Web API Security

A QUICK GUIDE TO SECURE YOUR WEB API

Aram Tchekrekjian @AramT87
Introduction

Web API security is a crucial topic that you need to be properly aware of.

Building secure Web APIs implies that your solution deters bots, fraudsters, anonymous clients, unauthorized access, and the list goes on...

Security isn't limited to code: your whole solution must provide a solid fortress against a variety of attacks.

Let's learn the different ways to secure your Web API.
API Key Authentication

This is the minimum level of security you can put on your API. Never leave your API without any sort of authentication.

API Key authentication provides a client identification strategy and a basic security layer, so that your APIs are not accessible without the correct API Key in the headers.

A best practice is to share the API Key once with the client and store it hashed on your side; to validate a request, you hash the presented key and compare the two hashes, the same as with passwords.

This guarantees that no one except the API Key holder is able to use the API Key, since the stored hash alone cannot be turned back into the key.
Cryptographically Secure API Key

To generate a secure API Key, you need to generate a random key that is fairly long, with mixed alphanumeric characters, from a cryptographically secure random source. This way, an attacker would have a tough time trying to guess or brute-force your API Key.

For .NET users, the latest versions of .NET (6, 7 and 8) provide a super simple way to create cryptographically secure random keys.
Rotate API Keys

API Keys should have an expiry and should be renewed every once in a while. The usually recommended duration is 90 days; however, you can always change that according to your implementation.

This rotation ensures that if an API Key gets into the wrong hands, it will be invalidated once it expires.

You can maintain the hashes of your API Keys with their associated clients in a database, alongside the expiry for each.
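An added example, not from the deck, that puts the three API Key practices above together in C# (.NET 6 or later): generating the key from the OS random number generator, persisting only its SHA-256 hash with a 90-day expiry, and validating a presented key in constant time. The ApiKeyRecord type, the "ak_" prefix and the in-memory validation loop are assumptions standing in for a real data store.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Assumed shape of what the database keeps per key: never the key itself, only its hash.
public sealed record ApiKeyRecord(string ClientId, byte[] KeyHash, DateTimeOffset ExpiresAt);

public static class ApiKeys
{
    // 32 bytes (256 bits) from the OS CSPRNG, shown to the client exactly once.
    // Base64url keeps the value safe to send in a header; the "ak_" prefix is a
    // constructed convention that makes leaked keys easy to recognise in scanners.
    public static string Generate()
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);
        return "ak_" + Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // A fast hash is fine here: the input is a 256-bit random value, not a guessable password.
    public static byte[] Hash(string apiKey) => SHA256.HashData(Encoding.UTF8.GetBytes(apiKey));

    // Issue a key with a 90-day lifetime (the rotation interval the slides recommend).
    public static (string PlaintextKey, ApiKeyRecord Record) Issue(string clientId, DateTimeOffset now, TimeSpan? lifetime = null)
    {
        string key = Generate();
        var record = new ApiKeyRecord(clientId, Hash(key), now + (lifetime ?? TimeSpan.FromDays(90)));
        return (key, record);
    }

    // Returns the client id when the presented key matches a stored, unexpired hash, otherwise null.
    // FixedTimeEquals compares in constant time; for large tables, look the hash up by index instead.
    public static string? Validate(string presentedKey, IEnumerable<ApiKeyRecord> records, DateTimeOffset now)
    {
        byte[] presentedHash = Hash(presentedKey);
        foreach (ApiKeyRecord r in records)
        {
            if (CryptographicOperations.FixedTimeEquals(presentedHash, r.KeyHash))
                return now < r.ExpiresAt ? r.ClientId : null;   // expired key: rotated out, reject
        }
        return null;
    }
}
```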
White-list IP Addresses

Make sure you only allow a list of IP addresses or domains to access your API.

White-listing can be implemented through your domain or hosting provider; you can add the whitelist via the .htaccess file for Apache or Web.Config for IIS servers.

API Gateways of cloud providers also have decent white-listing capabilities.
JWT Authentication

A more efficient and secure solution than an API Key.

JWT stands for JSON Web Token. It is a structured token that contains three parts: the header, the payload and the signature.

With JWT authentication you can guarantee that the caller is authentic and, via claims, has the proper rights to access your API.

JWTs are meant to be short-lived and disposable: invalid after their expiry.

In the recent .NET world, you can simply use the ASP.NET Core JwtBearer library to enable your Web API to generate and validate JWT tokens.
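An added example, not from the deck, of a minimal ASP.NET Core program (web SDK with implicit usings, plus the Microsoft.AspNetCore.Authentication.JwtBearer package) that issues short-lived HMAC-signed JWTs and validates them with the JwtBearer middleware, pinning issuer, audience, lifetime and algorithm. The issuer and audience values, the Jwt:Key configuration entry and the /login and /me endpoints are assumptions for the demo.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

const string issuer = "https://api.example.test";   // assumed values for the demo
const string audience = "example-web-api";
// HS256 needs a key of at least 256 bits; load it from configuration or a secret store, never hard-code it.
byte[] keyBytes = Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]
    ?? throw new InvalidOperationException("Jwt:Key is not configured"));
var signingKey = new SymmetricSecurityKey(keyBytes);

// Keep the "sub"/"role" claim names as issued instead of remapping them to legacy .NET claim types.
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options => options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true, ValidIssuer = issuer,
        ValidateAudience = true, ValidAudience = audience,
        ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey,
        ValidateLifetime = true,                                  // expired tokens are rejected
        ClockSkew = TimeSpan.FromSeconds(30),                     // library default is 5 minutes
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 } // pin the algorithm a token may use
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Issues a 15-minute access token. Real code verifies the user's credentials before this point;
// here the username is taken from the query string purely for the demo.
app.MapPost("/login", (string username) =>
{
    var claims = new[] { new Claim(JwtRegisteredClaimNames.Sub, username), new Claim("role", "reader") };
    var token = new JwtSecurityToken(issuer, audience, claims,
        notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(15),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return Results.Ok(new { access_token = new JwtSecurityTokenHandler().WriteToken(token) });
});

// Only a request carrying a valid Bearer token reaches this handler; identity comes from the claims.
app.MapGet("/me", (ClaimsPrincipal user) =>
        Results.Ok(new { name = user.FindFirst(JwtRegisteredClaimNames.Sub)?.Value, role = user.FindFirst("role")?.Value }))
    .RequireAuthorization();

app.Run();
```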
JWT Authentication with Refresh Tokens

To provide a better user experience in your client-side products (web or mobile), you can have another token that is used to silently refresh your JWT access token.

A refresh token usually is an alphanumeric random token, generated and stored hashed at the backend side, with a much longer sliding lifespan.

Linked with a device id and a channel, a refresh token can be used to keep track of signed-in users, and it can also be used to revoke access from a potentially hacked account.

You invalidate (or remove) the refresh token, and the hacker won't be able to use it again to refresh the tokens for the victim's account.
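An added example, not from the deck, of the refresh-token handling described above in C#: tokens are random, only their hashes are kept, each is bound to a user and device with a sliding lifetime, a token is rotated on every use, and all of a user's tokens can be revoked after a suspected compromise. The RefreshTokenStore class, its in-memory dictionary, the 30-day window and the Issue/Redeem/Revoke names are assumptions; a real service would back this with a database.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public sealed class RefreshTokenStore
{
    private sealed record Entry(string UserId, string DeviceId, DateTimeOffset ExpiresAt);
    private readonly Dictionary<string, Entry> _byHash = new();   // key: hex SHA-256 of the token
    private readonly TimeSpan _lifetime;

    public RefreshTokenStore(TimeSpan? slidingLifetime = null) => _lifetime = slidingLifetime ?? TimeSpan.FromDays(30);

    private static string HashOf(string token) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Mint a 256-bit random token for this user + device; only its hash is kept server-side.
    public string Issue(string userId, string deviceId, DateTimeOffset now)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _byHash[HashOf(token)] = new Entry(userId, deviceId, now + _lifetime);
        return token;
    }

    // Exchange a refresh token for a new one (rotation). The presented token is removed first,
    // so it is dead whether or not the exchange succeeds; the new token gets a fresh sliding window.
    // Returns null for an unknown, already-rotated, expired or wrong-device token.
    public (string UserId, string NewToken)? Redeem(string token, string deviceId, DateTimeOffset now)
    {
        if (!_byHash.Remove(HashOf(token), out var entry)) return null;
        if (now >= entry.ExpiresAt || entry.DeviceId != deviceId) return null;
        return (entry.UserId, Issue(entry.UserId, deviceId, now));
    }

    // After a suspected account takeover: every device of the user must sign in again.
    public int Revoke(string userId)
    {
        var hashes = _byHash.Where(kv => kv.Value.UserId == userId).Select(kv => kv.Key).ToList();
        foreach (string h in hashes) _byHash.Remove(h);
        return hashes.Count;
    }

    // One active refresh token per signed-in device, so this doubles as a session count.
    public int ActiveSessions(string userId) => _byHash.Values.Count(e => e.UserId == userId);
}
```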
OAuth 2.0 and OpenID Connect

OAuth 2.0 is an authorization protocol which defines how tokens are transferred and how the different clients request them.

OAuth 2.0 specifies multiple flows to generate tokens depending on the client's use case: native mobile apps, SPA web apps, server-side web apps, desktop apps.

OAuth 2.0 tokens can be either JWT formatted or non-JWT formatted (opaque tokens).

JWTs are stateless, since the authorization server doesn't maintain state for the token and the resource server can verify the authenticity of the JWT from its embedded digital signature.

Opaque tokens are stateful and require the resource server to validate the token with the authorization server.

OpenID Connect extends OAuth 2.0 by introducing the ID Token, which is used to authenticate users and to obtain basic profile information about them.

OAuth 2.0 and OpenID Connect are big and important topics that would take a series of slides to even briefly cover, but I will make sure to prepare something very soon.
Identity Providers

If you don't want to build your own authentication functionality, you can rely on a 3rd-party identity provider.

These providers usually offer sophisticated and comprehensive solutions to provision and handle generating, validating and managing authentication/authorization for multiple applications and clients, usually with web-based admin portals.

Good examples are IdentityServer4 (Duende Software) and Auth0 by Okta.

Cloud providers also usually have managed identity services to use and integrate with their own API Gateways.
Apply Server Side Validations

Your APIs must always validate and sanitize every input control and every payload you receive.

Remember that the frontend app resides at the client side, which offers a perfect means for data manipulation and the injection of malicious scripts.

XSS is one of the most common attacks: the malicious user injects a script into your site's input forms, it travels all the way to your APIs, and other users then see this script when loading your site's content on their side.

With proper data validation and sanitization (for HTML tags or scripts) you can keep XSS attacks and malicious scripts at bay.

Turning off HTTP TRACE support on your server prevents the TRACE method from being abused by an injected script to read your HTTP cookies (cross-site tracing).
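An added example, not from the deck, of server-side validation in an ASP.NET Core controller (web SDK with implicit usings): the payload is re-checked on the server with DataAnnotations (length limits and an allow-list pattern), and stored text is HTML-encoded when it is returned, so an injected script tag reaches other users as plain text. The CreateCommentRequest type, its limits, the static in-memory list and the /api/comments route are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Mvc;

// Every field carries an explicit shape: what the client-side form enforced is not trusted.
public sealed class CreateCommentRequest
{
    [Required, StringLength(64, MinimumLength = 1)]
    [RegularExpression(@"^[\p{L}\p{N} ._-]+$", ErrorMessage = "Display name contains unsupported characters.")]
    public string DisplayName { get; set; } = "";

    [Required, StringLength(2000, MinimumLength = 1)]
    public string Body { get; set; } = "";
}

[ApiController]                 // automatically answers 400 with a ValidationProblem for an invalid model
[Route("api/comments")]
public sealed class CommentsController : ControllerBase
{
    private static readonly List<CreateCommentRequest> Store = new();   // stand-in for a database

    [HttpPost]
    public IActionResult Create([FromBody] CreateCommentRequest request)
    {
        // Explicit check kept for clarity; [ApiController] already performs it before the action runs.
        if (!ModelState.IsValid) return ValidationProblem(ModelState);
        Store.Add(request);
        return Ok(new { stored = Store.Count });
    }

    // Encode on the way out: the raw text is kept intact, but a browser rendering this
    // content sees &lt;script&gt; rather than a live tag.
    [HttpGet]
    public IActionResult List() =>
        Ok(Store.Select(c => new
        {
            displayName = HtmlEncoder.Default.Encode(c.DisplayName),
            body = HtmlEncoder.Default.Encode(c.Body)
        }));
}
```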
Force HTTPS

Always opt to use HTTPS over plain HTTP.

Having your requests/responses transferred over plain HTTP would expose your data and your customers' data to loads of trouble.

In .NET, it is very easy to force HTTPS via the UseHttpsRedirection middleware call in the Program.cs file.

What would happen if you use plain HTTP?

An attacker monitoring a user's network (via different network monitoring tools) can sniff the requests/responses, and since your site is using plain HTTP, everything is clearly visible to the attacker (personal information, credit card data, etc.).
Use a Valid and Strong SSL/TLS Certificate

Your website as well as your Web API should always use an SSL/TLS certificate that is valid and strong.

Make sure your TLS setup supports TLS 1.2 or above, since older versions have known vulnerabilities.

All browsers will notify your users about whether your site is secure or not, and whether the certificate is valid or not, via the lock icon.
Implement a Rate Limiter

A rate limiter's function is to throttle the requests to your APIs to a specified number of requests within a specified time window.

Implementing a rate limiter on your Web APIs is greatly important to limit the usage of your APIs, and this is particularly helpful to decrease the damage that might happen from a DDoS attack.

Now, in ASP.NET Core Web API 7, you can use the Rate Limiter middleware to apply rate limiting from the code itself, as it is a built-in feature in .NET 7.
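An added example, not from the deck, that combines the Force HTTPS and Rate Limiter points above in one Program.cs (web SDK with implicit usings, .NET 7 or later): HTTPS redirection with HSTS, a global rate-limit budget partitioned per client (by API key header when present, otherwise by source IP), and a stricter named policy for a login endpoint. The X-Api-Key header name, the 100-per-minute and 5-per-minute budgets and the routes are assumptions for the demo.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHsts(o =>
{
    o.MaxAge = TimeSpan.FromDays(365);   // browsers remember to use HTTPS for this site for a year
    o.IncludeSubDomains = true;
});

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Global budget per client identity: a caller with an API key gets its own window,
    // anonymous callers share the window of their source IP (configure ForwardedHeaders
    // first when running behind a reverse proxy, or every client looks like the proxy).
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
    {
        string partition = ctx.Request.Headers["X-Api-Key"].FirstOrDefault()
                           ?? ctx.Connection.RemoteIpAddress?.ToString()
                           ?? "unknown";
        return RateLimitPartition.GetFixedWindowLimiter(partition, _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 100,
            Window = TimeSpan.FromMinutes(1),
            QueueLimit = 0                       // reject excess requests instead of queueing them
        });
    });

    // A much tighter named policy for endpoints worth brute-forcing, such as login.
    options.AddFixedWindowLimiter("strict", o =>
    {
        o.PermitLimit = 5;
        o.Window = TimeSpan.FromMinutes(1);
        o.QueueLimit = 0;
    });
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
    app.UseHsts();                // skipped in dev so localhost is not pinned to HTTPS in the browser
app.UseHttpsRedirection();        // plain http:// requests are redirected to https://
app.UseRateLimiter();             // must be registered before the endpoints it protects

app.MapGet("/api/items", () => Results.Ok(new[] { "item-1", "item-2" }));
app.MapPost("/api/login", () => Results.Ok()).RequireRateLimiting("strict");

app.Run();
```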
Web Application Firewall

A Web Application Firewall helps monitor, detect, filter and prevent malicious traffic, like bot or fraudulent attacks, on your APIs.

Many hosting providers offer you, free or paid, web application firewall services. There are many sophisticated and advanced firewalls that can smartly protect your Web API or website.

This can also help in mitigating and deterring the risk of DDoS attacks on your Web API in a significant way.

Cloudflare is one of the top providers of Web Application Firewalls.
Run a Security Scan with a 3rd Party Provider

It is always great to have a third eye look into the security of your Web APIs.

Sometimes you might be missing a policy that you are not aware of, or underestimating a tweak in your security implementation, thinking that no one might notice it.

But having a dedicated and professional security entity run a comprehensive scan on your Web APIs along with their hosting environment might be greatly beneficial and even crucial to your business.
If you are in the field of security, enthusiastic about performing the security testing yourself, or just want to expand your security testing and best-practices knowledge, you can instead search for and learn the "OWASP security testing guidelines":

https://github.com/OWASP/wstg
Apply Captcha at your Frontend

Having a captcha can greatly reduce the number of fraudulent and bot requests to your APIs. This will enhance your overall site security and allow only your real users to interact with your APIs.

There are numerous captcha services that you can easily integrate with.

You can try Google reCAPTCHA v3, as it provides you with a score representing the likelihood that a request to your API is from a real user rather than a bot.

Google reCAPTCHA returns a token to your calling client-side code; you have to pass it to your API and validate it via server-side verification, then check the score.
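An added example, not from the deck, of the server-side verification step in C#: the API posts the client's reCAPTCHA token to Google's siteverify endpoint and accepts the request only when the response reports success, the expected action and hostname, and a score at or above a threshold. The RecaptchaVerifier class, the 0.5 threshold and the action/hostname values a caller passes are assumptions; the endpoint URL and response fields are Google's documented ones.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;

public sealed class RecaptchaVerifier
{
    private readonly HttpClient _http;
    private readonly string _secret;   // server-side secret from the reCAPTCHA admin console, never sent to browsers
    public RecaptchaVerifier(HttpClient http, string secret) { _http = http; _secret = secret; }

    // Shape of Google's siteverify JSON response.
    public sealed class SiteVerifyResponse
    {
        [JsonPropertyName("success")] public bool Success { get; set; }
        [JsonPropertyName("score")] public double Score { get; set; }
        [JsonPropertyName("action")] public string? Action { get; set; }
        [JsonPropertyName("hostname")] public string? Hostname { get; set; }
        [JsonPropertyName("error-codes")] public string[]? ErrorCodes { get; set; }
    }

    // Pure decision logic, separated so it can be unit-tested without network access.
    // Checking action and hostname stops a token minted for another page or site being replayed here.
    public static bool IsHuman(SiteVerifyResponse r, string expectedAction, string expectedHost, double threshold = 0.5)
        => r.Success
        && r.Action == expectedAction
        && string.Equals(r.Hostname, expectedHost, StringComparison.OrdinalIgnoreCase)
        && r.Score >= threshold;

    public async Task<bool> VerifyAsync(string clientToken, string expectedAction, string expectedHost, string? remoteIp = null)
    {
        var form = new Dictionary<string, string> { ["secret"] = _secret, ["response"] = clientToken };
        if (remoteIp is not null) form["remoteip"] = remoteIp;   // optional, lets Google cross-check the caller

        using var reply = await _http.PostAsync("https://www.google.com/recaptcha/api/siteverify",
                                                new FormUrlEncodedContent(form));
        if (!reply.IsSuccessStatusCode) return false;            // fail closed when verification is unavailable

        var result = await reply.Content.ReadFromJsonAsync<SiteVerifyResponse>();
        return result is not null && IsHuman(result, expectedAction, expectedHost);
    }
}
```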
Store your Passwords Hashed ...but Only Using Cryptographically Secure Hashing Functions

MD5 and SHA-1 are out of the question, as these were broken a long time ago; you should never use them.

SHA-2 and SHA-3 are much better options, yet these are better suited to hashing large amounts of data rather than passwords, since they are fast hashing functions.

For passwords, it is preferable to use slow functions like key derivation functions:
PBKDF2 (with high iterations)
scrypt
Argon2id
Balloon Hashing

or a Blowfish-based cipher like:
bcrypt
Any more security tips? Share your thoughts in the comments.

Thank You
Follow me for more content

Aram Tchekrekjian
@AramT87
CodingSonata.com/newsletters