seguran a em apis rest heitor vital
play

Segurana em APIs REST Heitor Vital reas de Atuao o Cloud - PowerPoint PPT Presentation

Jun 11, 2023 •182 likes •412 views

Segurana em APIs REST Heitor Vital reas de Atuao o Cloud Computing twitter.com/heitorvital o Segurana Informao o Jogos slideshare.net/HeitorVital o Dispositivos Mveis o labs.siteblindado.com

  1. Segurança em APIs REST

  2. Heitor Vital ● Áreas de Atuação o Cloud Computing twitter.com/heitorvital o Segurança Informação o Jogos slideshare.net/HeitorVital o Dispositivos Móveis o … labs.siteblindado.com sec@siteblindado.com.br ● Acadêmico o MBA FGV Kadu o Mestrado UFPE o Graduação UFPE

  3. 2014 Global Report on the Cost of Cyber Crime Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy 257 Empresas 2.081 Entrevistas 1.717 Incidentes $7.6M Média prejuízo 10.4% Crescimento Incidentes More info: 2014 Global Report on the Cost of Cyber Crime

  7. Fonte: http://cloudtweaks.com/2013/10/cloud-infographic-2013-cyber-security-intelligence-index/

  8. Attack Vector by Organizational Size TOPs 1. Web-based attacks 2. Denial of services 3. Malicious insiders

  9. Site vs Plataforma

  10. Let’s [try to] attack ...

  11. Search Surface Detection ● Metadata/Doc o Swagger o RAML o API-Blueprint o I/O Docs ● Discovery ● Brute Force o Invalid data (type, size, length, null, HTTP header, XML bomb, upload file...) Exemplo: http://petstore.swagger.io/#!/pet/updatePet

  12. Protocolo - HTTP

  13. Protocolo - HTTPS http s ://example.com/controller/<id>/action? apiKey=a53f435643de32 Resolve ??

  14. Authentication/Authorization API Keys Abstract OAuth 2.0 flow

  15. Assessments

  16. Injection Normal http://petstore.com/api/v1/pet/123 “SELECT ¡* ¡FROM ¡pets ¡WHERE ¡petID='” ¡+ ¡petId ¡+”‘”; ¡ “SELECT ¡* ¡FROM ¡pets ¡WHERE ¡petID ¡= ¡‘123’” ¡ Injection http://petstore.com/api/v1/pet/’%20or%20’1’=’1 ¡ “SELECT ¡* ¡FROM ¡pets ¡WHERE ¡petID='” ¡+ ¡petId ¡+”‘”; ¡ SELECT ¡* ¡FROM ¡pets ¡WHERE ¡petID ¡= ¡‘’ ¡ or ¡‘1’ ¡= ¡‘1’

  17. XSS (cross site scripting) Solução Header response com ● Content-type: application/json ● x-content-type-options: nosniff Referencias: http://www.w2spconf.com/2013/papers/s3p1.pdf http://stackoverflow.com/questions/3146324/is-it-possible-to-xss-exploit-json-responses-with-proper-javascript-string-escap http://security.stackexchange.com/questions/42093/xss-prevention-for-restful-services

  18. CSRF (cross site request forgery) Solução OAuth state Referências: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html e http://hasselba.ch/blog/?p=1854

  19. DoS/DDoS API Gateway ● Call quotas WAF o Calendar Period o Rolling Window ● Package Analysis ● Invalid Inputs ● IP Blacklist o XML Schema ● Region Blacklist o Blacklist Keywords o Blacklist patterns o Malformed messages

  21. Plataforma Separation of Concerns ● Authentication / Authorization ● Logging ● Analytics ● Audit ● Rate Limit ● Payload ● Address Restrictions ● Invalid Inputs o XML Schema o Blacklist Keywords o Blacklist patterns o Malformed messages

  22. Heitor Vital twitter.com/heitorvital slideshare.net/HeitorVital OBRIGADO !!! labs.siteblindado.com sec@siteblindado.com.br Kadu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Preparing a REST API Rules of REST APIs, API patterns, Typical CRUD operations Rules for a REST

Preparing a REST API Rules of REST APIs, API patterns, Typical CRUD operations Rules for a REST

Preparing a REST API Rules of REST APIs, API patterns, Typical CRUD operations Rules for a REST API Recall : REST Representational State Transfer o REST is statelessit has no idea of any current user state or history o API

535 views • 17 slides
REST Web-based APIs REST Representational State Transfer Style of web software

REST Web-based APIs REST Representational State Transfer Style of web software

REST Web-based APIs REST Representational State Transfer Style of web software architecture that simplifies application Not a standard, but a design pattern REST Take all resources for web application (data, files, functions)

722 views • 22 slides
REST Services in Action: Using RESTful APIs with HPE NonStop Applications Todd Barth - NuWave

REST Services in Action: Using RESTful APIs with HPE NonStop Applications Todd Barth - NuWave

