Uploaded by erick-belluci-tedeschi
Disclaimer
Information shared in this presentation does not represent any position or opinion of Walmart Global E-Commerce BR.
Agenda
• Unauthorized vs Forbidden status code
• Rate Limiting / Throttle Control
• Protecting IDs
• JWT – Authentication/Authorization
• Internet Facing Example
• Internal API Example
Unauthorized vs Forbidden status code
401 Unauthorized: trying to reach a resource with invalid authorization or without authorization. The response must include a WWW-Authenticate header telling the client how to authenticate, and the client may retry with proper credentials.
403 Forbidden: "Bro, no matter who you are, I will not respond to you." The credentials were understood, but this identity is not allowed to access the resource; authenticating again will not help.
References:
http://tools.ietf.org/html/rfc2616#section-10.4.2 (401 Unauthorized)
http://tools.ietf.org/html/rfc2616#section-10.4.4 (403 Forbidden)
Rate Limiting / Throttle Control
Common Headers Used
Time Window: 1 Hour
X-RateLimit-Limit: 500
X-RateLimit-Remaining: 253
X-RateLimit-Reset: 1429962300 (Unix timestamp at which the limit resets)
RFC 6585 Additional HTTP Status Codes
429 Too Many Requests (the response may include a Retry-After header)
References:
http://tools.ietf.org/html/rfc6585#section-4
http://stackoverflow.com/questions/16022624/examples-of-http-api-rate-limiting-http-response-headers
Rate Limiting / Throttle Control
"This is a sample code snippet just for better understanding. In a production environment, please improve it."
Library used: https://github.com/fustundag/tokenbucket
Rate Limiting / Throttle Control
Recommendations
• Choose an algorithm (e.g. Token Bucket, Leaky Bucket, your own…)
• Parameterize it (application/API properties.ini)
• Avoid storage that abuses I/O
  Good: Hazelcast, Redis, Memcached
  Bad: relational SQL, file/session (oh my God)
• GET may have a different limit when compared to POST, PUT, DELETE
• Monitoring (SOC – Security Operations Center)
  Top requesters
  Average of how many 429 were returned
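The following is an added example, written in Python rather than the PHP of the deck, and it is not the snippet the presentation showed (which used the fustundag/tokenbucket library). It implements the recommendations above: a token bucket per client and per HTTP method (the 500 requests/hour for GET is the slide's figure; the 100/hour for writes and the use of the client IP as key are assumptions), it emits the X-RateLimit-* headers and 429 plus Retry-After, and it counts rejections per client so the "top requesters" view the SOC wants can be produced. The in-memory dictionary stands in for a shared store such as Redis or Memcached.

```python
import math
import time
from collections import Counter
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: int          # becomes X-RateLimit-Limit
    refill_per_sec: float  # capacity spread over the window
    tokens: float
    updated: float


class RateLimiter:
    """Token bucket per (client, method): one bucket for reads, a smaller one for writes."""

    # Requests per window. 500/hour for GET is from the slide; the write limits are assumed.
    LIMITS = {"GET": 500, "HEAD": 500, "POST": 100, "PUT": 100, "DELETE": 100}
    WINDOW = 3600  # seconds: the slide's one-hour window

    def __init__(self):
        self._buckets = {}
        self.rejections = Counter()  # 429s per client, for the SOC "top requesters" view

    def _bucket(self, client, method, now):
        key = (client, method)
        bucket = self._buckets.get(key)
        if bucket is None:
            cap = self.LIMITS.get(method, 100)
            bucket = Bucket(cap, cap / self.WINDOW, float(cap), now)
            self._buckets[key] = bucket
        else:
            # Continuous refill: elapsed time times rate, never above capacity.
            elapsed = max(0.0, now - bucket.updated)
            bucket.tokens = min(bucket.capacity, bucket.tokens + elapsed * bucket.refill_per_sec)
            bucket.updated = now
        return bucket

    def check(self, client, method, now=None):
        """Return (status, headers): 200 with X-RateLimit-* headers, or 429 plus Retry-After."""
        now = time.time() if now is None else now
        bucket = self._bucket(client, method, now)
        allowed = bucket.tokens >= 1.0
        if allowed:
            bucket.tokens -= 1.0
        # Reset is reported as the Unix time at which the bucket would be full again.
        seconds_to_full = (bucket.capacity - bucket.tokens) / bucket.refill_per_sec
        headers = {
            "X-RateLimit-Limit": str(bucket.capacity),
            "X-RateLimit-Remaining": str(int(bucket.tokens)),
            "X-RateLimit-Reset": str(int(math.ceil(now + seconds_to_full))),
        }
        if not allowed:
            self.rejections[client] += 1
            # Seconds until one whole token is available again.
            headers["Retry-After"] = str(int(math.ceil((1.0 - bucket.tokens) / bucket.refill_per_sec)))
            return 429, headers
        return 200, headers

    def top_requesters(self, n=3):
        """Clients that were throttled most often."""
        return self.rejections.most_common(n)


def demo():
    """Exhaust one client's GET budget at a single instant (constructed timestamp).

    Returns the 501 statuses observed, then the status and headers of one more request.
    """
    limiter = RateLimiter()
    t0 = 1429958700
    statuses = [limiter.check("203.0.113.7", "GET", now=t0)[0] for _ in range(501)]
    status, headers = limiter.check("203.0.113.7", "GET", now=t0)
    return statuses, status, headers, limiter


if __name__ == "__main__":
    statuses, status, headers, limiter = demo()
    print(statuses.count(200), "allowed,", statuses.count(429), "throttled")
    print(status, headers)
    print(limiter.top_requesters())
```

Because GET and POST have separate buckets, a client that has exhausted its read budget can still write (and vice versa), which is the per-method point from the slide; Retry-After is derived from the refill rate, so after the bucket is drained the client is told to wait 8 seconds (one token at 500/3600 per second).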
Protecting IDs
Source: http://www.securityinform.com/2014/06/12/gmail-token-vulnerability-could-have-exposed-every-email-addresses-hosted-on-google/
The identifier below embeds the account's e-mail address in the URL:
https://mail.google.com/mail/mdd-f825a3f2b2-fulano.ciclano%40gmail.com-ccD8J0x6P6JNSLS36vR6Z_sHAb3
Protecting IDs
"The intent of UUIDs is to enable distributed systems to uniquely identify information without significant central coordination"
Source: http://en.wikipedia.org/wiki/Universally_unique_identifier
• Avoid sequential / guessable identifiers: an attacker who sees one can enumerate the rest
/api/v1/user/234
• Use something like a UUID instead
/api/v1/user/123e4567-e89b-12d3-a456-426655440000
(Note: this sample is a version 1 UUID, derived from a timestamp and node address and therefore partly predictable; use random version 4 UUIDs where the identifier must be unguessable. An unguessable identifier is not an access check: the API must still verify that the caller may access the resource.)
• Avoid sensitive information in the URL (path or query params), where it ends up in logs, browser history and Referer headers
/api/v1/customer/phone/551130304040
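An added Python example (not from the presentation) of the two halves of this advice: public identifiers are minted as random version 4 UUIDs and validated on input, rejecting the version 1 sample above as predictable, while the sequential internal id never leaves the store, and the lookup still checks ownership because an unguessable id is not authorization. The in-memory UserStore, the owner names and the status codes returned are constructed for the example.

```python
import uuid


def new_public_id():
    """Mint an opaque identifier for an API resource: 122 random bits, UUID version 4."""
    return str(uuid.uuid4())


def is_random_uuid(value):
    """Accept only canonical, lower-case, version 4 UUIDs.

    Version 1 UUIDs (like 123e4567-e89b-12d3-a456-426655440000 from the slide) are built
    from a timestamp and a node identifier, so they are partly predictable and rejected here,
    as is anything that is not a UUID at all or not in canonical form.
    """
    try:
        parsed = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return parsed.version == 4 and str(parsed) == value.lower()


class UserStore:
    """Constructed in-memory store: public UUIDs map to records, sequential ids stay internal."""

    def __init__(self):
        self._by_public_id = {}
        self._next_internal = 1

    def create(self, owner, profile):
        public_id = new_public_id()
        record = {"internal_id": self._next_internal, "owner": owner}
        record.update(profile)
        self._by_public_id[public_id] = record
        self._next_internal += 1
        return public_id

    def get(self, caller, public_id):
        """Return (status, body) for GET /api/v1/user/<public_id> made by `caller`."""
        if not is_random_uuid(public_id):
            return 400, {"error": "malformed id"}
        record = self._by_public_id.get(public_id)
        if record is None:
            return 404, {"error": "not found"}
        if record["owner"] != caller:
            # Knowing (or guessing) the id is not authorization: still check ownership.
            return 403, {"error": "forbidden"}
        # Never expose the sequential internal id in the response.
        return 200, {k: v for k, v in record.items() if k != "internal_id"}


if __name__ == "__main__":
    store = UserStore()
    alice = store.create("alice", {"name": "Alice"})
    print(alice, store.get("alice", alice))
    print(store.get("mallory", alice))
    print(store.get("alice", "234"))
```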
JOSE – JavaScript Object Signing and Encryption
JWT – JSON Web Token
JWA – JSON Web Algorithms
JWK – JSON Web Key
JWS – JSON Web Signature (integrity)
JWE – JSON Web Encryption (confidentiality)
JWT Characteristics
• Stateless
• URL-safe
• Intended for space-constrained environments
  HTTP headers (like Authorization)
  URI query parameters (URLs are logged and leak through Referer headers, so prefer the header)
• Avoids CSRF when carried in the Authorization header: unlike a cookie, the browser does not attach it automatically
• Flexible
• Interoperable
JWT - Claims
Reserved (registered): iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before time), iat (issued at time), jti (JWT ID)
Public: registered at IANA
Private: internal use; document them to clients
JWS – Compact Serialization
Three base64url-encoded segments separated by dots: JOSE header, payload, signature.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIuZXhhbXBsZS5jb20iLCJpYXQiOjE0Mjk2NTc0NjUsImV4cCI6MTQyOTY1ODcwOCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoiZXJpY2tAZXhhbXBsZS5jb20iLCJHaXZlbk5hbWUiOiJFcmljayBUZWRlc2NoaSIsIlJvbGVzIjpbInBvc3RzOnJ3IiwiY29tbWVudHM6ciJdfQ.X4iwLqW2Bze2WlTxfn8v1EIqgfCRql6aVYSLpN22HSU

JOSE Header
{
  "typ": "JWT",
  "alg": "HS256"
}

Payload
{
  "iss": "issuer.example.com",
  "iat": 1429657465,
  "exp": 1429658708,
  "aud": "www.example.com",
  "sub": "erick@example.com",
  "GivenName": "Erick Tedeschi",
  "Roles": [
    "posts:rw",
    "comments:r"
  ]
}

Signature
HmacSha256(
  base64UrlEncode($header) . "." .
  base64UrlEncode($payload),
  "secret");

The signature covers the encoded header and payload, so any change to either segment invalidates it. "secret" is only a placeholder: the HMAC key must be long and random, and every party holding it can mint tokens. The verifier must decide which algorithm it accepts rather than trusting the "alg" value carried in the header.
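The following is an added example in Python (the deck's pseudocode is PHP-flavoured); it is not code from the presentation. It builds the slide's header and payload into the HS256 compact serialization shown above using only the standard library, then verifies a token the way an API filter would, returning 401 with a WWW-Authenticate challenge when there are no usable credentials (missing, malformed, wrong key, wrong algorithm, expired, wrong audience) and 403 when the token is valid but lacks the required role, which is the Unauthorized vs Forbidden distinction from the first section. The key b"secret", the audience and the role names come from the slide; the 30-second clock leeway, the `Bearer error="invalid_token"` challenge format (RFC 6750) and the function names are choices made for the example.

```python
import base64
import hashlib
import hmac
import json

# Header and payload exactly as shown on the slide, used as sample input.
DECK_HEADER = {"typ": "JWT", "alg": "HS256"}
DECK_PAYLOAD = {
    "iss": "issuer.example.com",
    "iat": 1429657465,
    "exp": 1429658708,
    "aud": "www.example.com",
    "sub": "erick@example.com",
    "GivenName": "Erick Tedeschi",
    "Roles": ["posts:rw", "comments:r"],
}


def b64url_encode(raw):
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj):
    # No whitespace, keys in insertion order: reproduces the slide's segments byte for byte.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(header, payload, secret):
    """header.payload.signature, with HMAC-SHA256 over the two encoded segments."""
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


class TokenError(Exception):
    pass


def verify_hs256(token, secret, audience, now, leeway=30):
    """Return the claims of a valid HS256 token for this audience, or raise TokenError."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 (binascii.Error) or bad JSON
        raise TokenError("malformed token")
    # Pin the algorithm server-side; the token's own "alg" must never pick the verifier.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise TokenError("not yet valid")
    if claims.get("aud") != audience:
        raise TokenError("wrong audience")
    return claims


def authorize(authorization_header, secret, audience, required_role, now):
    """Decide the response like an API filter: (status, body, extra_headers).

    401: no usable credentials; WWW-Authenticate tells the client how to authenticate.
    403: the token is valid, but this identity is not allowed to do this.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}, {"WWW-Authenticate": 'Bearer realm="api"'}
    try:
        claims = verify_hs256(authorization_header[len("Bearer "):], secret, audience, now)
    except TokenError as err:
        challenge = f'Bearer realm="api", error="invalid_token", error_description="{err}"'
        return 401, {"error": str(err)}, {"WWW-Authenticate": challenge}
    if required_role not in claims.get("Roles", []):
        return 403, {"error": "insufficient role"}, {}
    return 200, claims, {}


if __name__ == "__main__":
    secret = b"secret"  # the slide's placeholder; a real HMAC key must be long and random
    token = sign_hs256(DECK_HEADER, DECK_PAYLOAD, secret)
    print(token)
    print(authorize("Bearer " + token, secret, "www.example.com", "posts:rw", now=1429657500)[0])
    print(authorize("Bearer " + token, secret, "www.example.com", "admin", now=1429657500)[0])
```

Running it reproduces the header and payload segments printed on the slide exactly; the signature segment differs only if the deck was not actually signed with the literal string "secret". A token with "alg": "none" or with a modified Roles array is rejected as 401, not 403, because without a valid signature there is no identity to be forbidden.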
JWT Internet Facing Example
(Diagram: a client on the Internet resolves myapp.com through UltraDNS and is routed to app instances in Cloud A (US) and Cloud B (BR). All instances hold the same key, so a token issued by one instance is verifiable by any other without shared session state.)
JWT Internal API Example
Application A (holds the private key) signs a token for each call; Application B (holds the public key) verifies it.

POST /api/v1/payment/pay
Authorization: Bearer jwtH.jwtP.jwtS

{'from':'xpto','to':'xyz','amount':66.66}

PAYLOAD
{
  "iss": "application A",
  "iat": 1429932376,
  "exp": 1429932676, // 5 minutes
  "aud": "application B",
  "jti": "1234567890abcdef",
  "req": {
    "method": "POST",
    "path": "/api/v1/payment/pay",
    "data": hash(data)
  }
}

The "req" claim binds the token to one specific request (method, path and a hash of the body), so a captured token cannot be reused for a different call. JWT Storage: Application B stores the jti of each accepted token until its expiration and rejects any token whose jti it has already seen, which stops replay of the same request within the 5-minute window.
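An added Python example of Application B's side of this design; it is not code from the presentation. It assumes the signature has already been checked with A's public key (the asymmetric signing itself is left out) and shows the checks that remain: audience, the 5-minute expiry, that the method, path and body hash in "req" match the request actually received, and a jti store that remembers each identifier until its exp so a replayed token is refused. The request body is the slide's; the SHA-256 hash, the 30-second leeway, the in-memory JtiStore (standing in for a shared store with TTLs) and the reason strings are choices made for the example.

```python
import hashlib
import hmac
import uuid


def body_hash(body):
    """The "data" value of the req claim: SHA-256 of the exact bytes that are sent."""
    return hashlib.sha256(body).hexdigest()


def build_request_claims(issuer, audience, method, path, body, now, ttl=300):
    """Claims Application A signs for one call to Application B (5-minute life, unique jti)."""
    return {
        "iss": issuer,
        "iat": now,
        "exp": now + ttl,
        "aud": audience,
        "jti": uuid.uuid4().hex,  # fresh per request; B refuses to accept the same one twice
        "req": {"method": method, "path": path, "data": body_hash(body)},
    }


class JtiStore:
    """Application B's "JWT Storage": remembers each jti until the token's exp, then forgets it.

    In-memory here; a shared store such as Redis with per-key TTL plays the same role
    when several instances of B are behind one endpoint.
    """

    def __init__(self):
        self._seen = {}

    def consume(self, jti, exp, now):
        """True the first time a jti is seen before its expiry, False on replay."""
        for stale in [j for j, e in self._seen.items() if e <= now]:
            del self._seen[stale]
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def check_request(claims, audience, method, path, body, store, now, leeway=30):
    """Application B's checks after the signature was verified with A's public key.

    Returns (accepted, reason). The jti is consumed last so a request rejected for
    another reason does not burn an identifier that was never actually served.
    """
    if claims.get("aud") != audience:
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        return False, "expired"
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        return False, "issued in the future"
    req = claims.get("req") or {}
    if req.get("method") != method or req.get("path") != path:
        return False, "token bound to a different request"
    if not hmac.compare_digest(str(req.get("data", "")).encode(), body_hash(body).encode()):
        return False, "body does not match token"
    if not isinstance(claims.get("jti"), str) or not store.consume(claims["jti"], exp, now):
        return False, "replayed jti"
    return True, "ok"


if __name__ == "__main__":
    body = b"{'from':'xpto','to':'xyz','amount':66.66}"  # the slide's request body
    claims = build_request_claims("application A", "application B", "POST",
                                  "/api/v1/payment/pay", body, now=1429932376)
    store = JtiStore()
    print(check_request(claims, "application B", "POST", "/api/v1/payment/pay", body, store, now=1429932400))
    print(check_request(claims, "application B", "POST", "/api/v1/payment/pay", body, store, now=1429932401))
```

The second call in the main block is the replay: same token, same request, one second later, and it is refused because the jti is already in the store. Changing the amount in the body, or sending the token to a different path, fails the binding check before the jti is even consulted.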
References
• JOSE
  JWT: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
  JWA: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms
  JWK: https://tools.ietf.org/html/draft-ietf-jose-json-web-key
  JWS: https://tools.ietf.org/html/draft-ietf-jose-json-web-signature
  JWE: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40
• PHP JWT Libraries
  https://github.com/lcobucci/jwt (JWS with shared secret and RSA)
  https://github.com/Spomky-Labs/jose (JW{T,A,K,S,E} fully supported)
• Do you want to create your own library?
  Examples of protecting content using JWT: https://tools.ietf.org/html/draft-ietf-jose-cookbook-08
• Using JWTs as API Keys
  https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/
  http://www.thread-safe.com/2014/05/wt-and-jose-have-won-special-european.html
  https://securityblog.redhat.com/2015/04/01/jose-json-object-signing-and-encryption/
GET /logout?token=f.i.n.i.s.h
E-mail: [email protected]
Twitter: http://twitter.com/ericktedeschi
LinkedIn: https://www.linkedin.com/in/ericktedeschi