Taiseer Joudeh, profile picture
Uploaded byTaiseer Joudeh
PPTX, PDF3,116 views

HTTP Services & REST API Security

The document discusses the importance of HTTP service security for integrating with modern enterprise applications and devices. It highlights common security flaws in API design, such as hardcoding credentials and leaky APIs, and outlines methods for securing APIs, including basic and token-based authentication, as well as the OAuth 2.0 protocol. The document also emphasizes the need for secure practices and the potential complexities introduced by different authentication mechanisms.

Embed presentation

Downloaded 33 times
HTTP Services Security Taiseer Joudeh Corporate IT Manager at Aramex @tjoudeh http://bitoftech.net
Agenda • Why we are building HTTP Services? • Should I care about HTTP Service Security? • Live examples of Sloppy HTTP Services and Apps. • Ways to secure your API • Basic Authentication. • Token Based Authentication. • OAuth 2.0 Protocol, Roles and Flows. • Demo
Why we are building HTTP Services? • Enterprise wants to integrate with others, HTTP Services is your way. • (Mobile devices, Smart homes, Intelligent devices, IoT, etc...) all speaks HTTP. • New trends of building modern web application (SPA, JS Frameworks).
Should I care about HTTP Service Security? • Definitely! Your Web API is publicly accessible. • No Active Directory, no Windows Authentication. • When designing your Web API, security is a first class citizen. • Shall I build my own security model?
Sloppy HTTP Services and Apps • Case 1: • Hardcoding API Key in mobile applications, with fiddler proxy API Key was exposed. • Access checks are done on front-end. Backed-end server should never trust the UI.
Sloppy HTTP Services and Apps • Case 2: • Leaky API, returning hashed user passwords. • People tend to reuse passwords!
HTTP Services is stateless! • HTTP Service is stateless, no sessions between the client and the server. • Authentication should be done with each request from front-end to the back-end server.
Ways to secure your API • 1 - Basic Authentication (Very simple) • Client needs to send Username/Password with each request – Client will store credentials somewhere – Bad Idea? • Your password is your master key, if it is compromised, your account is compromised. • On the back-end server will validate credentials with each request, intentionally slow process, why? • Should be used over SSL only. • Try to avoid it as much as possible. • Any alternatives? GET /orders HTTP/1.1 Host: api.example.com Authorization: Basic dGFpc2VlcjpwYXNzd29yZA==
Ways to secure your API – Cont. • 2 – Token Based Authentication • How this happen? 1. Front-end presents username/password to (/token) end point. 2. Back-end server validates credentials. 3. Back-end server returns a magical string (Access Token) 4. Front-end presents Access Token with each request in the Authorization header using Bearer scheme. POST /token HTTP/1.1 Host: api.example.com grant_type=password &username=taiseer &password=password { "access_token": “YsSHs2rrsh8Vs8fggdsd44jssfVJ8h95sds", "token_type": "Bearer", "expires": 3600 } GET /orders HTTP/1.1 Host: api.example.com Authorization: Bearer YsSHs2rrsh8Vs8fggdsd44jssfVJ8h95sds
Ways to secure your API – Cont. • 2 – Token Based Authentication • What is Access Token? • Self contained data structure represented in string. • Contains information about user identity • Have lifetime and should expire • Should be signed, sometimes encrypted by the server. • Access Tokens like Cash, so SSL everywhere! • Access Token != Password (Token compromised, master key - password is safe)
Ways to secure your API – Cont. • 2 – Token Based Authentication – Cont. • Any drawbacks? • Self contained tokens are not revocable! • User changes password, access token still valid. • Solution? • Issue short lived access tokens (15 minutes). • Refresh Access Tokens silently using Refresh Tokens. • Refresh Tokens are revocable, you are in good shape! • Adds complexity to the front-end and the back-end!
OAuth 2.0 Protocol • OAuth 2.0 is set of spec. and standards to build on top of it. • Different flows to protect HTTP services. • Four main roles:
OAuth 2.0 Flows 1. Resource owner password credentials flow • Should be used with trusted clients (mobile apps you trust) 2. Implicit flow • Good for 3rd party mobile apps. • Client (mobile apps) never sees the password. 3. Authorization Code flow • Web server apps talking to each other. 4. Client Credentials flow • Machine to Machine (No human interaction).
Demo • Implementing the resource owner password credentials flow
Thank You!