REST Services in Action: Using RESTful APIs with HPE NonStop Applications Todd Barth - NuWave Andrew Price - NuWave Agenda REST API Overview Market Adoption APIs in Financial Services NuWave REST-based Middleware Overview

465 views • 30 slides
DDD &amp; REST Domain-Driven APIs for the web Oliver Gierke / olivergierke 2 Background

DDD &amp; REST Domain-Driven APIs for the web Oliver Gierke / olivergierke 2 Background

DDD &amp; REST Domain-Driven APIs for the web Oliver Gierke / olivergierke 2 Background 3 Spring Data REST Spring Data Spring HATEOAS Repositories &amp; Hypermedia Aggregates for Spring MVC 4 REST CRUD via HTTP 5

1.17k views • 55 slides
REST APIs with NodeJS Winter Semester 2016/17 Tobias Seitz Ludwig-Maximilians-Universitt

REST APIs with NodeJS Winter Semester 2016/17 Tobias Seitz Ludwig-Maximilians-Universitt

Practical Course: Web Development REST APIs with NodeJS Winter Semester 2016/17 Tobias Seitz Ludwig-Maximilians-Universitt Mnchen Practical Course Web Development WS 16/17 - 04 - 1 Todays Agenda APIs What is it? REST

849 views • 39 slides
Writing REST APIs with OpenAPI and Swagger Ada Stphane Carrez FOSDEM 2018 OpenAPI and Swagger

Writing REST APIs with OpenAPI and Swagger Ada Stphane Carrez FOSDEM 2018 OpenAPI and Swagger

Writing REST APIs with OpenAPI and Swagger Ada Stphane Carrez FOSDEM 2018 OpenAPI and Swagger Ada Introduction to OpenAPI and Swagger Writing a REST Ada client Writing a REST Ada server Handling security with OAuth2 Demo

970 views • 37 slides
REST: From GET to HATEOAS or how to create RESTful APIs 2 Who

REST: From GET to HATEOAS or how to create RESTful APIs 2 Who

JPoint REST: From GET to HATEOAS or how to create RESTful APIs 2 Who am I? ~ just some java guy ~ Jos Dirksen Interests Books Architect @ JPoint Java &amp;

942 views • 53 slides
Beautiful REST + JSON APIs Les Hazlewood, @lhazlewood Founder &amp; CTO, Stormpath About

Beautiful REST + JSON APIs Les Hazlewood, @lhazlewood Founder &amp; CTO, Stormpath About

Beautiful REST + JSON APIs Les Hazlewood, @lhazlewood Founder &amp; CTO, Stormpath About Stormpath User Management API for Developers Registration and Login User Profiles Role Based Access Control (RBAC) Permissions

1.26k views • 86 slides
Outline What is ReST ? Constraints in ReST REST Architecture Components Features of

Outline What is ReST ? Constraints in ReST REST Architecture Components Features of

Outline What is ReST ? Constraints in ReST REST Architecture Components Features of ReST applications Example of requests in REST &amp; SOAP Complex REST request REST Server response Real REST examples REST Design

603 views • 34 slides
RESTful APIs REST Representational State Transfer architectural style, set of design constraints

RESTful APIs REST Representational State Transfer architectural style, set of design constraints

CS 498RK SPRING 2019 RESTful APIs REST Representational State Transfer architectural style, set of design constraints coined in Roy T. Fieldings dissertation (2000) the Web is the largest implementation three important technologies: HTTP,

714 views • 55 slides
RESTful APIs REST Representational State Transfer Architectural style, set of design constraints

RESTful APIs REST Representational State Transfer Architectural style, set of design constraints

CS 498RK SPRING 2020 RESTful APIs REST Representational State Transfer Architectural style, set of design constraints Coined in Roy T. Fieldings dissertation (2000) The Web is the largest implementation Three important technologies: HTTP,

809 views • 55 slides
RESTful APIs REST Representational State Transfer architectural style, set of design constraints

RESTful APIs REST Representational State Transfer architectural style, set of design constraints

CS 498RK FALL 2016 RESTful APIs REST Representational State Transfer architectural style, set of design constraints coined in Roy T. Fieldings dissertation (2000) the Web is the largest implementation three important technologies: HTTP,

585 views • 54 slides
BUILDING BEAUTIFUL REST APIs with Flask, Swagger UI and Flask-RESTPlus Micha Karzy ski

BUILDING BEAUTIFUL REST APIs with Flask, Swagger UI and Flask-RESTPlus Micha Karzy ski

BUILDING BEAUTIFUL REST APIs with Flask, Swagger UI and Flask-RESTPlus Micha Karzy ski EuroPython 2016 ABOUT ME My name is Micha Karzy ski (thats Polish for Mike) I blog at http://michal.karzynski.pl Short URL:

495 views • 34 slides
WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server

WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server

WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server WSGI Response Python Web Application Connectionless Media Independent Stateless WSGI : Web Server Gateway Interface 2 HTTP Methods

395 views • 28 slides
Design &amp; Test First Workflow For REST APIs How can REST API specification projects help us?

