Professional Documents
Culture Documents
REST API
WEB
A key constraint is that
communications are stateless;
there is no reliance on
previous transfers. The single
HTTP message contains all
the information required to
perform its action.
www.hesha.com
Employee
www.heshan.com/api/v1/empl
oyee/{id}
GET
www.heshan.com/api/v1/empl
oyee/{id}
POST
{
PUT
Name : GET
DELETE
"shan"
OPTIONS
"Address"
PATCH
HEAD
“DSfsdfsd
REST API
Privilege Management -
validation of actions that result
in privilege escalation should
require the satisfaction of
multiple conditions.
Idempotent API
Non Idempotent API
Idempotency essentially means
that the effect of a successfully
performed request on a server
resource is independent of the
number of times it is executed.
***
HTTP
The simplest way to handle authenti- cation is through the use of HTTP, where the username and password are sent alongside every API call.
API KEY AUTHENTICATION
This method creates unique keys for developers and passes them along- side every request. The API gener- ates a secret key that is a
long, difficult-to-guess string of numbers.
L
OAUTH AUTHENTICATION
This framework can orchestrate approvals automatically between the API owner and the service, or you can also authorize developers to obtain access on
their own.
OR... NO AUTHENTICATION
There's always the option of applying no authentication at all. This approach is commonly used in inter- nal APIs hosted on-premise but is
not a recommended practice.
Authorization : Bearer
absd@123455
OAuth Authentication
Authenticated
FACEBOOK
LOGIN FB
Rushcira
Delegated Authentication
OAuth 2.0
No Authentication
OAuth, OpenID
Connect
Authentication vs
Authorization
MyBucks Application
111
Authorization Request
Sarah
Authorization Grant
Authorization Grant
Access Token
Memorial Bank
Authorization Server
InterSystems
ttttt
Access Token
Protected Resource
Memorial Bank
Resource Server
InterSystems
Health Business | Government
access token + an ID token
(JWT)
https://jwt.io/
Most Advanced Way of
protecting
an API
ONE Way
Client Verified
•Replay Attack.
•Security Controls.
•Authentication Controls.
•Access Management.
Get
HTML
API Get
Raw
GET /api/document/3
32
85
&
BUA
2
An API is vulnerable if it:
Permits credential stuffing whereby the attacker has a list
of valid usernames and passwords.
•Permits attackers to perform a brute force attack on
the same user account, without presenting
captcha/account lockout mechanism.
•Permits weak passwords.
•Sends sensitive authentication details, such as auth
tokens and passwords in the URL.
•Doesn't validate the authenticity of tokens.
•Accepts unsigned/weakly signed JWT tokens
("alg":"none")/doesn't validate their expiration date.
•Uses plain text, non-encrypted, or weakly hashed
passwords.
•Uses weak encryption keys.
EDE
3
How To Prevent
LORARL
4
•Execution timeouts
How To Prevent
BFLA
5
LO
https://www.goo.com/api/v1/list?type=admin
Ask Question
How To Prevent
Mass Assignment
6
Scenario #1
{"user_name":"inons","age":24}
The request GET /api/v1/users/me includes an
additional credit_balance property:
{"user_name":"inons","age":24,"credit_balance":10}
The attacker replays the first request with the following
payload:
{"user_name":"attacker","age":60,"credit_balance":9
9999}
A video sharing portal allows users to upload content
and download content in different formats. An attacker
who explores the API found that the endpoint GET /
api/v1/videos/{video_id}/meta_data returns a JSON
object with the video's properties. One of the properties
is "mp4_conversion_params":"-v codec h264", which
indicates that the application uses a shell command to
convert the video. The attacker also found the
endpoint POST /api/v1/videos/new is vulnerable to
mass assignment and allows the client to set any
property of the video object. The attacker sets a
malicious value as follows:
"mp4_conversion_params":"-v codec h264 && format
C:/". This value will cause a shell command injection once
the attacker downloads the video as MP4.
How To Prevent
Security Misconfiguration
7
How To Prevent
Improper Assets
Management
The API might be vulnerable if:
9
How To Prevent