What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.


1 What is REST API?
A REST (Representational State Transfer) server simply provides access to resources, and the REST client accesses and presents the resources. A resource is identified by URIs / global IDs. REST uses various representations to represent a resource, such as text, JSON and XML. JSON is now the most popular format used in web services.
REST is NOT:
- a protocol
- a standard
- a replacement for SOAP

2 What does a REST API look like?

3 HTTP Methods
GET (read)
POST (create) (not idempotent)
PUT (replace/update)
DELETE
PATCH (update an existing resource)

4 HTTP Status Codes
200 OK - Response to a successful REST API action.
204 No Content
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
405 Method Not Allowed
429 Too Many Requests (DoS due to rate limit)

5 REST API Architecture

6 API Vulnerabilities

7 Authentication and Authorization
Common mistakes made during the development phase:

HTTP Basic Authentication:
GET / HTTP/1.1
Host: example.org
Authorization: Basic Zm9vOmJhcg==

HTTP Digest Authentication:
GET /users/username/account HTTP/1.1
Host: example.org
Authentication: hmac username:[digest]

8 Cont... Cookie-based Authentication
Resource:
Credentials: { "username": "myuser", "password": "mypassword" }
{ "session": { "name": "JSESSIONID", "value": "6E A9EB4AE501F" } },

9 Mitigation
- Avoid session-based authentication
- HTTP authentication over HTTPS
- OAuth 1.0 (Facebook app)
- OAuth 2.0
- API keys

10 DoS (Denial of Service)
Reason: Lack of rate limiting

11 Cont.. Set rate limits to avoid DoS
- User rate limits (set with the user API)
- Server rate limits (limit on a specific resource)
- Regional data limits (based on time and situation)

12 Service Information Leakage
Mitigation:
- Configure the API properly
- Hide the server fingerprint

13 Cross-Site Scripting (XSS)
{ "code": "20025", "title": "<script> alert('XSS'); </script>" }
Mitigation:
- Sanitize all input data
- Use HTML special character encoding
- Whitelist input (avoid blacklisting)

14 CORS for REST APIs
CORS (Cross-Origin Resource Sharing) is a security mechanism that allows a web page from one domain or origin to access a resource on a different domain (a cross-domain request). Lack of CORS headers allows an attacker to perform Cross-Site Request Forgery (CSRF).

15 Mitigation
HTTP response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET,POST,PUT
Access-Control-Allow-Origin:

{ "token": "15d38683-a98f-402d-a373-4f81a " }

16 SQL Injections
Input: http://petstore.com/api/v1/pet/123
Malicious Input:
Mitigation:
- Sanitize user input
- Whitelist input (avoid blacklisting)

17 HPP (HTTP Parameter Pollution)
Malicious Payload:
security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker)&ok=Invite
Mitigation: Server-side parameter verification.
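The SQL injection and HPP slides above both come down to server-side parameter verification. As an added example (not from the original presentation), here is a small Python handler for the petstore endpoint that rejects duplicated query parameters instead of silently picking the first or last value, and binds the pet id as a query parameter rather than splicing it into SQL; the in-memory pet table, the function names and the sample query strings are constructed for this example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample query strings: one clean, one with a polluted blogID.
SAMPLE_QS_CLEAN = "security_token=abc123&blogID=42"
SAMPLE_QS_HPP = "security_token=abc123&blogID=42&blogID=7"


def parse_query_strict(qs: str) -> dict:
    """Parse a query string and reject any parameter given more than once.

    Frameworks disagree on whether the first or last duplicate wins, which is
    exactly the ambiguity HTTP Parameter Pollution relies on. Refusing
    duplicates makes the server's interpretation unambiguous.
    """
    parsed = parse_qs(qs, keep_blank_values=True)
    duplicates = sorted(k for k, v in parsed.items() if len(v) > 1)
    if duplicates:
        raise ValueError(f"duplicate parameters rejected: {duplicates}")
    return {k: v[0] for k, v in parsed.items()}


def build_pet_db() -> sqlite3.Connection:
    """In-memory table standing in for the petstore backend (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pet (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO pet VALUES (?, ?)", [(123, "Rex"), (124, "Tom")])
    return conn


def lookup_pet(conn: sqlite3.Connection, raw_id: str):
    """Resolve /api/v1/pet/<raw_id>: whitelist the id shape, then bind it."""
    # Allow-list: only a run of ASCII digits is accepted as an id.
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("pet id must be numeric")
    # Bound parameter: the id travels as data, never as part of the SQL text.
    row = conn.execute("SELECT name FROM pet WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None
```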

18 Avoid API Risk
- Build API security into software development and deployment processes
- Validate user and app identity
- Encrypt the message channel
- Monitor, audit, log and analyze your API traffic

