6. BROKEN AUTHENTICATION (A2)
I am not advertising this API,
how could anyone know about it?!
https://motherboard.vice.com/en_us/article/598xaa/remini-app-exposed-childrens-data-open-api
7. Information Leakage (A3)
Broken Access Control (A5)
Check: https://www1.cs.fau.de/filepool/projects/n26/n26-roots.pdf
Watch video at: https://media.ccc.de/v/33c3-7969-shut_up_and_take_my_money
25. OPEN BANKING SAMPLE CATEGORISATION

API        Category   Data Sensitivity   Operations Sensitivity   Authentication Requirements   Integrity Requirement
ATMs       OpenData   Low                Low                      None                          None
Accounts   Read       High               Medium                   Medium                        Required
Payments   Write      High               High                     High                          Required
26. VALIDATE AND SANITIZE INPUT
URL validation
Verb validation
✓ Reject if not valid
Query params validation
✓ Min / Max / Pattern-based matching
Content-Type validation
✓ Don’t accept as-is!
Accept Header validation
✓ Don’t copy into Content-Type
Data inbound
✓ Format
✓ Message Size and complexity
Data outbound
✓ Data Leakage
✓ Exception Leakage
✓ Use rules against data dictionary
OPENAPI SPECIFICATION to the RESCUE !
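The checklist above, worked through as one request validator. This is an added example, not code from the deck or from apisecurity.io; the data dictionary, the allowed paths and verbs, the size and depth limits are constructed assumptions standing in for what an OpenAPI specification would normally supply. It applies each check in the order the slide lists them, then shows the two outbound rules: the response is filtered against the same dictionary, and exceptions never reach the client verbatim.

```python
import json
import re

# Constructed data dictionary (assumption): the only field names the API accepts
# inbound or emits outbound, each with its min/max/pattern rule.
DATA_DICTIONARY = {
    "accountId": {"pattern": r"[A-Z0-9]{8,12}"},
    "limit": {"min": 1, "max": 100},
    "amount": {"min": 1, "max": 10_000},
    "balance": {"outbound_only": True},  # never accepted from the caller
}
# Allowed verbs per URL path (assumption); anything else is rejected outright.
ALLOWED_VERBS = {"/accounts": {"GET"}, "/payments": {"POST"}}
ALLOWED_CONTENT_TYPES = {"application/json"}
SERVED_TYPES = {"*/*", "application/json"}
MAX_BODY_BYTES = 4096
MAX_JSON_DEPTH = 4


class ValidationError(Exception):
    """Raised for any input that is not positively known to be acceptable."""


def check_value(name, value, rule):
    """Min / max / pattern-based matching against one data dictionary entry."""
    if "pattern" in rule:
        if not isinstance(value, str) or not re.fullmatch(rule["pattern"], value):
            raise ValidationError(f"{name} fails pattern")
    if "min" in rule or "max" in rule:
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise ValidationError(f"{name} is not an integer")
        try:
            number = int(value)
        except ValueError:
            raise ValidationError(f"{name} is not an integer")
        if number < rule.get("min", number) or number > rule.get("max", number):
            raise ValidationError(f"{name} out of range")


def json_depth(node, level=1):
    """Nesting depth of a parsed JSON value (the message-complexity check)."""
    if isinstance(node, dict):
        return max([json_depth(v, level + 1) for v in node.values()] or [level])
    if isinstance(node, list):
        return max([json_depth(v, level + 1) for v in node] or [level])
    return level


def validate_request(method, path, query, headers, body):
    """Allow-list validation in the order the slide lists it; returns the parsed request."""
    if path not in ALLOWED_VERBS:                        # URL validation
        raise ValidationError("unknown path")
    if method.upper() not in ALLOWED_VERBS[path]:         # verb validation
        raise ValidationError("verb not allowed for path")
    for name, value in query.items():                     # query params: unknown names rejected
        if name not in DATA_DICTIONARY or DATA_DICTIONARY[name].get("outbound_only"):
            raise ValidationError(f"unexpected query parameter {name}")
        check_value(name, value, DATA_DICTIONARY[name])
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if body and media_type not in ALLOWED_CONTENT_TYPES:  # Content-Type: exact media type only
        raise ValidationError("unsupported Content-Type")
    offered = {a.split(";")[0].strip().lower() for a in headers.get("Accept", "*/*").split(",")}
    if not offered & SERVED_TYPES:                        # Accept: checked, never copied to the response
        raise ValidationError("unsupported Accept")
    if len(body) > MAX_BODY_BYTES:                        # inbound size, before parsing
        raise ValidationError("body too large")
    try:
        parsed = json.loads(body) if body else {}
    except ValueError:
        raise ValidationError("body is not valid JSON")
    if json_depth(parsed) > MAX_JSON_DEPTH:               # inbound complexity
        raise ValidationError("JSON nesting too deep")
    if not isinstance(parsed, dict):
        raise ValidationError("body must be a JSON object")
    for name, value in parsed.items():                    # inbound format against the dictionary
        if name not in DATA_DICTIONARY or DATA_DICTIONARY[name].get("outbound_only"):
            raise ValidationError(f"unexpected field {name}")
        check_value(name, value, DATA_DICTIONARY[name])
    return {"method": method.upper(), "path": path, "query": dict(query), "body": parsed}


def filter_response(record):
    """Data outbound: emit only fields the dictionary knows, so internal columns never leak."""
    return {k: v for k, v in record.items() if k in DATA_DICTIONARY}


def safe_error(exc):
    """Exception outbound: the detail belongs in the server log, the client gets a generic body."""
    status = 400 if isinstance(exc, ValidationError) else 500
    return {"status": status, "error": "request rejected" if status == 400 else "internal error"}


def is_rejected(method, path, query, headers, body):
    """True when validate_request refuses the input (used by the checks below)."""
    try:
        validate_request(method, path, query, headers, body)
    except ValidationError:
        return True
    return False
```

The response content type is fixed to what the API serves; the caller's Accept header is only consulted to decide whether the request can be answered at all, which is the point of the "don't copy into Content-Type" rule.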
27. USE OAUTH PROPERLY
OAuth Grant Types
✓ Authorization Code
✓ Others are usually not the safe option.
Do not use OAuth as proof of authentication, use OpenID Connect instead.
Leverage PKCE
OPENAPI SPECIFICATION to the RESCUE !
28. OAUTH THREAT LANDSCAPE
Sensitive information
✓ Access tokens: the key to open the API door
✓ Refresh tokens: the key to obtain many valid access tokens
✓ Authorization code : to obtain an access token
✓ State : protection against CSRF attacks
Common attack vectors
✓ Token leakage → TLS 1.2 + strong ciphers, short-lived, token binding, protected storage
✓ Code Interception attacks → Use PKCE (Proof Key for Code Exchange)
✓ Token replay → Token Binding (over TLS) or Mutual TLS for OAuth
✓ Redirect URI Forgery → standard CSRF attack countermeasures (OWASP)
REQUIRES PROTECTION MEASURES ON CLIENT AND SERVER SIDE
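The two countermeasures from slides 27 and 28 that live in the client and the authorization server, PKCE and the state parameter, shown end to end on both sides of the Authorization Code grant. This is an added example, not code from the deck; the server and client classes are constructed stand-ins, the client id and redirect URI are made up, and no real OAuth library is involved. The S256 transform is the one RFC 7636 defines; everything else is a minimal model of the exchange.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in for the server side of the code grant."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, challenge, method)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, state):
        # state is opaque to the server and echoed back to the redirect URI unchanged
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, redirect_uri, code_challenge, code_challenge_method)
        return {"code": code, "state": state}

    def token(self, code, code_verifier, client_id, redirect_uri):
        entry = self._pending.pop(code, None)  # single use: a replayed code finds nothing
        if entry is None:
            return None
        cid, uri, challenge, method = entry
        if cid != client_id or uri != redirect_uri or method != "S256":
            return None
        # Only the client that started the flow knows the verifier, so a code seen in
        # transit cannot be redeemed by anyone else.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 300}


class PublicClient:
    """Client side: one (state, verifier) pair per in-flight authorization."""

    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self._inflight = {}  # state -> code_verifier

    def start(self):
        verifier = b64url(secrets.token_bytes(32))  # 43 unreserved chars, within RFC 7636's 43..128
        state = b64url(secrets.token_bytes(16))
        self._inflight[state] = verifier
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "code_challenge": code_challenge_s256(verifier),
                "code_challenge_method": "S256", "state": state}

    def callback(self, server, code, state):
        verifier = self._inflight.pop(state, None)
        if verifier is None:  # unknown or reused state: treat the redirect as forged
            return None
        return server.token(code, verifier, self.client_id, self.redirect_uri)


def _authorize(server, client):
    req = client.start()
    redirect = server.authorize(req["client_id"], req["redirect_uri"], req["code_challenge"],
                                req["code_challenge_method"], req["state"])
    return req, redirect


def honest_flow():
    server, client = AuthorizationServer(), PublicClient("mobile-app", "app://cb")
    _, redirect = _authorize(server, client)
    return client.callback(server, redirect["code"], redirect["state"])


def code_without_verifier_is_useless():
    """Holding the code, client_id and redirect_uri but not the verifier yields no token."""
    server, client = AuthorizationServer(), PublicClient("mobile-app", "app://cb")
    _, redirect = _authorize(server, client)
    wrong_verifier = b64url(secrets.token_bytes(32))
    return server.token(redirect["code"], wrong_verifier, "mobile-app", "app://cb") is None


def forged_redirect_is_rejected():
    """A redirect carrying a state the client never issued is dropped before any token call."""
    server, client = AuthorizationServer(), PublicClient("mobile-app", "app://cb")
    client.start()
    return client.callback(server, "some-code", "state-the-client-never-issued") is None


def code_replay_is_rejected():
    """Even with the right verifier, a code that was already redeemed is refused."""
    server, client = AuthorizationServer(), PublicClient("mobile-app", "app://cb")
    req, redirect = _authorize(server, client)
    verifier = client._inflight[req["state"]]
    first = client.callback(server, redirect["code"], redirect["state"])
    second = server.token(redirect["code"], verifier, "mobile-app", "app://cb")
    return first is not None and second is None
```

Note what each side must keep: the client stores the verifier against the state it issued and refuses any callback whose state it does not recognise; the server stores the challenge against the code and compares it with the S256 of the verifier presented at the token endpoint, in constant time, once.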
29. VALIDATE JSON WEB TOKENS
Don’t trust the incoming tokens!
Client could have been compromised…
Validate algorithm (the one you chose!)
✓ HS256
✓ RS256 (recommended)
Reject None!
Validate signature
✓ Prefer digital signatures over HMAC
✓ If not, be careful of key exchange
Validate standard claims and your own claims
See details: Learn the best practices for keeping your JWTs secure.
OPENAPI SPECIFICATION (AGAIN) to the RESCUE !
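The slide's four checks as a stand-alone validator. This is an added example, not code from the deck or from any JWT library; it uses only the Python standard library, which is why it demonstrates HS256 rather than the recommended RS256 (the claim checks and the algorithm pinning are the same for both, only the signature primitive differs). Issuer, audience, key and timestamps are constructed values. The point to take from it is that the expected algorithm is a server-side constant compared against the header, so an `alg: none` token fails before its signature is even looked at.

```python
import base64
import hashlib
import hmac
import json
import time

# What this API chose (assumptions). The algorithm is fixed here, never read from the token.
EXPECTED_ALG = "HS256"
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "accounts-api"
CLOCK_SKEW = 60  # seconds of tolerance on exp / nbf


class InvalidToken(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issuer side (constructed): a well-formed HS256 token for the checks below."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if algorithm, signature and claims all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        raise InvalidToken("undecodable")
    # 1. Algorithm: must equal the one WE chose. "none" and any downgrade fail here.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise InvalidToken("unexpected alg")
    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise InvalidToken("bad signature")
    # 3. Standard claims: iss, aud, exp, nbf.
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISS:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    if "exp" not in claims or now >= claims["exp"] + CLOCK_SKEW:
        raise InvalidToken("expired")
    if claims.get("nbf", 0) > now + CLOCK_SKEW:
        raise InvalidToken("not yet valid")
    # 4. Your own claims: this API requires a subject.
    if not claims.get("sub"):
        raise InvalidToken("missing sub")
    return claims


def verdict(token: str, key: bytes, now: float) -> str:
    """'ok' or the rejection reason, for the checks below."""
    try:
        validate_jwt(token, key, now)
        return "ok"
    except InvalidToken as err:
        return str(err)


# Constructed tokens exercising each branch.
KEY = b"constructed-demo-key-do-not-reuse"
NOW = 1_700_000_000
_base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "alice", "exp": NOW + 300}
GOOD = mint_hs256(dict(_base, scope="accounts:read"), KEY)
NONE_ALG = _segment({"alg": "none"}) + "." + _segment(_base) + "."   # empty signature segment
_head, _, _sig = GOOD.split(".")
TAMPERED = _head + "." + _segment(dict(_base, sub="admin")) + "." + _sig  # payload edited, old signature
EXPIRED = mint_hs256(dict(_base, exp=NOW - 3600), KEY)
```

With HMAC the same key signs and verifies, which is the "be careful of key exchange" caveat on the slide: every service that validates tokens can also mint them. Moving to RS256 changes only step 2 (verify with the issuer's public key) and removes that problem.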
31. FINE-GRAINED AUTHORIZATION
Who is calling?
✓ Is it your own app?
✓ Is it a trusted user?
What can they do?
OAuth Scopes are often not enough!
✓ Need an Attribute-based Access Control (ABAC) solution (XACML!)
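Why scopes alone are not enough, shown as a small attribute-based policy set. This is an added example, not code from the deck and not XACML; it is a Python model of the same idea (attributes of subject, action, resource and environment, combined deny-overrides). The trusted client list, the MFA requirement for writes and the payment limit are constructed assumptions. The case to notice is the second check: the caller holds a valid `accounts:read` scope and is still denied, because the scope says nothing about *which* account.

```python
from dataclasses import dataclass, field

# Constructed attribute sources. In a real deployment the subject attributes come from the
# validated token and the resource attributes from the data store.
TRUSTED_CLIENTS = {"official-mobile-app", "official-web-app"}


@dataclass
class AccessRequest:
    subject: dict                 # sub, client_id, scopes, amr (authentication methods used)
    action: str                   # "read" or "write"
    resource: dict                # type, owner, amount, ...
    environment: dict = field(default_factory=dict)


# Each rule answers one question from the slide. Combining algorithm is deny-overrides,
# as in XACML: every rule must permit.
def rule_own_app(req):
    """Who is calling? Is it your own app?"""
    return req.subject.get("client_id") in TRUSTED_CLIENTS


def rule_trusted_user(req):
    """Who is calling? Is it a trusted user? Here: writes require an MFA-backed session."""
    return req.action != "write" or "mfa" in req.subject.get("amr", [])


def rule_scope(req):
    """What can they do? The coarse OAuth scope check: necessary, not sufficient."""
    return f"{req.resource['type']}:{req.action}" in req.subject.get("scopes", [])


def rule_owner(req):
    """What can they do? The scope says 'accounts:read'; ownership says WHICH account."""
    return req.resource.get("owner") == req.subject.get("sub")


def rule_amount_limit(req):
    """Resource + environment attribute: large payments need an explicit approval flag."""
    if req.resource["type"] != "payments":
        return True
    return req.resource.get("amount", 0) <= 1000 or req.environment.get("approved", False)


RULES = [rule_own_app, rule_trusted_user, rule_scope, rule_owner, rule_amount_limit]


def decide(req):
    """Return ('Permit', []) or ('Deny', [names of the rules that refused])."""
    refused = [rule.__name__ for rule in RULES if not rule(req)]
    return ("Permit" if not refused else "Deny", refused)


# Constructed subjects: same user and scopes, with and without MFA.
ALICE = {"sub": "alice", "client_id": "official-mobile-app",
         "scopes": ["accounts:read", "payments:write"], "amr": ["pwd"]}
ALICE_MFA = dict(ALICE, amr=["pwd", "mfa"])
```

Returning the names of the refusing rules rather than a bare boolean is deliberate: it is what you log, and it is what lets the monitoring slide later in the deck distinguish a scope problem from an ownership probe.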
39. PROTECT YOUR APIS
Protect all APIs (public, private, SaaS)
AUTOMATICALLY deploy security measures such as API Security Gateways/Firewalls
✓ Enforce Rate Limiting
• Brute force attacks (see N26!)
• DOS attacks
✓ Data Validation / JWT Validation / Auth / Azn
✓ Serves as Virtual Patching (as a WAF does for applications)
✓ Deploy at the edge and/or close to APIs (microservices architecture)
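The rate-limiting bullet, as the core of what a gateway enforces in front of a login endpoint. This is an added example, not code from the deck or from any gateway product; the limits and the access log are constructed. It is a sliding-window limiter keyed by client and path, with a stricter budget on `/login` than elsewhere, replayed over a log in which one client attempts eight logins in twenty seconds, and it includes the edge case a practitioner will want to see: the client is served again once the burst has aged out of the window.

```python
from collections import defaultdict, deque

# Per-path limits as (max requests, window seconds); constructed values, not from the deck.
LIMITS = {"/login": (5, 60), "default": (100, 60)}


class SlidingWindowLimiter:
    """One timestamp queue per (client, path); amortised O(1) per request."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.hits = defaultdict(deque)

    def allow(self, client, path, now):
        max_requests, window = self.limits.get(path, self.limits["default"])
        queue = self.hits[(client, path)]
        while queue and queue[0] <= now - window:   # drop hits that fell out of the window
            queue.popleft()
        if len(queue) >= max_requests:
            return False                             # answer 429 here; the backend never sees it
        queue.append(now)
        return True


# Constructed access log: (seconds, client, path). 10.0.0.5 hammers /login,
# 10.0.0.9 behaves like a normal user.
SAMPLE_LOG = [(t * 2.0, "10.0.0.5", "/login") for t in range(8)] + [
    (1.0, "10.0.0.9", "/login"),
    (3.0, "10.0.0.9", "/login"),
    (30.0, "10.0.0.9", "/accounts"),
]


def replay(log, limiter=None):
    """Run a log through the limiter; returns {(client, path): {'allowed': n, 'blocked': m}}."""
    limiter = limiter or SlidingWindowLimiter()
    outcome = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for when, client, path in sorted(log):
        decision = "allowed" if limiter.allow(client, path, when) else "blocked"
        outcome[(client, path)][decision] += 1
    return dict(outcome)


def recovers_after_window():
    """Edge case: once the burst ages out of the window the same client is served again."""
    limiter = SlidingWindowLimiter()
    replay(SAMPLE_LOG, limiter)
    return limiter.allow("10.0.0.5", "/login", 80.0)
```

In a real gateway the per-key state lives in a shared store so that every gateway instance sees the same counts, and the key is chosen per endpoint (client id or authenticated subject for authenticated routes, source address only as a last resort for anonymous ones).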
40. MONITOR AND ANALYZE
Use Development ticketing system for tracking issues
Analyse runtime behaviour and raise issues automatically
41. JOIN THE MAILING LIST!
APISECURITY.IO
REGISTER AND LEARN FROM MORE STORIES!