Invalid Inputs
XML Schema
Blacklist Keywords
Blacklist patterns
Malformed messages

SLIDE 22

Heitor Vital

OBRIGADO !!!

twitter.com/heitorvital slideshare.net/HeitorVital labs.siteblindado.com Kadu

sec@siteblindado.com.br