More Related Content

PPTX
Build Modern Web Apps Using ASP.NET Web API and AngularJS
byTaiseer Joudeh
 
PPTX
Azure Mobile Services
byTaiseer Joudeh
 
PDF
Securty Testing For RESTful Applications
bySource Conference
 
PDF
The Ultimate Guide to Mobile API Security
byStormpath
 
PPTX
Api security
byteodorcotruta
 
PDF
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
PPTX
What's new in visual studio 2013
byTaiseer Joudeh
 
PDF
Build a REST API for your Mobile Apps using Node.js
byStormpath
 
Build Modern Web Apps Using ASP.NET Web API and AngularJS
byTaiseer Joudeh
 
Azure Mobile Services
byTaiseer Joudeh
 
Securty Testing For RESTful Applications
bySource Conference
 
The Ultimate Guide to Mobile API Security
byStormpath
 
Api security
byteodorcotruta
 
Protecting Your APIs Against Attack & Hijack
byCA API Management
 
What's new in visual studio 2013
byTaiseer Joudeh
 
Build a REST API for your Mobile Apps using Node.js
byStormpath
 

What's hot

PDF
Testing REST Web Services
byJan Algermissen
 
PPTX
D@W REST security
byGaurav Sharma
 
PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PPTX
Rest API Security
byStormpath
 
PPTX
Token Authentication for Java Applications
byStormpath
 
PDF
SPUnite17 Who Are You and What Do You Want
byNCCOMMS
 
PPTX
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 
PPTX
OAuth in the new .NET world (OWIN)
byEmad Alashi
 
PDF
OAuth Tokens
byn|u - The Open Security Community
 
PDF
O365Con18 - Connect SharePoint Framework Solutions to API's secured with Azur...
byNCCOMMS
 
PPTX
ECS 2018: Introduction to Azure Web Applications
byEric Shupps
 
PPTX
Using & Abusing APIs: An Examination of the API Attack Surface
byCA API Management
 
PPTX
Azure staticwebapps
byUdaiappa Ramachandran
 
PPTX
OAuth
byVijay Naik
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PPTX
API Security - Null meet
byvinoth kumar
 
PPTX
Instant Security & Scalable User Management with Spring Boot
byStormpath
 
PPTX
Spring Boot Authentication...and More!
byStormpath
 
PDF
How to Harden the Security of Your .NET Website
byDNN
 
PDF
CNIT 129S: Ch 5: Bypassing Client-Side Controls
bySam Bowne
 
Testing REST Web Services
byJan Algermissen
 
D@W REST security
byGaurav Sharma
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
Rest API Security
byStormpath
 
Token Authentication for Java Applications
byStormpath
 
SPUnite17 Who Are You and What Do You Want
byNCCOMMS
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 
OAuth in the new .NET world (OWIN)
byEmad Alashi
 
OAuth Tokens
byn|u - The Open Security Community
 
O365Con18 - Connect SharePoint Framework Solutions to API's secured with Azur...
byNCCOMMS
 
ECS 2018: Introduction to Azure Web Applications
byEric Shupps
 
Using & Abusing APIs: An Examination of the API Attack Surface
byCA API Management
 
Azure staticwebapps
byUdaiappa Ramachandran
 
OAuth
byVijay Naik
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
API Security - Null meet
byvinoth kumar
 
Instant Security & Scalable User Management with Spring Boot
byStormpath
 
Spring Boot Authentication...and More!
byStormpath
 
How to Harden the Security of Your .NET Website
byDNN
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
bySam Bowne
 

Viewers also liked

PPTX
Pentesting ReST API
byNutan Kumar Panda
 
PPTX
REST API testing with SpecFlow
byAiste Stikliute
 
PPTX
Getting Started with API Security Testing
bySmartBear
 
PDF
Top 5 Ways To Increase API Adoption
byProgrammableWeb
 
PDF
Integrated social solutions, the power and pitfalls of mashups
byNordic APIs
 
PDF
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)
byNordic APIs
 
PDF
Apinf Open Api Management
byTaija Björklund
 
PDF
TDD for APIs in a Microservice World (Michael Kuehne Schlinkert)
byNordic APIs
 
PPTX
Platform Security that will Last for Decades (Travis Spencer)
byNordic APIs
 
PPTX
Microservices architecture overview v2
byDmitry Skaredov
 
PDF
API Management - Why it matters!
bySven Bernhardt
 
PPTX
Automated API pentesting using fuzzapi
byAbhijeth D
 
PDF
How Spotify Payments Creates APIs to Manage Complexity (Horia Jurcut)
byNordic APIs
 