Design &amp; Test First Workflow For REST APIs How can REST API specification projects help us?

Design &amp; Test First Workflow For REST APIs How can REST API specification projects help us? @mrksdck hand copy workflow design code test document @mrksdck hand copy workflow design code test document :(

633 views • 34 slides
StreamDM: Advanced data science with Spark Streaming Heitor Murilo Gomes and Albert Bifet About

StreamDM: Advanced data science with Spark Streaming Heitor Murilo Gomes and Albert Bifet About

StreamDM: Advanced data science with Spark Streaming Heitor Murilo Gomes and Albert Bifet About me Heitor Murilo Gomes PhD in Computer Science Adaptive Random Forests for evolving data stream classification A Survey on Ensemble

703 views • 24 slides
Monthly Security Bulletin Briefing (July 2013) Teresa Ghiorzoe Security Program Manager LATAM

Monthly Security Bulletin Briefing (July 2013) Teresa Ghiorzoe Security Program Manager LATAM

Monthly Security Bulletin Briefing (July 2013) Teresa Ghiorzoe Security Program Manager LATAM Blog de Seguridad: http://blogs.technet.com/b/seguridad/ Twitter: LATAMSRC GBS Security Worldwide Programs 1 Security Advisories July 2013 New

413 views • 27 slides
DC GIS Steering Committee November 2014 10:00 AM 12:00 PM 200 I Street SE, 5 th Floor

DC GIS Steering Committee November 2014 10:00 AM 12:00 PM 200 I Street SE, 5 th Floor

DC GIS Steering Committee November 2014 10:00 AM 12:00 PM 200 I Street SE, 5 th Floor Washington, DC 20003 Conference Room: 5009 Agenda Introductions and Establish Quorum Approve Minutes 8/21/2014 DC GIS News OCTO GIS News

1.1k views • 93 slides
Software Systems by Incorporating Security Knowledge Stefan Grtner and Kurt Schneider Software

Software Systems by Incorporating Security Knowledge Stefan Grtner and Kurt Schneider Software

Maintaining Requirements for Long-Living Software Systems by Incorporating Security Knowledge Stefan Grtner and Kurt Schneider Software Engineering Group, Leibniz Universitt Hannover, Germany Thomas Ruhroth, Jens Brger, and Jan Jrjens

480 views • 24 slides
The Future of E-Commerce is More Web-like Ian Jacobs W3C I. What the Web Means for Commerce

The Future of E-Commerce is More Web-like Ian Jacobs W3C I. What the Web Means for Commerce

The Future of E-Commerce is More Web-like Ian Jacobs W3C I. What the Web Means for Commerce Source: merchandisingmatters.com New Zealand E-Commerce Source: Nielsen New Zealand E-Commerce Report 2016 E-Commerce Rising Proportion of Retail

861 views • 45 slides
Ramy Ahmed Fathy, PhD Vice Chairman of ITU-T SG20 Director, Digital Services Planning and Risk

Ramy Ahmed Fathy, PhD Vice Chairman of ITU-T SG20 Director, Digital Services Planning and Risk

ITU Workshop Smart Sustainable Cities (Samarqand - Uzbekistan 1- 2 June 2017) Trustworthy ICT: The notion of Trust, Security, and Privacy Ramy Ahmed Fathy, PhD Vice Chairman of ITU-T SG20 Director, Digital Services Planning and Risk Assessment

758 views • 52 slides
An Empirical Study of PHP Feature Usage: A Static Analysis Perspective Mark Hills, Paul Klint,

An Empirical Study of PHP Feature Usage: A Static Analysis Perspective Mark Hills, Paul Klint,

An Empirical Study of PHP Feature Usage: A Static Analysis Perspective Mark Hills, Paul Klint, and Jurgen J. Vinju CWI, Software Analysis and Transformation (SWAT) ISSTA 2013 Lugano, Switzerland July 16-18, 2013 http://www.rascal-mpl.org

857 views • 46 slides
Securing Digital Fintech Platform Value Proposition and Security Challenges Agus F. Abdillah

Securing Digital Fintech Platform Value Proposition and Security Challenges Agus F. Abdillah

Securing Digital Fintech Platform Value Proposition and Security Challenges Agus F. Abdillah Jakarta - 28 th Nov, 2018 1 Securing Fintech 1 Introduction 2 What Being Platform Means? AGENDA What is Value Proposition for Digital 3

353 views • 18 slides
Crosstalk - How can we avoid it - Herv Grabas Mutual Inductance and Capacitance Crosstalk

Crosstalk - How can we avoid it - Herv Grabas Mutual Inductance and Capacitance Crosstalk

Crosstalk - How can we avoid it - Herv Grabas Mutual Inductance and Capacitance Crosstalk is the coupling of energy from one line to another via: Mutual capacitance (electric field) Mutual inductance (magnetic field) Mutual Inductance, L

967 views • 29 slides

More recommend