PPT
Why APIs are not SOA++
byApigee | Google Cloud
 
PPTX
The Hitch Pitch Deck
byHitch
 
PDF
Pentesting RESTful WebServices v1.0
byn|u - The Open Security Community
 
PPTX
API Management in Digital Transformation
byAditya Thatte
 
PDF
API Testing
byBikash Sharma
 
PDF
The Architecture of an API Platform
byJohannes Ridderstedt
 
PPTX
Api testing
byKeshav Kashyap
 
Pentesting ReST API
byNutan Kumar Panda
 
REST API testing with SpecFlow
byAiste Stikliute
 
Getting Started with API Security Testing
bySmartBear
 
Top 5 Ways To Increase API Adoption
byProgrammableWeb
 
Integrated social solutions, the power and pitfalls of mashups
byNordic APIs
 
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)
byNordic APIs
 
Apinf Open Api Management
byTaija Björklund
 
TDD for APIs in a Microservice World (Michael Kuehne Schlinkert)
byNordic APIs
 
Platform Security that will Last for Decades (Travis Spencer)
byNordic APIs
 
Microservices architecture overview v2
byDmitry Skaredov
 
API Management - Why it matters!
bySven Bernhardt
 
Automated API pentesting using fuzzapi
byAbhijeth D
 
How Spotify Payments Creates APIs to Manage Complexity (Horia Jurcut)
byNordic APIs
 
Why APIs are not SOA++
byApigee | Google Cloud
 
The Hitch Pitch Deck
byHitch
 
Pentesting RESTful WebServices v1.0
byn|u - The Open Security Community
 
API Management in Digital Transformation
byAditya Thatte
 
API Testing
byBikash Sharma
 
The Architecture of an API Platform
byJohannes Ridderstedt
 
Api testing
byKeshav Kashyap
 

Similar to HTTP Services & REST API Security

PPTX
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PDF
Protecting your APIs with OAuth 2.0
byUbisecure
 
PPTX
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PPTX
Web api security
by9xdot
 
PDF
Securing APIs with OAuth 2.0
byKai Hofstetter
 
PPTX
Securing APIs using OAuth 2.0
byAdam Lewis
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PPTX
How to build Simple yet powerful API.pptx
byChanna Ly
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PPTX
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 
PPTX
Secure rest api on microservices vws2016
byQuý Nguyễn Minh
 
PPTX
OAuth
byAdi Challa
 
PDF
RESTful Day 5
byAkhil Mittal
 
PDF
OAuth2
bySPARK MEDIA
 
PPTX
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 
PPTX
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
byCA API Management
 
PDF
Authentication and authorization in res tful infrastructures
byCorley S.r.l.
 
PPTX
API Security : Patterns and Practices
byPrabath Siriwardena
 
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
Securing RESTful API
byMuhammad Zbeedat
 
Protecting your APIs with OAuth 2.0
byUbisecure
 
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Web api security
by9xdot
 
Securing APIs with OAuth 2.0
byKai Hofstetter
 
Securing APIs using OAuth 2.0
byAdam Lewis
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
How to build Simple yet powerful API.pptx
byChanna Ly
 
API SECURITY
byTubagus Rizky Dharmawan
 
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 
Secure rest api on microservices vws2016
byQuý Nguyễn Minh
 
OAuth
byAdi Challa
 
RESTful Day 5
byAkhil Mittal
 
OAuth2
bySPARK MEDIA
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
byCA API Management
 
Authentication and authorization in res tful infrastructures
byCorley S.r.l.
 
API Security : Patterns and Practices
byPrabath Siriwardena
 

Recently uploaded

PDF
How NetSuite Cloud ERP Helps Businesses Overcome Legacy System Downtime.
byTechWize
 
PDF
DSD-INT 2025 Managing low flows in the International Meuse Basin with Nature-...
byDeltares
 
PPTX
OTT Content Analytics Enhanced by ALTBalaji Data Scraping.pptx
byyashpatric
 
PDF
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
PDF
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
PPTX
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
PDF
Unit-II Asymptotic Notations and Basic Efficiency Classes (DAA) BCA SEP SEM-III
byKuvempu University
 
PPTX
Custom chat gpt integration services.pptx
byChetu
 
PDF
DSD-INT 2025 Hydrological response of the Puget Sound area to a changing clim...
byDeltares
 
PPTX
application security presentation 2 by harman
byharmanideapad
 
PPTX
List on Python Programming Language.pptx
byRICHARDALONSAGAY1
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
PPTX
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
PDF
DSD-INT 2025 Introduction to Hydrology Suite - Slootjes
byDeltares
 
PDF
From Experiment to Enterprise: Scaling AI Coding Assistants Across Engineerin...
byMaxim Salnikov
 
PDF
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
PPTX
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
PPTX
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
PPTX
AI Agent Overview - Why we need AI Agent
byAlokGope
 
How NetSuite Cloud ERP Helps Businesses Overcome Legacy System Downtime.
byTechWize
 
DSD-INT 2025 Managing low flows in the International Meuse Basin with Nature-...
byDeltares
 
OTT Content Analytics Enhanced by ALTBalaji Data Scraping.pptx
byyashpatric
 
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
Unit-II Asymptotic Notations and Basic Efficiency Classes (DAA) BCA SEP SEM-III
byKuvempu University
 
Custom chat gpt integration services.pptx
byChetu
 
DSD-INT 2025 Hydrological response of the Puget Sound area to a changing clim...
byDeltares
 
application security presentation 2 by harman
byharmanideapad
 
List on Python Programming Language.pptx
byRICHARDALONSAGAY1
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
DSD-INT 2025 Introduction to Hydrology Suite - Slootjes
byDeltares
 
From Experiment to Enterprise: Scaling AI Coding Assistants Across Engineerin...
byMaxim Salnikov
 
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
AI Agent Overview - Why we need AI Agent
byAlokGope
 

HTTP Services & REST API Security

  • 1.
    HTTP Services Security TaiseerJoudeh Corporate IT Manager at Aramex @tjoudeh http://bitoftech.net
  • 2.
    Agenda • Why weare building HTTP Services? • Should I care about HTTP Service Security? • Live examples of Sloppy HTTP Services and Apps. • Ways to secure your API • Basic Authentication. • Token Based Authentication. • OAuth 2.0 Protocol, Roles and Flows. • Demo
  • 3.
    Why we arebuilding HTTP Services? • Enterprise wants to integrate with others, HTTP Services is your way. • (Mobile devices, Smart homes, Intelligent devices, IoT, etc...) all speaks HTTP. • New trends of building modern web application (SPA, JS Frameworks).
  • 4.
    Should I careabout HTTP Service Security? • Definitely! Your Web API is publicly accessible. • No Active Directory, no Windows Authentication. • When designing your Web API, security is a first class citizen. • Shall I build my own security model?
  • 5.
    Sloppy HTTP Servicesand Apps • Case 1: • Hardcoding API Key in mobile applications, with fiddler proxy API Key was exposed. • Access checks are done on front-end. Backed-end server should never trust the UI.
  • 6.
    Sloppy HTTP Servicesand Apps • Case 2: • Leaky API, returning hashed user passwords. • People tend to reuse passwords!
  • 7.
    HTTP Services isstateless! • HTTP Service is stateless, no sessions between the client and the server. • Authentication should be done with each request from front-end to the back-end server.
  • 8.
    Ways to secureyour API • 1 - Basic Authentication (Very simple) • Client needs to send Username/Password with each request – Client will store credentials somewhere – Bad Idea? • Your password is your master key, if it is compromised, your account is compromised. • On the back-end server will validate credentials with each request, intentionally slow process, why? • Should be used over SSL only. • Try to avoid it as much as possible. • Any alternatives? GET /orders HTTP/1.1 Host: api.example.com Authorization: Basic dGFpc2VlcjpwYXNzd29yZA==
  • 9.
    Ways to secureyour API – Cont. • 2 – Token Based Authentication • How this happen? 1. Front-end presents username/password to (/token) end point. 2. Back-end server validates credentials. 3. Back-end server returns a magical string (Access Token) 4. Front-end presents Access Token with each request in the Authorization header using Bearer scheme. POST /token HTTP/1.1 Host: api.example.com grant_type=password &username=taiseer &password=password { "access_token": “YsSHs2rrsh8Vs8fggdsd44jssfVJ8h95sds", "token_type": "Bearer", "expires": 3600 } GET /orders HTTP/1.1 Host: api.example.com Authorization: Bearer YsSHs2rrsh8Vs8fggdsd44jssfVJ8h95sds
  • 10.
    Ways to secureyour API – Cont. • 2 – Token Based Authentication • What is Access Token? • Self contained data structure represented in string. • Contains information about user identity • Have lifetime and should expire • Should be signed, sometimes encrypted by the server. • Access Tokens like Cash, so SSL everywhere! • Access Token != Password (Token compromised, master key - password is safe)
  • 11.
    Ways to secureyour API – Cont. • 2 – Token Based Authentication – Cont. • Any drawbacks? • Self contained tokens are not revocable! • User changes password, access token still valid. • Solution? • Issue short lived access tokens (15 minutes). • Refresh Access Tokens silently using Refresh Tokens. • Refresh Tokens are revocable, you are in good shape! • Adds complexity to the front-end and the back-end!
  • 12.
    OAuth 2.0 Protocol •OAuth 2.0 is set of spec. and standards to build on top of it. • Different flows to protect HTTP services. • Four main roles:
  • 13.
    OAuth 2.0 Flows 1.Resource owner password credentials flow • Should be used with trusted clients (mobile apps you trust) 2. Implicit flow • Good for 3rd party mobile apps. • Client (mobile apps) never sees the password. 3. Authorization Code flow • Web server apps talking to each other. 4. Client Credentials flow • Machine to Machine (No human interaction).
  • 14.
    Demo • Implementing theresource owner password credentials flow
  • 15.